[rhos-list] Glance API can't authenticate with swift proxy

Flavio Percoco flavio at redhat.com
Tue Jun 11 12:12:07 UTC 2013


On 11/06/13 11:44 +0000, Lutz Christoph wrote:
>   Hi!
>   I'm trying to set up OpenStack Grizzly with the Red Hat packages, and
>   I'm flabbergasted with a problem between the glance API daemon and the
>   swift proxy. Here is a piece of strace from the proxy:
>   25807 recvfrom(9, "POST /v1/tokens HTTP/1.1\r\nHost:
>   192.168.101.118:8080\r\nContent-Length: 105\r\nContent-Type:
>   application/json\r\nAccept-Encoding: gzip, deflate, compress\r\nAccept:
>   */*\r\nUser-Agent: python-keystoneclient\r\n\r\n{\"auth\":
>   {\"tenantName\": \"service\", \"passwordCredentials\": {\"username\":
>   \"swift\", \"password\": \"bar\"}}}", 8192, 0, NULL, NULL) = 304
>   25807 getsockname(9, {sa_family=AF_INET, sin_port=htons(8080),
>   sin_addr=inet_addr("192.168.101.118")}, [16]) = 0
>   25807 gettimeofday({1370936801, 180804}, NULL) = 0
>   25807 gettimeofday({1370936801, 181775}, NULL) = 0
>   25807 sendto(7, "<132>proxy-server Unable to find authentication token
>   in headers\0", 65, 0, NULL, 0) = 65
>   25807 gettimeofday({1370936801, 182507}, NULL) = 0
>   25807 sendto(7, "<134>proxy-server Invalid user token - rejecting
>   request\0", 57, 0, NULL, 0) = 57
>   25807 gettimeofday({1370936801, 183435}, NULL) = 0
>   25807 sendto(9, "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html;
>   charset=UTF-8\r\nWww-Authenticate: Keystone
>   uri='http://127.0.0.1:35357'\r\nContent-Length: 387\r\nDate: Tue, 11
>   Jun 2013 07:46:41 GMT\r\n\r\n<html>\n <head>\n  <title>401
>   Unauthorized</title>\n </head>\n <body>\n  <h1>401 Unauthorized</h1>\n
>   This server could not verify that you are authorized to\r\naccess the
>   document you requested.  Either you supplied the\r\nwrong credentials
>   (e.g., bad password), or your browser\r\ndoes not understand how to
>   supply the credentials required.\r\n<br /><br />\nAuthentication
>   required\n\n\n </body>\n</html>", 571, 0, NULL, 0) = 571
>   The proxy code seems to want an X-Auth-Token header, which the glance
>   code duly sends to other daemons.
>   Here is the config on the glance side (assuming the proxy is right to
>   complain):
>   sql_connection = mysql://glance:foo@192.168.101.118/glance
>   default_store = swift
>   swift_store_auth_version = 2
>   swift_store_auth_address = http://192.168.101.118:8080/v1/
>   swift_store_user = service:swift
>   swift_store_key = foo
>   Any clues? I've been stuck for a day now.


Hi,

Could you please send the output of the glanceclient command as well?
(please use -d -v flags).

This seems to be something related to keystone. Are you able to
authenticate to keystone and use other glance actions not requiring
swift?

Cheers,
FF

-- 
@flaper87
Flavio Percoco
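
A check for what the quoted trace and config show together: the token request `POST /v1/tokens` is the configured `swift_store_auth_address` plus `/tokens`, and it arrives on the proxy's own port 8080. This is an added example, not part of the original thread or of Glance; the function names are hypothetical, and the `/v2.0` path test assumes the Keystone v2 identity API layout.

```python
from urllib.parse import urlsplit

# Constructed sample: store options as quoted in the message (secrets omitted).
GLANCE_OPTS = """\
default_store = swift
swift_store_auth_version = 2
swift_store_auth_address = http://192.168.101.118:8080/v1/
swift_store_user = service:swift
"""
# Address the proxy is bound to, per getsockname() in the quoted strace.
PROXY_ENDPOINT = ("192.168.101.118", 8080)


def parse_opts(text):
    """Parse 'key = value' lines, skipping blanks, comments and section headers."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")) and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts


def token_url(auth_address):
    """URL a v2 password login is POSTed to: the auth address plus /tokens."""
    return auth_address.rstrip("/") + "/tokens"


def check_swift_auth(opts, proxy_endpoint):
    """Return findings for a swift store whose auth address is not an identity endpoint."""
    findings = []
    if opts.get("default_store") != "swift":
        return findings
    url = urlsplit(opts.get("swift_store_auth_address", ""))
    if (url.hostname, url.port) == proxy_endpoint:
        findings.append("auth address is the swift proxy itself; the token request "
                        "carries no X-Auth-Token and is rejected with 401")
    if (opts.get("swift_store_auth_version") == "2"
            and not url.path.rstrip("/").endswith("/v2.0")):  # assumed v2 API path
        findings.append("auth version 2 expects an identity API path ending in /v2.0")
    return findings


if __name__ == "__main__":
    opts = parse_opts(GLANCE_OPTS)
    print("token request goes to:", token_url(opts["swift_store_auth_address"]))
    for finding in check_swift_auth(opts, PROXY_ENDPOINT):
        print("WARN:", finding)
```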
