Authenticate OpenStack Swift Against Keystone Instead of TempAuth

• Updated March 17, 2019


In a previous post I described how to install a stand-alone, multi-node OpenStack Swift cluster with VirtualBox or VMware Fusion and Vagrant. That post configures Swift’s TempAuth module for authentication. However, if you have an existing OpenStack environment, or just an OpenStack Keystone server already set up, you can just as easily use Keystone instead.

The following steps pertain to the environment set up in the previous post mentioned above. If you do not have a Keystone server set up, you can quickly create one using DevStack, RDO, or Rackspace Private Cloud.

Log in to your Controller or Keystone Node

Begin by logging in to your controller or Keystone node.

Before continuing, make sure Keystone is issuing UUID-formatted tokens, or you may encounter 401 Unauthorized errors when using the swift command. Confirm this by locating the token_format parameter in /etc/keystone/keystone.conf and setting its value to UUID.

Source your admin OpenStack credentials. This is typically a file named openrc.

Next, create user swift (you should change the password) and assign it to the service tenant:

keystone user-create --name=swift --pass=swift --tenant-id=$(keystone tenant-list | awk '/ service / {print $2}')

Assign the swift user the admin role within the service tenant:

keystone user-role-add --user=swift --role=admin --tenant=service

Create the swift service:

keystone service-create --name=swift --type=object-store --description="OpenStack Object Storage"

Create the Keystone Service Endpoints for Swift (be sure to change the IP address to point to your Swift Proxy Node):

keystone endpoint-create \
--region RegionOne \
--service-id=$(keystone service-list | awk '/ object-store / {print $2}') \
--publicurl='http://192.168.236.60:8080/v1/AUTH_%(tenant_id)s' \
--internalurl='http://192.168.236.60:8080/v1/AUTH_%(tenant_id)s' \
--adminurl=http://192.168.236.60:8080/

Create the SwiftOperator role:

keystone role-create --name SwiftOperator

Apply the SwiftOperator role to any non-admin user that you want to allow to use Swift. If you do not, you will encounter this error.

Log in to your Swift Proxy Node

Log in to your OpenStack Swift Proxy node.

Open /etc/swift/proxy-server.conf with your favorite command-line text editor and input the following configuration (be sure to change the IP addresses to match your environment).

[DEFAULT]
bind_ip = 192.168.236.60
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:cache]
use = egg:swift#memcache
memcache_servers = 192.168.252.60:11211

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name = service
admin_user = swift
admin_password = swift
auth_host = 192.168.236.20
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.236.20:5000
signing_dir = /tmp/keystone-signing-swift

With the new configuration in place, restart the openstack-swift-proxy service:

swift-init proxy restart

You should now be able to source your admin OpenStack credentials (this is typically a file named openrc) and run the swift command.
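Before restarting the proxy, it is worth checking the edited proxy-server.conf for the mistakes that most often turn a TempAuth-to-Keystone switch into 401s or a cleartext token path. The linter below is an added example, not code from the original post or from Swift; it embeds a constructed sample modelled on the configuration above and flags a pipeline without authtoken ahead of keystoneauth, a leftover tempauth filter, a missing catch_errors, an empty operator_roles, an admin_password equal to the username, and Keystone reached over plain http.

```python
"""Lint a Swift proxy-server.conf for the Keystone auth pipeline (added example)."""
import configparser

# Constructed sample modelled on this post's proxy-server.conf, trimmed to the checked sections.
SAMPLE_CONF = """
[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_user = swift
admin_password = swift
auth_protocol = http
auth_uri = http://192.168.236.20:5000
"""


def check_proxy_conf(text):
    """Return a list of findings; an empty list means the auth setup looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    # Locate the keystoneauth filter by its egg, whatever the section is named.
    ks = [s.split(":", 1)[1] for s in cp.sections() if s.startswith("filter:")
          and cp.get(s, "use", fallback="") == "egg:swift#keystoneauth"]
    if not ks or ks[0] not in pipeline or "authtoken" not in pipeline:
        findings.append("pipeline: authtoken and the keystoneauth filter must both be listed")
    elif not (pipeline[-1] == "proxy-server" and pipeline.index("authtoken") < pipeline.index(ks[0])):
        findings.append("pipeline: order must be ... authtoken <keystoneauth> ... proxy-server")
    if "tempauth" in pipeline:
        findings.append("pipeline: tempauth still present; remove it when switching to Keystone")
    if pipeline and pipeline[0] != "catch_errors":
        findings.append("pipeline: catch_errors should be the first filter")
    if ks and not cp.get("filter:" + ks[0], "operator_roles", fallback="").strip():
        findings.append("keystoneauth: operator_roles is empty, so no tenant user can use Swift")
    at = "filter:authtoken"
    if cp.has_section(at):
        if cp.get(at, "admin_password", fallback="") == cp.get(at, "admin_user", fallback=None):
            findings.append("authtoken: admin_password equals admin_user; set a real password")
        if cp.get(at, "auth_protocol", fallback="http") != "https" or not cp.get(at, "auth_uri", fallback="").startswith("https://"):
            findings.append("authtoken: Keystone is reached over plain http; tokens travel in clear")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the sample it reports the default password, the plain-http Keystone endpoint and the missing catch_errors; point it at your real /etc/swift/proxy-server.conf by reading the file into check_proxy_conf.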


Thanks for reading and take care.