Re: [Openstack] Swift/Keystone authorization question

2012-02-24 Thread Lillie Ross-CDSR11
As a followup, additional info…

Both the admin and glance accounts, that successfully authenticate against 
keystone, were created via the command line.  Both accounts also have a tenant 
of the same name as the user (probably irrelevant).  All other user accounts 
that have been created for general users won't authenticate against keystone, 
and exhibit the same error pattern as described below.

Interestingly, if I create a tenant with the same name as a user account, then 
I get a 403 unable to get HEAD message when issuing a stat command as described 
below.

/ross

Re: [Openstack] Swift/Keystone authorization question

2012-02-24 Thread Lillie Ross-CDSR11
I think I'm figuring this out, then again maybe not.  For general users, via 
the command line, you need to specify your user id as tenant:username after 
reading through the source (my Python is really rusty).  So, when I try this I 
now get a 403 Forbidden error. I had high hopes.

Just another data point.

Ross

Re: [Openstack] Swift/Keystone authorization question

2012-02-24 Thread Lillie Ross-CDSR11
OK, is this a 'role' grant issue?

/ross

On Feb 22, 2012, at 2:52 PM, Lillie Ross-CDSR11 wrote:

I've successfully installed all OpenStack components with Keystone 
authorization (well, mostly at least), but am now seeing an interesting problem 
for new accounts (created in Dashboard).

Using my admin account, I issue a swift stat command and get the expected 
response back from swift-proxy:

root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U admin 
-K admin stat
StorageURL: http://173.23.181.2:8080/v1/AUTH_1
Auth Token: 10111213141516171819
   Account: AUTH_1
Containers: 5
   Objects: 20
 Bytes: 6335748
Accept-Ranges: bytes
X-Trans-Id: tx6ffec7207a5c41329e53dbab6a6e2c37

Looking at the keystone admin.log file (with debugging enabled) I see the 
following:

2012-02-22 14:26:38 DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:26:38 DEBUG [routes.middleware] Route path: '/tokens', 
defaults: {'action': u'authenticate', 'controller': 
keystone.controllers.auth.AuthController object at 0x170da10}
2012-02-22 14:26:38 DEBUG [routes.middleware] Match dict: {'action': 
u'authenticate', 'controller': keystone.controllers.auth.AuthController object 
at 0x170da10}
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS 
tenants_desc, tenants.enabled AS tenants_enabled
FROM tenants
WHERE tenants.name = %s
 LIMIT 0, 1
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'admin',)
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 'All administrative tasks are to be grouped underneath this tenancy.  
Users are not to be associated with this tenant unless they have been granted 
admin roles.', 1L)
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
users.id AS users_id, users.name AS users_name, users.password AS 
users_password, users.email AS users_email, users.enabled AS users_enabled, 
users.tenant_id AS users_tenant_id
FROM users
WHERE users.name = %s
 LIMIT 0, 1
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'admin',)
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 
'users_tenant_id')
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 
'$6$rounds=4$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.',
 None, 1L, 1L)
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
users.id AS users_id, users.name AS users_name, users.password AS 
users_password, users.email AS users_email, users.enabled AS users_enabled, 
users.tenant_id AS users_tenant_id
FROM users
WHERE users.tenant_id = %s AND users.id = %s
 LIMIT 0, 1
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (1L, 1L)
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 
'users_tenant_id')
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 
'$6$rounds=4$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.',
 None, 1L, 1L)
2012-02-22 14:26:38 . . .

However, when I issue the same command with a newly created user account I get 
a 401 not authorized command back from swift-proxy.  For example:

root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U 
lillie -K changeme stat
Auth GET failed: http://173.23.181.1:5000/v2.0/tokens 401 Unauthorized

and the keystone admin.log file shows the following:

2012-02-22 14:30:40 DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:30:40 DEBUG [routes.middleware] Route path: '/tokens', 
defaults: {'action': u'authenticate', 'controller': 
keystone.controllers.auth.AuthController object at 0x170da10}
2012-02-22 14:30:40 DEBUG [routes.middleware] Match dict: {'action': 
u'authenticate', 'controller': keystone.controllers.auth.AuthController object 
at 0x170da10}
2012-02-22 14:30:40 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS 
tenants_desc, tenants.enabled AS tenants_enabled
FROM tenants
WHERE tenants.name = %s
 LIMIT 0, 1
2012-02-22 14:30:40 INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'lillie',)
2012-02-22 14:30:40 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:30:40 DEBUG [eventlet.wsgi.server] 173.23.181.2 - - 
[22/Feb/2012 14:30:40] POST /v2.0/tokens HTTP/1.1 401 197 0.004990
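
Added example (not code from this thread, from Keystone or from swift): a small Python parser that reads a constructed admin.log excerpt modelled on the lines quoted above and reports, per POST /tokens request, which tenant and user names Keystone looked up, whether each lookup returned a Row, the status the wsgi server logged, and how many Row lines dumped a password hash. The wsgi 200 for the admin request is an assumption, since the thread only shows the 401 for lillie.

```python
import re

# Constructed sample, abridged from the keystone admin.log excerpts quoted in this
# thread (SQL flattened to one line each; the wsgi 200 for admin is assumed).
SAMPLE_LOG = """\
2012-02-22 14:26:38 DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT tenants.id AS tenants_id FROM tenants WHERE tenants.name = %s LIMIT 0, 1
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (u'admin',)
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 'admin', 'All administrative tasks ...', 1L)
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT users.id AS users_id FROM users WHERE users.name = %s LIMIT 0, 1
2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (u'admin',)
2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 'admin', '$6$rounds=4$k5f0Zd1lOK3AVXbx$awVY...', None, 1L, 1L)
2012-02-22 14:26:38 DEBUG [eventlet.wsgi.server] 173.23.181.2 - - [22/Feb/2012 14:26:38] POST /v2.0/tokens HTTP/1.1 200 1542 0.031200
2012-02-22 14:30:40 DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:30:40 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT tenants.id AS tenants_id FROM tenants WHERE tenants.name = %s LIMIT 0, 1
2012-02-22 14:30:40 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (u'lillie',)
2012-02-22 14:30:40 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col ('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:30:40 DEBUG [eventlet.wsgi.server] 173.23.181.2 - - [22/Feb/2012 14:30:40] POST /v2.0/tokens HTTP/1.1 401 197 0.004990
"""

PARAM_RE = re.compile(r"\(u?'([^']*)',\)\s*$")   # bind params, e.g. (u'lillie',)
WSGI_RE = re.compile(r"POST /v2\.0/tokens HTTP/1\.1 (\d{3}) ")

def parse_token_requests(log_text):
    """Per POST /tokens request: tenant and user names Keystone looked up, whether
    each lookup returned a Row, the final HTTP status, and hash-bearing rows."""
    requests, cur, pending = [], None, None
    for line in log_text.splitlines():
        if "Matched POST /tokens" in line:
            cur = {"tenant": None, "tenant_found": False, "user": None,
                   "user_found": False, "status": None, "hash_rows": 0}
            requests.append(cur)
            pending = None
            continue
        if cur is None:
            continue
        for table in ("tenants", "users"):   # works for multi-line SQL too: the
            if "FROM " + table in line:      # FROM clause names the pending lookup
                pending = table[:-1]
        m = PARAM_RE.search(line)
        if m and pending and cur[pending] is None:
            cur[pending] = m.group(1)
        if pending and "] Row (" in line:
            cur[pending + "_found"] = True
        if "'$6$" in line:                   # sha512-crypt hash printed by DEBUG
            cur["hash_rows"] += 1
        m = WSGI_RE.search(line)
        if m:
            cur["status"] = int(m.group(1))
    return requests

def diagnose(req):
    """State the outcome of one /tokens request in the thread's terms."""
    if req["tenant"] is not None and not req["tenant_found"]:
        return ("401: no tenant named %r; the name sent was the -U username, "
                "so pass -U tenant:username or create the tenant" % req["tenant"])
    if req["status"] == 200:
        return ("200: token issued for %r in tenant %r; a later 403 from "
                "swift-proxy is a role/ACL problem" % (req["user"], req["tenant"]))
    return "status %s: not classified" % req["status"]
```

A request whose tenant lookup logs a Col line but no Row is the 401 case seen in this thread; the hash_rows count is a reason to keep admin.log readable only by the keystone service account and to turn debug off once the problem is found.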

Re: [Openstack] Swift/Keystone authorization question

2012-02-23 Thread Lillie Ross-CDSR11
OK.

Reading through the swiftkeystone2 (module that I'm using to support v2 
authentication in swift's proxy configuration) source and documentation, I've 
figured out the necessary roles that need to be applied to users' accounts and 
ACLs to project containers to allow all combinations of access to swift 
storage.  Works great.

/ross
