ThorneLabs

Authenticate OpenStack Swift Against Keystone Instead of TempAuth

Updated March 17, 2019


In a previous post I described how to install a stand-alone, multi-node OpenStack Swift Cluster with VirtualBox or VMware Fusion and Vagrant. That post configures Swift’s TempAuth module for authentication. However, if you have an existing OpenStack environment, or just an OpenStack Keystone server already setup, you can just as easily use Keystone instead.

The following steps pertain to the environment set up in the previous post mentioned above. If you do not have a Keystone server set up, you can quickly set one up using DevStack, RDO, or Rackspace Private Cloud.

Log in to your Controller or Keystone Node

Begin by logging in to your controller or Keystone node.

Before continuing, be sure Keystone is using UUID-formatted tokens, or you may encounter 401 Unauthorized errors when using the swift command. Confirm this by looking for the token_format parameter in /etc/keystone/keystone.conf and setting its value to UUID.

Source your admin OpenStack credentials. This is typically a file named openrc.

Next, create user swift (you should change the password) and assign it to the service tenant:

keystone user-create --name=swift --pass=swift --tenant-id=$(keystone tenant-list | awk '/ service / {print $2}')

Assign the swift user the admin role within the service tenant:

keystone user-role-add --user=swift --role=admin --tenant=service

Create the swift service:

keystone service-create --name=swift --type=object-store --description="OpenStack Object Storage"

Create the Keystone Service Endpoints for Swift (be sure to change the IP address to point to your Swift Proxy Node):

keystone endpoint-create \
--region RegionOne \
--service-id=$(keystone service-list | awk '/ object-store / {print $2}') \
--publicurl='http://192.168.236.60:8080/v1/AUTH_%(tenant_id)s' \
--internalurl='http://192.168.236.60:8080/v1/AUTH_%(tenant_id)s' \
--adminurl=http://192.168.236.60:8080/

Create the SwiftOperator role:

keystone role-create --name SwiftOperator

Apply the SwiftOperator role to any non-admin user that you want to allow to use Swift. If you do not, you will encounter this error.

Log in to your Swift Proxy Node

Log in to your OpenStack Swift Proxy node.

Open /etc/swift/proxy-server.conf with your favorite command-line text editor and input the following configuration (be sure to change the IP addresses to match your environment).

[DEFAULT]
bind_ip = 192.168.236.60
bind_port = 8080
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:cache]
use = egg:swift#memcache
memcache_servers = 192.168.252.60:11211

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name = service
admin_user = swift
admin_password = swift
auth_host = 192.168.236.20
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.236.20:5000
signing_dir = /tmp/keystone-signing-swift

With the new configuration in place, restart the openstack-swift-proxy service:

swift-init proxy restart

You should now be able to source your admin OpenStack credentials (this is typically a file named openrc) and run the swift command.
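As an added example (not part of the original post or of Swift itself), the following Python checker reads a proxy-server.conf and reports the mistakes that most often break or weaken this setup: a pipeline entry with no section, a filter section that is defined but never placed in the pipeline, authtoken placed after keystoneauth (authtoken validates the token and sets the identity and role headers that keystoneauth then authorizes on, so it must run first), and the default swift password or plain-http Keystone settings left unchanged. The sample configuration embedded in it is constructed from the post's own proxy-server.conf.

```python
import configparser

# Constructed sample: this post's pipeline and filter sections, default password kept.
SAMPLE_CONF = """\
[pipeline:main]
pipeline = healthcheck cache authtoken keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
[filter:cache]
use = egg:swift#memcache
[filter:catch_errors]
use = egg:swift#catch_errors
[filter:healthcheck]
use = egg:swift#healthcheck
[filter:keystone]
use = egg:swift#keystoneauth
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_password = swift
auth_protocol = http
"""
AUTHTOKEN = "auth_token:filter_factory"  # suffix of the auth_token paste factory


def _impl(cp, name):
    """Middleware a pipeline entry loads: its 'use' or paste.filter_factory."""
    sect = next((s for s in ("filter:" + name, "app:" + name) if cp.has_section(s)), None)
    return sect and cp.get(sect, "use", fallback=cp.get(sect, "paste.filter_factory", fallback=""))


def check_proxy_conf(text):
    """Return a list of findings for a Swift proxy-server.conf string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    impls = {n: _impl(cp, n) for n in pipeline}  # None for entries with no section
    findings = [f"pipeline entry '{n}' has no section" for n, i in impls.items() if i is None]
    # A [filter:x] section that is not named in the pipeline is never executed.
    findings += [f"{s} is defined but not in the pipeline"
                 for s in cp.sections() if s.startswith("filter:") and s[7:] not in pipeline]
    # auth_token sets the identity/role headers keystoneauth authorizes on: it must run first.
    tok = next((pipeline.index(n) for n, i in impls.items() if i and i.endswith(AUTHTOKEN)), None)
    ksa = next((pipeline.index(n) for n, i in impls.items() if i == "egg:swift#keystoneauth"), None)
    if tok is not None and ksa is not None and tok > ksa:
        findings.append("authtoken must precede keystoneauth in the pipeline")
    for n, i in impls.items():
        if i and i.endswith(AUTHTOKEN):
            if cp.get("filter:" + n, "admin_password", fallback="") == "swift":
                findings.append(f"filter:{n}: admin_password is still the default")
            if cp.get("filter:" + n, "auth_protocol", fallback="http") == "http":
                findings.append(f"filter:{n}: Keystone is contacted over plain http")
    return findings
```

Run it against the real file with check_proxy_conf(open("/etc/swift/proxy-server.conf").read()); an empty list means the checks above all passed.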