ThorneLabs

OpenStack Swift 401 Unauthorized When Using the swift Command

• Updated March 17, 2019


After setting up an OpenStack Swift Cluster with TempAuth, I wanted to authenticate Swift against Keystone instead of TempAuth. However, I kept encountering 401 Unauthorized errors when running the swift command even though I was fairly certain everything was configured properly.

The following are the errors I encountered (192.168.236.60 is the Swift Proxy node’s IP address).

When running swift list the following error was thrown:

Account GET failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3?format=json 401 Unauthorized  [first 60 chars of response] 401 Unauthorized

This server could not verify that you are 

When running swift stat the following error was thrown:

Account HEAD failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3 401 Unauthorized

In addition, the following was being outputted in /var/log/messages on the Swift Proxy node:

localhost proxy-server: STDOUT: No handlers could be found for logger "keystone.common.cms" (txn: tx2cac3bf28904438bb88a5-0053c048ed)

I’m not sure how relevant that log is, but it was being thrown every time I ran one of the swift commands.

Google searching returns many results trying to troubleshoot the 401 Unauthorized error. Most of the proposed solutions did not apply to my Swift cluster because the original poster was missing configuration parameters that I already had in place.

After comparing the output of swift --debug list from my Swift Cluster to a working Swift Cluster, I discovered the problem.

My Keystone server was configured to use PKI tokens. Apparently, Swift 1.12.0 is not compatible with PKI tokens. With PKI tokens enabled, everything was working in the Horizon Dashboard, but the swift command would always return 401 Unauthorized even though the user I was authenticated as had the admin or SwiftOperator roles.

The fix was to modify Keystone to use UUID tokens. This can be quickly changed by opening /etc/keystone/keystone.conf, searching for token_format, and changing its value from PKI to UUID. Be sure to restart the Keystone service after making the change.

With that change in place, the swift command ran without a problem.

If you found this post useful and would like to help support this site - and get something for yourself - sign up for any of the services listed below through the provided affiliate links. I will receive a referral payment from any of the services you sign-up for.

Get faster shipping and more with Amazon Prime: About to order something from Amazon but want to get more value out of the money you would normally pay for shipping? Sign-up for a free 30-day trial of Amazon Prime to get free two-day shipping, access to thousands of movies and TV shows, and more.

Thanks for reading and take care.