Swift/DevstackSetupForKeystoneV3
Setting up devstack to run swift with keystone v3 API
Install devstack
Instructions for devstack all-in-one installation are here: http://devstack.org/guides/single-machine.html
Edit devstack/local.conf as described on that page.
Before running stack.sh there are a few more config changes to make.
1. If you have proxy settings in your environment be sure to set no_proxy for local address ranges e.g.
export no_proxy=192.168.58.0/8,localhost,127.0.0.0/8,.localdomain
(replace 192.168.58.0 with your VM subnet)
2. Enable swift to run in devstack
By default devstack does not run swift, so add a line to devstack/local.conf in the Swift section:
enable_service s-proxy s-object s-container s-account
(see http://devstack.org/configuration.html)
3. Enable keystone v3 API to be used by swift's auth middleware
Add a line to devstack/lib/swift in function configure_swift(), in the section starting with the comment "# Configure Keystone":
iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_version v3.0
(at time of writing this was at line 369 in devstack/lib/swift )
4. Configure keystone to use UUID tokens rather than PKI - this may not be necessary but avoids any issues arising from large PKI tokens exceeding Swift's default max header size.
Edit existing variable in devstack/lib/keystone:
KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-UUID}
Now run devstack:
$ cd devstack
$ ./stack.sh
Enter SERVICE_TOKEN password when prompted (examples below assume this is 'ADMIN').
With devstack running, check the [filter:authtoken] section in /etc/swift/proxy-server.conf to verify that auth_version = v3.0 is set.
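The verification step above can be scripted so that it reads only the [filter:authtoken] section and ignores commented-out lines and same-named keys in other sections. This is an added example, not part of the original wiki page or of devstack; the function names ini_get, check_swift_auth_version and sample_conf are hypothetical, and the sample config is constructed.

```shell
# Added example: check auth_version in [filter:authtoken] of proxy-server.conf.

# ini_get FILE SECTION KEY: print KEY's value in SECTION; status 1 if absent.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_sec = (trim($0) == want); next }
        in_sec && (eq = index($0, "=")) {
            if (trim(substr($0, 1, eq - 1)) == key) {
                val = trim(substr($0, eq + 1)); found = 1
            }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# check_swift_auth_version FILE: succeed only if the value is exactly v3.0.
check_swift_auth_version() {
    if ! actual=$(ini_get "$1" filter:authtoken auth_version); then
        echo "FAIL: auth_version not set in [filter:authtoken] of $1"
        return 1
    fi
    if [ "$actual" != "v3.0" ]; then
        echo "FAIL: auth_version = $actual (expected v3.0)"
        return 1
    fi
    echo "OK: auth_version = $actual"
}

# sample_conf VALUE: constructed sample config, not real devstack output.
sample_conf() {
    cat <<EOF
[DEFAULT]
auth_version = v2.0

[filter:authtoken]
# auth_version = v2.0
auth_version = $1

[filter:keystoneauth]
use = egg:swift#keystoneauth
EOF
}

tmp=$(mktemp)
sample_conf v3.0 > "$tmp"
check_swift_auth_version "$tmp"   # on the devstack host: /etc/swift/proxy-server.conf
rm -f "$tmp"
```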
Install openstackclient
openstackclient will be used to set up users and projects in non-default keystone domains - keystoneclient CLI does not support non-default domains.
On a client machine:
$ git clone https://github.com/openstack/python-openstackclient.git openstackclient
$ cd openstackclient
[ may be needed: $ sudo pip install -r requirements.txt ]
$ sudo python setup.py install
$ cd ..
The openstack client command line help is here: https://wiki.openstack.org/wiki/OpenStackClient/Commands
Use openstackclient to create a domain, and a user and project in that domain
keystone-v3-setup.sh script will perform these steps: https://gist.github.com/alistairncoles/ae9d5f92063b58afeb88#file-keystone-v3-setup-sh
NOTE: in following examples replace 'u132.localdomain' with your devstack hostname/IP address and replace 'ADMIN' with whatever password you entered for SERVICE_TOKEN when running stack.sh
Create a domain named d1 (note use of --os-url and --os-token to manage keystone)
$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN domain create d1
+---------+----------------------------------------------------------------------------------------+
| Field   | Value                                                                                  |
+---------+----------------------------------------------------------------------------------------+
| enabled | True                                                                                   |
| id      | b91b1a2be2784448a44f82ed1feafef8                                                       |
| links   | {u'self': u'http://u132.localdomain:5000/v3/domains/b91b1a2be2784448a44f82ed1feafef8'} |
| name    | d1                                                                                     |
+---------+----------------------------------------------------------------------------------------+
Create a project named p1 in domain d1
$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN project create p1 --domain d1
+-------------+-----------------------------------------------------------------------------------------+
| Field       | Value                                                                                   |
+-------------+-----------------------------------------------------------------------------------------+
| description |                                                                                         |
| domain_id   | b91b1a2be2784448a44f82ed1feafef8                                                        |
| enabled     | True                                                                                    |
| id          | 3a64e71a64a84c4796b93b109cd2b5ba                                                        |
| links       | {u'self': u'http://u132.localdomain:5000/v3/projects/3a64e71a64a84c4796b93b109cd2b5ba'} |
| name        | p1                                                                                      |
+-------------+-----------------------------------------------------------------------------------------+
Create a user named u1 in domain d1
$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN user create u1 --domain d1 --password testing
+-----------+--------------------------------------------------------------------------------------+
| Field     | Value                                                                                |
+-----------+--------------------------------------------------------------------------------------+
| domain_id | b91b1a2be2784448a44f82ed1feafef8                                                     |
| enabled   | True                                                                                 |
| id        | f227284da36849a39b29db3798d00979                                                     |
| links     | {u'self': u'http://u132.localdomain:5000/v3/users/f227284da36849a39b29db3798d00979'} |
| name      | u1                                                                                   |
+-----------+--------------------------------------------------------------------------------------+
Create a role named admin (note, use 'admin' role because devstack does not configure the role 'swiftoperator' in swift-proxy-server.conf)
$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN role create admin
+-------+--------------------------------------------------------------------------------------+
| Field | Value                                                                                |
+-------+--------------------------------------------------------------------------------------+
| id    | 587f0885f6174436bd1cd5b0862324b2                                                     |
| links | {u'self': u'http://u132.localdomain:5000/v3/roles/587f0885f6174436bd1cd5b0862324b2'} |
| name  | admin                                                                                |
+-------+--------------------------------------------------------------------------------------+
Assign user u1 the role admin on project p1
$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN role add --user u1 --project p1 admin
This may return an error because 'admin' role already exists - ignore:
ERROR: cliff.app Conflict occurred attempting to store role. (IntegrityError) (1062, "Duplicate entry 'admin' for key 'ixu_role_name'") 'INSERT INTO role (id, name, extra) VALUES (%s, %s, %s)' ('342b7b9103ff4c1284b1926c6e2bcc2c', 'admin', '{}') (HTTP 409)
Use swiftclient to create an account
Patch swiftclient from https://review.openstack.org/#/c/91788/ to get keystone v3 support.
stat the account (note -V 3 option and /v3 at end of auth url)
$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 stat
No handlers could be found for logger "keystoneclient.httpclient"
Account: AUTH_3a64e71a64a84c4796b93b109cd2b5ba
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
X-Timestamp: 1406021227.61343
X-Trans-Id: tx405d56d8da1a454492a58-0053ce2e6b
X-Put-Timestamp: 1406021227.61343
Create a container
$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 post c1
No handlers could be found for logger "keystoneclient.httpclient"
List the account containers using swiftclient
$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 list
No handlers could be found for logger "keystoneclient.httpclient"
c1
You can also list the account containers using openstackclient (note: now using --os-auth-url and user credentials)
$ openstack --os-auth-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing container list
WARNING: keystoneclient.httpclient Failed to retrieve management_url from token
+------+
| Name |
+------+
| c1   |
+------+