GET /info returns 401 if Keystone is in use

Bug #1636349 reported by Pete Zaitcev
This bug affects 1 person
Affects: OpenStack Object Storage (swift)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

[zaitcev@lembas ~]$ PYTHONPATH=/q/zaitcev/hail/python-swiftclient-tip /q/zaitcev/hail/python-swiftclient-tip/bin/swift --debug --os-cacert=/q/zaitcev/arc/CA/certs/cacert.pem -V 2 -A http://rhev-a24c-01.mpc.lab.eng.bos.redhat.com:5000/v2.0/ -U admten:zaitcev -K ******* info
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://rhev-a24c-01.mpc.lab.eng.bos.redhat.com:5000/v2.0/tokens
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): rhev-a24c-01.mpc.lab.eng.bos.redhat.com
DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1396
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): rhev-a24c-01.mpc.lab.eng.bos.redhat.com
DEBUG:requests.packages.urllib3.connectionpool:"GET /info HTTP/1.1" 401 23
INFO:swiftclient:REQ: curl -i https://rhev-a24c-01.mpc.lab.eng.bos.redhat.com/info -X GET
INFO:swiftclient:RESP STATUS: 401 Unauthorized
INFO:swiftclient:RESP HEADERS: {u'Date': u'Tue, 25 Oct 2016 02:05:26 GMT', u'Content-Length': u'23', u'Content-type': u'text/plain', u'WWW-Authenticate': u"Keystone uri='http://127.0.0.1:35357'", u'X-Trans-Id': u'tx31e5e3aead4a4cc0a2e30-00580ebde6'}
INFO:swiftclient:RESP BODY: Authentication required
Capabilities GET failed: https://rhev-a24c-01.mpc.lab.eng.bos.redhat.com/info 401 Unauthorized Authentication required
Failed Transaction ID: tx31e5e3aead4a4cc0a2e30-00580ebde6
[zaitcev@lembas ~]$

[root@rhev-a24c-01 ~]# grep pipeline /etc/swift/proxy-server.conf
[pipeline:main]
#pipeline = healthcheck cache proxy-logging tempauth proxy-server
#pipeline = healthcheck cache proxy-logging authtoken keystone proxy-server
#pipeline = catch_errors gatekeeper healthcheck proxy-logging cache swift3 tempauth staticweb copy slo dlo versioned_writes proxy-logging proxy-server
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache swift3 authtoken keystone staticweb copy slo dlo versioned_writes proxy-logging proxy-server
# Note: The double proxy-logging in the pipeline is not a mistake. The

Note 1. User can create containers, so no issue with roles
Note 2. Switch to TempAuth and /info works even without authentication, like this:

curl -k https://rhev-a24c-01.mpc.lab.eng.bos.redhat.com/info

Note 3.
[root@rhev-a24c-01 ~]# rpm -qa | grep keystone | sort
openstack-keystone-2015.1.3-1.fc23.noarch
python-keystone-2015.1.3-1.fc23.noarch
python-keystoneclient-1.3.0-2.fc23.noarch
python-keystonemiddleware-1.5.1-2.fc23.noarch
[root@rhev-a24c-01 ~]# rpm -qa | grep swift | sort
openstack-swift-plugin-swift3-1.9-1.fc23.noarch
openstack-swift-proxy-2.9.0-1.z5.noarch
python-swift-2.9.0-1.z5.noarch

Pete Zaitcev (zaitcev)
description: updated
Donagh McCabe (donagh-mccabe) wrote :

FYI: works fine in my Mitaka environment.

Do you have delay_auth_decision = true in [filter:authtoken]? By removing delay_auth_decision, I can reproduce your result. For Swift, delay_auth_decision should be set to true (if you want ACLs to work).

Pete Zaitcev (zaitcev) wrote :

Indeed, I managed to lose delay_auth_decision from the config.
Marking the bug as invalid.

Changed in swift:
status: New → Invalid
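
The misconfiguration this report came down to can be caught before deployment with a small check of proxy-server.conf. The following is an added example, not part of the bug report or of Swift itself; the function name, the sample configs and the set of values accepted as "true" are assumptions made for illustration.

```python
import configparser

# Constructed sample configs modelled on the pipeline quoted in the report.
BROKEN_CONF = """
[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache authtoken keystone proxy-logging proxy-server

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

[filter:keystone]
use = egg:swift#keystoneauth
"""

FIXED_CONF = BROKEN_CONF.replace(
    "auth_token:filter_factory",
    "auth_token:filter_factory\ndelay_auth_decision = true")

TRUTHY = {"1", "true", "yes", "on"}  # assumption: values read as boolean true


def check_delay_auth_decision(conf_text):
    """Return a list of findings; an empty list means the check passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_option("pipeline:main", "pipeline"):
        return ["no [pipeline:main] pipeline found"]
    findings = []
    for name in cp.get("pipeline:main", "pipeline").split():
        section = "filter:" + name
        if not cp.has_section(section):
            continue  # filter has no section of its own in this file
        factory = cp.get(section, "paste.filter_factory", fallback="")
        # Only inspect the Keystone token middleware, by name or by factory.
        if name != "authtoken" and "auth_token" not in factory:
            continue
        value = cp.get(section, "delay_auth_decision", fallback=None)
        if value is None:
            findings.append("[%s] delay_auth_decision is missing" % section)
        elif value.strip().lower() not in TRUTHY:
            findings.append("[%s] delay_auth_decision = %s" % (section, value))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_delay_auth_decision(text) or "ok")
```

Only filters that are actually listed in the active pipeline are inspected, so a commented-out pipeline line or an unused [filter:authtoken] section produces no finding.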