Tags: openstack, openstack-swift, keystone

401 Unauthorized when using s3 API for Swift Openstack


I am getting the following error running this:

Command:

[root@controller s3-curl]# ./s3curl.pl --debug -id personal http://controller:8080/v1/AUTH_aa58420177714dc89e6f06bf96dee164/container1/s3-curl.zip

Result:

s3curl: Found the url: host=controller; port=8080; uri=/v1/AUTH_aa58420177714dc89e6f06bf96dee164/container1/s3-curl.zip; query=;
s3curl: cname endpoint signing case
s3curl: StringToSign='HEAD\n\n\nFri, 09 Oct 2020 16:18:12 +0000\n/controller:8080/v1/AUTH_aa58420177714dc89e6f06bf96dee164/container1/s3-curl.zip'
s3curl: exec curl -H Date: Fri, 09 Oct 2020 16:18:12 +0000 -H Authorization: AWS 05fbbd16b6b2479394a2d0b921260499:G75HMR7jeuTJYQZkohVtLPFYyq8= -L -H content-type:  -I http://controller:8080/v1/AUTH_aa58420177714dc89e6f06bf96dee164/container1/s3-curl.zip
HTTP/1.1 401 Unauthorized
Date: Fri, 09 Oct 2020 16:18:12 GMT
Server: Apache/2.4.37 (centos) mod_wsgi/4.6.4 Python/3.6
Www-Authenticate: Swift realm="AUTH_aa58420177714dc89e6f06bf96dee164"
WWW-Authenticate: Keystone uri="http://controller:5000/v3/"
X-Trans-Id: txc86fb2c114b845e9b4f1f-005f808d46
X-Openstack-Request-Id: txc86fb2c114b845e9b4f1f-005f808d46
Content-Type: text/html; charset=UTF-8


[root@controller s3-curl]# cat ../.s3curl
%awsSecretAccessKeys = (
    # personal account
    personal => {
        id => '05fbbd16b6b2479394a2d0b921260499',
        key => '7a129e96850a408b91eba0e4c4bad53d',
    },

);





[root@controller ~]# openstack ec2 credentials list
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+
| Access                           | Secret                           | Project ID                       | User ID                          |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+
| 0c55e069db00409cb5f6579ecb3be056 | 1f1b5bb52783449f829f338d61bc3746 | aa58420177714dc89e6f06bf96dee164 | e6bc765a255847e7aa50bb10ea961185 |
| 872926651be443e7ad28645742532972 | 539f6dd99c6e4d3ab38f691760854a05 | aa58420177714dc89e6f06bf96dee164 | e6bc765a255847e7aa50bb10ea961185 |
| 05fbbd16b6b2479394a2d0b921260499 | 7a129e96850a408b91eba0e4c4bad53d | aa58420177714dc89e6f06bf96dee164 | e6bc765a255847e7aa50bb10ea961185 |
+----------------------------------+----------------------------------+----------------------------------+----------------------------------+
[root@controller ~]# openstack object list container1
+-------------+
| Name        |
+-------------+
| s3-curl.zip |
+-------------+
[root@controller ~]# cat /etc/swift/proxy-server.conf

Here are the contents of proxy-server.conf. I keep triggering spam protection, so I had to strip out most of the information/comments. Should be unimportant to someone who knows what they're talking about, but I can make a pastebin or something if need be.

[pipeline:main]
#pipeline = catch_errors gatekeeper healthcheck proxy-logging cache listing_formats container_sync bulk tempurl ratelimit s3api tempauth copy container-quotas account-quotas slo dlo versioned_writes symlink proxy-logging proxy-server
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk ratelimit authtoken s3api s3token  keystoneauth copy container-quotas account-quotas slo dlo versioned_writes symlink proxy-logging proxy-server
[app:proxy-server]
use = egg:swift#proxy
# set log_name = proxy-server
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_address = /dev/log
# require_proxy_protocol = false
# log_handoffs = true
# recheck_account_existence = 60
# recheck_container_existence = 60
# recheck_updating_shard_ranges = 3600
# object_chunk_size = 65536
# client_chunk_size = 65536
# node_timeout = 10
# recoverable_node_timeout = node_timeout
# conn_timeout = 0.5
# post_quorum_timeout = 0.5
# error_suppression_interval = 60
# error_suppression_limit = 10
# allow_account_management = false
account_autocreate = true
# max_containers_per_account = 0
# max_containers_whitelist =
# deny_host_headers =
# sorting_method = shuffle
# timing_expiry = 300
# rebalance_missing_suppression_count = 1
# concurrent_gets = off
# concurrency_timeout = 0.5
# concurrent_ec_extra_requests = 0
# request_node_count = 2 * replicas
# read_affinity = r1z1=100, r1z2=200, r2=300
# read_affinity =
# write_affinity = r1, r2
# write_affinity =
# write_affinity_node_count = 2 * replicas
# write_affinity_handoff_delete_count = auto
# swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control
# nice_priority =
# Work only with ionice_class.
# ionice_class =
# ionice_priority =
# [proxy-server:policy:<policy index>]
# sorting_method =
# read_affinity =
# write_affinity =
# write_affinity_node_count =
# write_affinity_handoff_delete_count =
# rebalance_missing_suppression_count = 1
# concurrent_gets = off
# concurrency_timeout = 0.5
# concurrent_ec_extra_requests = 0
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
www_authenticate_uri = http://controller:5000/v3/
auth_url = http://controller:5000/v3/
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = admin
username = admin
password = **********
delay_auth_decision = True
# cache = swift.cache
# include_service_catalog = False
[filter:keystoneauth]
use = egg:swift#keystoneauth
#reseller_prefix = AUTH
operator_roles = admin, user
# reseller_admin_role = ResellerAdmin
allow_overrides = true
# service_roles =
# default_domain_id = default
# allow_names_in_acls = true
[filter:s3api]
use = egg:swift#s3api
#   auth_token
# allow_no_owner = false
location = us-east-1
# dns_compliant_bucket_names = True
# max_bucket_listing = 1000
# max_parts_listing = 1000
# max_multi_delete_objects = 1000
# multi_delete_concurrency = 2
#s3_acl = true
# storage_domain =
# auth_pipeline_check = True
# allow_multipart_uploads = True
# max_upload_part_num = 1000
# check_bucket_owner = false
# force_swift_request_proxy_log = false
# min_segment_size = 5242880
# log_name = s3api
[filter:s3token]
use = egg:swift#s3token
#reseller_prefix = AUTH_
delay_auth_decision = True
auth_uri = http://controller:5000/v3/
http_timeout = 10.0
# secret_cache_duration = 0
# insecure = False
# certfile =
# keyfile =
# log_name = s3token
# secret_cache_duration = 0
# auth_url = http://keystonehost:5000
# auth_type = password
# project_domain_id = default
# project_name = service
# user_domain_id = default
# username = swift
# password = password

What I've tried:

-everything suggested, as found through thorough web searching

-completely rebuilding the setup from start to where I am now. Twice

-many small config changes, tweaks, the usual

-reading many online articles

I would appreciate any help diagnosing why I am receiving this 401 error, and any help fixing it as well. Thanks!


Solution

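  • Apparently it was Apache causing the issue. We switched to nginx and it works now. A likely explanation (not confirmed here): the 401 above carries Swift and Keystone challenges rather than an S3-style error, and the Server header shows mod_wsgi, which by default does not pass the Authorization header through to the WSGI application unless WSGIPassAuthorization On is set, so s3api may never have seen the AWS signature.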