After setting up an OpenStack Swift Cluster with TempAuth, I wanted to authenticate Swift against Keystone instead of TempAuth. However, I kept encountering 401 Unauthorized errors when running the swift command even though I was fairly certain everything was configured properly.
The following are the errors I encountered (192.168.236.60 is the Swift Proxy node’s IP address).
When running swift list the following error was thrown:
Account GET failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3?format=json 401 Unauthorized [first 60 chars of response] 401 Unauthorized
This server could not verify that you are
When running swift stat the following error was thrown:
Account HEAD failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3 401 Unauthorized
In addition, the following was being outputted in /var/log/messages on the Swift Proxy node:
localhost proxy-server: STDOUT: No handlers could be found for logger "keystone.common.cms" (txn: tx2cac3bf28904438bb88a5-0053c048ed)
I’m not sure how relevant that log is, but it was being thrown every time I ran one of the swift commands.
Google searching returns many results trying to troubleshoot the 401 Unauthorized error. Most of the proposed solutions did not apply to my Swift cluster because the original poster was missing configuration parameters that I already had in place.
After comparing the output of swift --debug list from my Swift Cluster to a working Swift Cluster, I discovered the problem.
My Keystone server was configured to use PKI tokens. Apparently, Swift 1.12.0 is not compatible with PKI tokens. With PKI tokens enabled, everything was working in the Horizon Dashboard, but the swift command would always return 401 Unauthorized even though the user I was authenticated as had the admin or SwiftOperator roles.
The fix was to modify Keystone to use UUID tokens. This can be quickly changed by opening /etc/keystone/keystone.conf, searching for token_format, and changing its value from PKI to UUID. Be sure to restart the Keystone service after making the change.
With that change in place, the swift command ran without a problem.
