OpenStack Swift 401 Unauthorized When Using the swift Command

Wednesday, July 16, 2014

After setting up a Swift Cluster with TempAuth, I wanted to remove TempAuth and use Keystone to authenticate. However, I kept encountering 401 Unauthorized errors when running the swift command even though I was fairly certain everything was configured properly.

The following are the errors I encountered (192.168.236.60 is the Swift Proxy node’s IP address).

When running swift list the following error was thrown:

Account GET failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3?format=json 401 Unauthorized  [first 60 chars of response] 401 Unauthorized

This server could not verify that you are 

When running swift stat the following error was thrown:

Account HEAD failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3 401 Unauthorized

In addition, the following was being outputted in /var/log/messages on the Swift Proxy node:

localhost proxy-server: STDOUT: No handlers could be found for logger "keystone.common.cms" (txn: tx2cac3bf28904438bb88a5-0053c048ed)

I’m not sure how relevant that log is, but it was being thrown every time I ran one of the swift commands.

Google is full of threads and posts trying to troubleshoot the 401 Unauthorized error. Most of the proposed solutions did not apply to my cluster because the original poster was missing configuration parameters that I already had in place.

After comparing the output of swift --debug list from my Swift Cluster to a working Swift Cluster, I discovered the problem.

My Keystone server was configured to use PKI tokens. Apparently, Swift 1.12.0 is not compatible with PKI tokens. With PKI tokens enabled, everything was working fine in the Horizon Dashboard, but the swift command would always return 401 Unauthorized even though the user I was authenticated as had the admin or SwiftOperator roles.

The fix was to modify Keystone to use UUID tokens. This can be quickly changed by opening /etc/keystone/keystone.conf, searching for token_format, and changing its value from PKI to UUID. Be sure to restart the Keystone service after making the change.

With that change in place, the swift commands ran without problem.



comments powered by Disqus