Container Sync and Keystone

Bug #954030 reported by Dmitry Ukov
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Low | Maru Newby |
keystone (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |

Bug Description

Keystone does not work with Swift Container Sync. The container server syncs to the remote proxy server without an X-Auth-Token header, so the keystone middleware rejects the request.
Log message from Container Sync service
...
container-sync Unauth 'AUTH_1/cont' => 'http://192.168.10.16:8080/v1/AUTH_1/cont1'
...

Proxy1 config
...
[pipeline:main]
pipeline = healthcheck cache swift3 keystone swiftauth proxy-server
...
[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 192.168.10.15
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 192.168.10.15
service_port = 5000
cache = swift.cache

[filter:swiftauth]
use = egg:keystone#swiftauth
keystone_swift_operator_roles = Admin, SwiftOperator
keystone_tenant_user_admin = true
allowed_sync_hosts = 127.0.0.1, 192.168.10.16
...

Proxy2 config
...
[pipeline:main]
pipeline = healthcheck cache swift3 keystone swiftauth proxy-server
...

[filter:keystone]
use = egg:keystone#tokenauth
auth_protocol = http
auth_host = 192.168.10.15
auth_port = 35357
admin_token = 999888777666
delay_auth_decision = 0
service_protocol = http
service_host = 192.168.10.15
service_port = 5000
cache = swift.cache

[filter:swiftauth]
use = egg:keystone#swiftauth
keystone_swift_operator_roles = Admin, SwiftOperator
keystone_tenant_user_admin = true
allowed_sync_hosts = 127.0.0.1, 192.168.10.15
...

Container Server configs contain
...
allowed_sync_hosts = 127.0.0.1, 192.168.10.15, 192.168.10.16
...

Chmouel Boudjnah (chmouel) wrote :

I was planning to do that as part of this blueprint:

https://blueprints.launchpad.net/keystone/+spec/swift-middleware-allow-anonymous-via-acl

This is still a WIP.

Changed in swift:
assignee: nobody → Chmouel Boudjnah (chmouel)
affects: swift → keystone
Joseph Heck (heckj)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Maru Newby (maru)
tags: added: essex-rc-potential
Changed in keystone:
assignee: Chmouel Boudjnah (chmouel) → Maru Newby (maru)
status: Confirmed → In Progress
Joseph Heck (heckj)
Changed in keystone:
milestone: none → essex-rc2
Thierry Carrez (ttx)
tags: removed: essex-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/5603
Committed: http://github.com/openstack/keystone/commit/6ec1782dcc13b77eba14d7ff1ace6c9bca997dc5
Submitter: Jenkins
Branch: master

commit 6ec1782dcc13b77eba14d7ff1ace6c9bca997dc5
Author: Maru Newby <email address hidden>
Date: Tue Mar 20 22:19:36 2012 -0700

    Add support to swift_auth for tokenless authz

     * Updates keystone.middleware.swift_auth to allow token-less
       (unauthenticated) access for container sync (bug 954030) and
       permitted referrers (bug 924578).

    Change-Id: Ieccf458c44dfe55f546dc15c79704800dad59ac0

Changed in keystone:
status: In Progress → Fix Committed
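
The token-less authorization described in the commit message above, as an added sketch that is not the code from the commit or from keystone: a request with no X-Auth-Token is accepted as container sync only when it presents the container's sync key, carries X-Timestamp, and comes from a host in allowed_sync_hosts. The function name and the sample key are hypothetical; the header names are the ones Swift's container-sync daemon sends, and the host list reuses the Proxy2 setting from the bug description.

```python
import hmac

# Constructed values: the host list reuses the Proxy2 allowed_sync_hosts
# setting shown on this page; the sync key is made up for the example.
ALLOWED_SYNC_HOSTS = frozenset({"127.0.0.1", "192.168.10.15"})
CONTAINER_SYNC_KEY = "example-sync-key"


def authorize_tokenless_sync(headers, remote_addr, container_sync_key,
                             allowed_hosts=ALLOWED_SYNC_HOSTS):
    """Decide whether a request without X-Auth-Token may pass as container sync.

    Hypothetical helper. Returns (allowed, reason); every check must pass,
    so a missing token never means "allow" by default.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "x-auth-token" in hdrs:
        return False, "token present: validate it instead"
    if not container_sync_key:
        return False, "container has no sync key"
    presented = hdrs.get("x-container-sync-key")
    if presented is None:
        return False, "no sync key presented"
    # Constant-time comparison avoids leaking how much of the key matched.
    if not hmac.compare_digest(presented.encode(), container_sync_key.encode()):
        return False, "sync key mismatch"
    if "x-timestamp" not in hdrs:
        return False, "missing x-timestamp"
    if remote_addr not in allowed_hosts:
        return False, "sender not in allowed_sync_hosts"
    return True, "container-sync"


def demo():
    """Run constructed requests through the check and collect the verdicts."""
    good = {"X-Container-Sync-Key": CONTAINER_SYNC_KEY,
            "X-Timestamp": "1332307176.00000"}
    cases = {
        "valid sync": (good, "192.168.10.15"),
        "unknown sender": (good, "203.0.113.7"),
        "wrong key": (dict(good, **{"X-Container-Sync-Key": "guess"}),
                      "192.168.10.15"),
        "anonymous": ({}, "192.168.10.15"),
    }
    return {name: authorize_tokenless_sync(h, addr, CONTAINER_SYNC_KEY)
            for name, (h, addr) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```
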
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/6177

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (milestone-proposed)

Reviewed: https://review.openstack.org/6177
Committed: http://github.com/openstack/keystone/commit/89e8dc075151acc85d8c4f8972d3910c7f33bd25
Submitter: Jenkins
Branch: milestone-proposed

commit 89e8dc075151acc85d8c4f8972d3910c7f33bd25
Author: Maru Newby <email address hidden>
Date: Tue Mar 20 22:19:36 2012 -0700

    Add support to swift_auth for tokenless authz

     * Updates keystone.middleware.swift_auth to allow token-less
       (unauthenticated) access for container sync (bug 954030) and
       permitted referrers (bug 924578).

    Change-Id: Ieccf458c44dfe55f546dc15c79704800dad59ac0

Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-rc2 → 2012.1
Chuck Short (zulcss)
Changed in keystone (Ubuntu Precise):
status: New → Fix Released
Chuck Short (zulcss)
Changed in keystone (Ubuntu):
status: New → Fix Released
Sergio Rubio (rubiojr) wrote :

Howdy folks,

Trying to get container sync working (Swift 1.7.6) across two isolated Swift clusters sharing a central keystone and having some issues.

I could be wrong but I'd say the official documentation doesn't cover container syncing with keystone auth enabled only:

http://docs.openstack.org/developer/swift/overview_container_sync.html

As a matter of fact, Rackspace mentions that syncing code may need patching to support keystone style auth:

http://www.rackspace.com/knowledge_center/article/syncing-private-cloud-swift-containers-to-rackspace-cloud-files

They state that Rackspace isn't using keystone for auth so you need patching to have the feature but the referenced patch:

https://github.com/dani4571/swift/commit/9fb626e39b2345215c821e192629a28a966b4200

appears to be using some sort of keystone style auth I think (rackspace_auth method).

Tracing received requests in one of the clusters I can see that syncing requests end up with a 401 and the 'Unauth' log message (HTTP_UNAUTHORIZED).

Am I missing something perhaps? Haven't been able to find up to date documentation on the subject.
