Bug #1682059 “Fix install guide filter:authtoken config example” : Bugs : OpenStack Object Storage (swift)

Matthew Oliver (matt-0) on 2017-04-12

Changed in swift:
status:	New → Confirmed

Revision history for this message

Matthew Oliver (matt-0) wrote on 2017-04-12:

#1

Download full text (8.9 KiB)

I have personally confirmed this with a keystone + Swift dev environment, while reviewing patch https://review.openstack.org/#/c/454386:

firstly the default values are defined:
<snip from Colleen Murphy's comment in above patch>

The name of the default domain is defined here:
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/core.py?id=69d03670d1ddcf428063d81a0f25b6196650876e#n841

The default ID of the default domain is defined here:
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/identity.py?id=69d03670d1ddcf428063d81a0f25b6196650876e#n21
</snip>

So params ending in _id are default and the -name are Default.. which I find annoying. But there you go. Our sample doc uses _id = default which "should" be correct.

What do others use, well according to https://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html
it gives a sample, apparently from nova that:

  [keystone_authtoken]
  auth_plugin = password
  auth_url = http://keystone:35357/
  username = nova
  user_domain_id = default
  password = whyarewestillusingpasswords
  project_name = service
  project_domain_id = default

Which using using "default" against the *_id versions of the configuration.

Now if I pop into my test keystone server, and take a look:

Now lets do some keystone config tests in Swift.
First using:

  [filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_id = default
  project_domain_id = default

It works:

  $ swift stat
                 Account: KEY_fce1546e0675483bb3862a54a2ed68f6
              Containers: 0
                 Objects: 0
                   Bytes: 0
         X-Put-Timestamp: 1491904442.67731
             X-Timestamp: 1491904442.67731
              X-Trans-Id: tx0814c8d8f3694f47a13d9-0058eca7ba
            Content-Type: text/plain; charset=utf-8
  X-Openstack-Request-Id: tx0814c8d8f3694f47a13d9-0058eca7ba

Change to _id = Default:

  [filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_id = Default
  project_domain_id = Default

And:

$ swift stat
Account HEA...

I have personally confirmed this with a keystone + Swift dev environment, while reviewing patch https://review.openstack.org/#/c/454386:

firstly the default values are defined:
<snip from Colleen Murphy's comment in above patch>

The name of the default domain is defined here:
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/resource/core.py?id=69d03670d1ddcf428063d81a0f25b6196650876e#n841

The default ID of the default domain is defined here:
http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/identity.py?id=69d03670d1ddcf428063d81a0f25b6196650876e#n21
</snip>

So params ending in _id are default and the -name are Default.. which I find annoying. But there you go. Our sample doc uses _id = default which "should" be correct.

What do others use, well according to https://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html
it gives a sample, apparently from nova that:

[keystone_authtoken]
  auth_plugin = password
  auth_url = http://keystone:35357/
  username = nova
  user_domain_id = default
  password = whyarewestillusingpasswords
  project_name = service
  project_domain_id = default

Which using using "default" against the *_id versions of the configuration.

Now if I pop into my test keystone server, and take a look:

Now lets do some keystone config tests in Swift.
First using:

[filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_id = default
  project_domain_id = default

It works:

$ swift stat
                 Account: KEY_fce1546e0675483bb3862a54a2ed68f6
              Containers: 0
                 Objects: 0
                   Bytes: 0
         X-Put-Timestamp: 1491904442.67731
             X-Timestamp: 1491904442.67731
              X-Trans-Id: tx0814c8d8f3694f47a13d9-0058eca7ba
            Content-Type: text/plain; charset=utf-8
  X-Openstack-Request-Id: tx0814c8d8f3694f47a13d9-0058eca7ba

Change to _id = Default:

[filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_id = Default
  project_domain_id = Default

And:

$ swift stat
  Account HEAD failed: http://localhost:8080/v1/KEY_fce1546e0675483bb3862a54a2ed68f6 503 Service Unavailable
  Failed Transaction ID: tx4ead4df812e2407f95b98-0058eca84d

And in the keystone log you get:

