I'm trying to access Swift with curl using Keystone-based authentication (following the Keystone API docs here).
curl -d '{"auth": {"passwordCredentials": {
"username": "USERNAME", "password": "PASSWORD"}}}' \
-H "Content-Type: application/json" \
http://identity:35357/v2.0/tokens
Response:
{
    "access": {
        "token": {
            "expires": "2014-02-27T11:35:11Z",
            "id": "TOKENID"
        },
        "serviceCatalog": [],
        "user": {
            "username": "USERNAME",
            "roles_links": [],
            "id": "USERID",
            "roles": [],
            "name": "NAME"
        }
    }
}
Note that, contrary to what's said in the API docs, the tenant info is missing from the response.
curl -H "X-Auth-Token: TOKENID" http://swift/v1/AUTH_TENANTID/bucket
Response: 401 Unauthorized
After looking inside the Keystone auth_token middleware, I found that it fails when trying to fetch the tenant from the token data:
def get_tenant_info():
    """Returns a (tenant_id, tenant_name) tuple from context."""
    def essex():
        """Essex puts the tenant ID and name on the token."""
        return (token['tenant']['id'], token['tenant']['name'])

    def pre_diablo():
        """Pre-diablo, Keystone only provided tenantId."""
        return (token['tenantId'], token['tenantId'])

    def default_tenant():
        """Pre-grizzly, assume the user's default tenant."""
        return (user['tenantId'], user['tenantName'])

    for method in [essex, pre_diablo, default_tenant]:
        try:
            return method()
        except KeyError:
            pass

    raise InvalidUserToken('Unable to determine tenancy.')
Since there is no tenant info in the token data, it always fails. What might I be doing wrong?
This answer addresses your initial authentication question, but not the rest of the question...
Your initial request:
curl -d '{"auth": {"passwordCredentials": {
"username": "USERNAME", "password": "PASSWORD"}}}' \
-H "Content-Type: application/json" \
http://identity:35357/v2.0/tokens
Needs to provide either a tenantName or tenantId attribute. With either of these supplied, your reply should include both the tenant information and a service catalog, for looking up other service endpoints.
So:
curl -d '{"auth": {"tenantName": "mytenant", "passwordCredentials": {
"username": "USERNAME", "password": "PASSWORD"}}}' \
-H "Content-Type: application/json" \
http://identity:35357/v2.0/tokens
Which should get you something like this:
{
    "access": {
        "metadata": {
            "roles": [
                "9fe2ff9ee4384b1894a90878d3e92bab",
                "0ecb6fccfd8546148cbb00b6d51364ce"
            ],
            "is_admin": 0
        },
        "user": {
            "name": "lars",
            "roles": [
                {
                    "name": "_member_"
                },
                {
                    "name": "admin"
                }
            ],
            "id": "436d522125584cf3a21ddcf628d59e2e",
            "roles_links": [],
            "username": "lars"
        },
        "serviceCatalog": [
            {
                "name": "nova",
                "type": "compute",
                "endpoints_links": [],
                "endpoints": [
                    {
                        "publicURL": "http://192.168.200.1:8774/v2/28a490a259974817b88ce490a74df8d2",
                        "id": "264f2b4179ca4d6ca3a62b7347db11ce",
                        "internalURL": "http://192.168.200.1:8774/v2/28a490a259974817b88ce490a74df8d2",
                        "region": "RegionOne",
                        "adminURL": "http://192.168.200.1:8774/v2/28a490a259974817b88ce490a74df8d2"
                    }
                ]
            },
            .
            .
            .
        ],
        "token": {
            "tenant": {
                "name": "users/lars",
                "id": "28a490a259974817b88ce490a74df8d2",
                "enabled": true,
                "description": null
            },
            "id": "TOKENID",
            "expires": "2014-02-21T20:07:36Z",
            "issued_at": "2014-02-20T20:07:36.189044"
        }
    }
}
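A client-side check for the difference between the two responses above, as an added example that is not part of the question, the answer, or Keystone's code: it looks for the tenant in the same three places as the middleware excerpt and reads an endpoint from the service catalog. The names `tenant_from_access`, `public_url` and `UnscopedToken` are hypothetical, and the sample dictionaries are constructed from the responses on this page.

```python
class UnscopedToken(Exception):
    """The v2.0 token response names no tenant."""


def tenant_from_access(access):
    """Return (tenant_id, tenant_name) from the "access" object, checking the
    same three locations as the middleware excerpt in the question."""
    token, user = access.get("token", {}), access.get("user", {})
    lookups = (
        lambda: (token["tenant"]["id"], token["tenant"]["name"]),
        lambda: (token["tenantId"], token["tenantId"]),
        lambda: (user["tenantId"], user["tenantName"]),
    )
    for lookup in lookups:
        try:
            return lookup()
        except KeyError:
            continue
    raise UnscopedToken("no tenant on token or user; request a scoped token")


def public_url(access, service_type):
    """Return the first publicURL listed for service_type, or None."""
    for service in access.get("serviceCatalog", []):
        if service.get("type") == service_type and service.get("endpoints"):
            return service["endpoints"][0].get("publicURL")
    return None


# Constructed samples, trimmed from the two responses shown on this page.
UNSCOPED = {"token": {"id": "TOKENID", "expires": "2014-02-27T11:35:11Z"},
            "serviceCatalog": [],
            "user": {"username": "USERNAME", "id": "USERID", "roles": []}}
SCOPED = {"token": {"id": "TOKENID",
                    "tenant": {"id": "28a490a259974817b88ce490a74df8d2",
                               "name": "users/lars"}},
          "serviceCatalog": [{"type": "compute", "name": "nova", "endpoints": [
              {"publicURL": "http://192.168.200.1:8774/v2/"
                            "28a490a259974817b88ce490a74df8d2"}]}],
          "user": {"username": "lars", "name": "lars"}}

if __name__ == "__main__":
    for label, access in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        try:
            print(label, tenant_from_access(access), public_url(access, "compute"))
        except UnscopedToken as exc:
            print(label, "rejected:", exc)
```

Running the check on the token response before calling another service surfaces the missing tenant at the client instead of as a 401 from the service.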