Comment 5 for bug 1177526

Alejandro Comisario (alejandro-comisario) wrote :

Thanks for the quick response Chmouel.
Here's how we mis-achieve the deletion of an account while being in the operator_roles.
Again, we are using SWIFT 1.7.4 (Folsom release) with the essex keystone middleware 2012.1.4, since we are hitting a keystone/essex service.

1 - Our proxy-server.conf file, where you can see, in the keystoneauth section, the operator_roles line composed of the admin and swiftoperator roles.

cat /etc/swift/proxy-server.conf

[DEFAULT]
bind_port = 8080
workers = 16
user = swift
log_name = swift-proxy-server
log_facility = LOG_LOCAL0
log_level = DEBUG
log_headers = True
log_address = /dev/log

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true
set log_name = swift-proxy-server
set log_facility = LOG_LOCAL0
set log_level = DEBUG
set access_log_name = swift-proxy-server
set access_log_facility = LOG_LOCAL0
set access_log_level = DEBUG
set log_headers = True

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:cache]
use = egg:swift#memcache
set log_name = cache
memcache_servers = 172.16.177.253:11211,172.16.177.254:11211

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
is_admin = true

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = essexkeystone.melicloud.com
service_port = 5000
auth_protocol = http
auth_host = essexkeystone.melicloud.com
auth_port = 35357
admin_tenant_name = swift
admin_user = swiftAdmin
admin_password = xxxxxxxxx
delay_auth_decision = 1
token_cache_time = 43200
memcache_servers = 172.16.177.253:11211,172.16.177.254:11211

[filter:proxy-logging]
use = egg:swift#proxy_logging

2 - In the token and user section from the result of a "get token" operation you can see that the user mvenesio has the swiftoperator role, as well as the swift url at the endpoints section.

            {
                "endpoints": [
                    {
                        "adminURL": "http://172.16.1.84:8080/",
                        "internalURL": "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21",
                        "publicURL": "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21",
                        "region": "SwiftRegion"
                    }
                ],
                "endpoints_links": [],
                "name": "swift",
                "type": "object-store"
            },
        ],
        "token": {
            "expires": "2013-05-14T16:53:22Z",
            "id": "8ff060e2e2d54cfc97602692096d5e98",
            "tenant": {
                "description": null,
                "enabled": true,
                "id": "1bf1f1b69a864abb84ed8a1bc82cff21",
                "name": "cloudbuilders"
            }
        },
        "user": {
            "id": "28db445c87aa48cea5b7b33cd9c18adf",
            "name": "mvenesio",
            "roles": [
                {
                    "id": "6626d07a39e7415fbad7d51d99b130a8",
                    "name": "cloudadmin"
                },
                {
                    "id": "cc04c30d58b646cba087a1e55093f8dc",
                    "name": "asoc_cloudbuilders"
                },
                {
                    "id": "98d21d4ee2624ba182e310f84fb7b120",
                    "name": "swiftoperator"
                }
            ],
            "roles_links": [],
            "username": "mvenesio"
        }
    }
}

3 - So, here we will use the mvenesio user to check the existence of the "AUTH_1bf1f1b69a864abb84ed8a1bc82cff21" account, which has a few containers inside; then we can DELETE the account, and we will not be able to recreate it until the reclaim_age time.

mvenesio@maxbox:~# curl -X GET -H "X-Auth-Token: 8ff060e2e2d54cfc97602692096d5e98" "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21" -I
HTTP/1.1 200 OK
X-Account-Object-Count: 0
X-Timestamp: 1343764253.09865
X-Account-Bytes-Used: 0
X-Account-Container-Count: 4
Accept-Ranges: bytes
Content-Length: 24
Content-Type: text/plain; charset=utf-8
X-Trans-Id: tx7dbc8d47fe1e49568b159ccb1893d8ed
Date: Mon, 13 May 2013 17:15:54 GMT

mvenesio@maxbox:~# curl -X GET -H "X-Auth-Token: 8ff060e2e2d54cfc97602692096d5e98" "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21"
test1
test2
test3
test4

mvenesio@maxbox:~# curl -X DELETE -H "X-Auth-Token: 8ff060e2e2d54cfc97602692096d5e98" "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21"
404 Not Found

The resource could not be found.

mvenesio@maxbox:~# curl -X GET -H "X-Auth-Token: 8ff060e2e2d54cfc97602692096d5e98" "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21" -I
HTTP/1.1 403 Forbidden
Content-Length: 16
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx1b2d6ae7dba141478935f455bb160784
Date: Mon, 13 May 2013 17:16:22 GMT

mvenesio@maxbox:~# curl -X GET -H "X-Auth-Token: 8ff060e2e2d54cfc97602692096d5e98" "http://172.16.1.84:8080/v1/AUTH_1bf1f1b69a864abb84ed8a1bc82cff21"
Recently deleted

mvenesio@maxbox:~#
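
A configuration audit for the condition reported in this comment, as an added example (not part of the original comment and not Swift's own code): it flags a proxy-server.conf where keystoneauth is in the pipeline, allow_account_management is on, and a token role matches operator_roles. The function names and the embedded sample are constructed for illustration; the case-insensitive role comparison is an assumption.

```python
import configparser

# Constructed sample: the relevant lines of the proxy-server.conf from step 1.
SAMPLE_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystoneauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
"""

TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}


def load_conf(text):
    # The file uses "set key = value" lines; strip the prefix so lookups are uniform.
    lines = [l[4:] if l.startswith("set ") else l for l in text.splitlines()]
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string("\n".join(lines))
    return cp


def account_delete_exposure(conf_text, token_roles):
    """Return the token roles that match operator_roles while the proxy
    accepts account management requests; an empty list means no match."""
    cp = load_conf(conf_text)
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    if "keystoneauth" not in pipeline:
        return []
    mgmt = cp.get("app:proxy-server", "allow_account_management", fallback="false")
    if mgmt.strip().lower() not in TRUE_VALUES:
        return []
    # Only an explicit operator_roles line is evaluated here.
    raw = cp.get("filter:keystoneauth", "operator_roles", fallback="")
    operator_roles = {r.strip().lower() for r in raw.split(",") if r.strip()}
    # Assumption: role names are compared case-insensitively.
    return sorted(r for r in token_roles if r.lower() in operator_roles)


if __name__ == "__main__":
    # Role names taken from the token shown in step 2.
    roles = ["cloudadmin", "asoc_cloudbuilders", "swiftoperator"]
    hits = account_delete_exposure(SAMPLE_CONF, roles)
    print("roles able to DELETE the account:", hits or "none")
```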