2017-04-11 09:56:05.681 20254 INFO keystone.common.wsgi [req-cb404ba3-7762-4f8f-a84a-be8991b17851 - - - - -] POST http://localhost:35357/v3/auth/tokens
  2017-04-11 09:56:05.686 20254 WARNING keystone.auth.core [req-cb404ba3-7762-4f8f-a84a-be8991b17851 - - - - -] Could not find domain: Default.
  2017-04-11 09:56:05.687 20254 WARNING keystone.common.wsgi [req-cb404ba3-7762-4f8f-a84a-be8991b17851 - - - - -] Authorization failed. The request you have made requires authentication. from 127.0.0.1
  [pid: 20254|app: 0|req: 19/19] 127.0.0.1 () {36 vars in 536 bytes} [Tue Apr 11 09:56:05 2017] POST /v3/auth/tokens => generated 114 bytes in 7 msecs (HTTP/1.1 401) 5 headers in 225 bytes (1 switches on core 0)
  2017-04-11 09:56:13.705 20254 INFO keystone.common.wsgi [req-26eeacbe-072a-48fe-87bf-ab5e0a2053c8 - - - - -] POST http://localhost:35357/v3/auth/tokens
  2017-04-11 09:56:13.711 20254 WARNING keystone.auth.core [req-26eeacbe-072a-48fe-87bf-ab5e0a2053c8 - - - - -] Could not find domain: Default.
  2017-04-11 09:56:13.712 20254 WARNING keystone.common.wsgi [req-26eeacbe-072a-48fe-87bf-ab5e0a2053c8 - - - - -] Authorization failed. The request you have made requires authentication. from 127.0.0.1
  [pid: 20254|app: 0|req: 20/20] 127.0.0.1 () {36 vars in 536 bytes} [Tue Apr 11 09:56:13 2017] POST /v3/auth/tokens => generated 114 bytes in 9 msecs (HTTP/1.1 401) 5 headers in 225 bytes (1 switches on core 0)
  2017-04-11 09:56:13.718 20254 INFO keystone.common.wsgi [req-21127bde-4b5f-4710-a33d-1eb12a4cb5fe - - - - -] POST http://localhost:35357/v3/auth/tokens
  2017-04-11 09:56:13.723 20254 WARNING keystone.auth.core [req-21127bde-4b5f-4710-a33d-1eb12a4cb5fe - - - - -] Could not find domain: Default.
  2017-04-11 09:56:13.723 20254 WARNING keystone.common.wsgi [req-21127bde-4b5f-4710-a33d-1eb12a4cb5fe - - - - -] Authorization failed. The request you have made requires authentication. from 127.0.0.1
  [pid: 20254|app: 0|req: 21/21] 127.0.0.1 () {36 vars in 536 bytes} [Tue Apr 11 09:56:13 2017] POST /v3/auth/tokens => generated 114 bytes in 7 msecs (HTTP/1.1 401) 5 headers in 225 bytes (1 switches on core 0)

NOTING: Could not find domain: Default

So the domain_id is definitely 'default'

Now lets try name:

[filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_name = Default
  project_domain_name = Default

And it works again:

$ swift stat
                 Account: KEY_fce1546e0675483bb3862a54a2ed68f6
              Containers: 0
                 Objects: 0
                   Bytes: 0
         X-Put-Timestamp: 1491904775.43378
             X-Timestamp: 1491904775.43378
              X-Trans-Id: tx22ad58bb32954355acac1-0058eca906
            Content-Type: text/plain; charset=utf-8
  X-Openstack-Request-Id: tx22ad58bb32954355acac1-0058eca906

Lets finally try _name = default:

[filter:authtoken]
  paste.filter_factory = keystonemiddleware.auth_token:filter_factory
  auth_url = http://localhost:35357
  auth_uri = http://localhost:5000
  auth_plugin = password
  project_name = service
  username = swift
  password = Sekr3tPass
  delay_auth_decision = True
  user_domain_name = default
  project_domain_name = default

And:

$ swift stat
  Account HEAD failed: http://localhost:8080/v1/KEY_fce1546e0675483bb3862a54a2ed68f6 503 Service Unavailable
  Failed Transaction ID: txa0f514a2fdb1472bae420-0058eca984

And again the keystone logs say:

2017-04-11 10:01:16.267 20254 INFO keystone.common.wsgi [req-9b2f788d-6950-4f57-85b5-eb9daec55e87 - - - - -] POST http://localhost:35357/v3/auth/tokens
  2017-04-11 10:01:16.272 20254 WARNING keystone.auth.core [req-9b2f788d-6950-4f57-85b5-eb9daec55e87 - - - - -] Could not find domain: default.
  2017-04-11 10:01:16.273 20254 WARNING keystone.common.wsgi [req-9b2f788d-6950-4f57-85b5-eb9daec55e87 - - - - -] Authorization failed. The request you have made requires authentication. from 127.0.0.1
  [pid: 20254|app: 0|req: 33/33] 127.0.0.1 () {36 vars in 535 bytes} [Tue Apr 11 10:01:16 2017] POST /v3/auth/tokens => generated 114 bytes in 9 msecs (HTTP/1.1 401) 5 headers in 225 bytes (1 switches on core 0)
  2017-04-11 10:01:16.280 20254 INFO keystone.common.wsgi [req-ad3103ab-7624-4554-905c-0ab14621365e - - - - -] POST http://localhost:35357/v3/auth/tokens
  2017-04-11 10:01:16.284 20254 WARNING keystone.auth.core [req-ad3103ab-7624-4554-905c-0ab14621365e - - - - -] Could not find domain: default.

Conclusion:

*_id = default
  *_name = Default

When in doubt check keystone:

project_domain_id = default
user_domain_id = default

Revision history for this message

Alistair Coles (alistair-coles) wrote on 2017-04-12:

#2

Related bug https://bugs.launchpad.net/swift/+bug/1604674

My research confirms that since Newton (and before Mitaka?) the keystone install guide has default keystone domain created with id 'default' and name 'Default'. This is how our sample configs and docs have described the options since [1], but the swift install guide uses domain name 'default', which was the recommended config in Mitaka install guide.

[1] https://review.openstack.org/#/c/261395/

Revision history for this message

Alistair Coles (alistair-coles) wrote on 2017-05-02:

#3

Somehow we failed to have a Closes-Bug patch on the patch. This is fixed by:
https://review.openstack.org/#/c/454386

Changed in swift:
status:	Confirmed → Fix Committed

OpenStack Object Storage (swift)

Fix install guide filter:authtoken config example

Bug Description

Other bug subscribers

Remote bug watches