2

I'm trying to use Bluemix Object Storage for storing some user content (images). It runs Openstack Swift.

According to the bluemix guide it supports Keystone V2 authentication in an unbound context or Keystone v3 in a bound context. Since my main app is not in the same Bluemix environment, I prefer to use unbound, but can also use bound via a dummy app.

According to some release notes for the Fog gem and the fog source code, both auth methods are supported. I'm using Fog 1.31.0.

Using the unbound method, I get the following credentials after creating the Bluemix service. All values are slightly changed for privacy reasons.

{
  "credentials": {
    "auth_url": "https://identity.open.softlayer.com",
    "project": "object_storage_af31119c",
    "projectId": "82e592b46bb84232370f9657fec2b576",
    "region": "dallas",
    "userId": "02faa40ff3f342faaafdty1a75bd901a",
    "username": "user_28uigjab0a2ef799eb5280c786a2ff503c978aaf",
    "password": "V3i~]oYU8/UMNvVm",
    "domainId": "3f160e53e6114a748a34724005a458ea",
    "domainName": "779543"
  }
}

The fog openstack docs contain this configuration example:

  service = Fog::Storage.new({
  :provider            => 'OpenStack',   # OpenStack Fog provider
  :openstack_username  => USERNAME,      # Your OpenStack Username
  :openstack_api_key   => PASSWORD,      # Your OpenStack Password
  :openstack_auth_url  => 'http://YOUR_OPENSTACK_ENDPOINT:PORT/v2.0/tokens'
})

I filled my credentials and used https://identity.open.softlayer.com/v2.0/tokens as the auth_url. This is the error I get:

Uncaught exception: Expected([200, 204]) <=> Actual(401 Unauthorized)
excon.error.response
:body => "{\"error\": {\"message\": \"The request you have made requires 
authentication.\", \"code\": 401, \"title\": \"Unauthorized \"}}"

:headers => {
"Content-Length" => "114"
"Content-Type"   => "application/json"
"Date"           => "Fri, 06 Nov 2015 15:08:55 GMT"
"Server"         => "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5"
"Vary"           => "X-Auth-Token"
"WWW-Authenticate"       => "Keystone uri=\"https://identity.open.softlayer.com\""
"x-openstack-request-id" => "req-2f68188e-2a9e-45ad-ae18-289ac88b78ae" }
:local_address => "10.0.2.15"
:local_port    => 59407
:reason_phrase => "Unauthorized"
:remote_ip     => "198.23.119.11"
:status        => 401
:status_line   => "HTTP/1.1 401 Unauthorized\r\n"

/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/excon-0.45.3/lib/excon/middlewares/expects.rb:10:in `response_call'
/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/excon-0.45.3/lib/excon/middlewares/response_parser.rb:8:in `response_call'
/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/excon-0.45.3/lib/excon/connection.rb:372:in `response'
/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/excon-0.45.3/lib/excon/connection.rb:236:in `request'
/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/fog-core-1.31.1/lib/fog/core/connection.rb:81:in `request'
/home/startupdeltadev/.rbenv/versions/1.9.3-p551/lib/ruby/gems/1.9.1/gems/fog-1.31.0/lib/fog/openstack/core.rb:331:in `retrieve_tokens_v2'

Apparently, my credentials are not sent correctly. Any hints?

Community
  • 1
  • 1
Nino van Hooff
  • 3,677
  • 1
  • 36
  • 52

2 Answers2

0

Your Openstack user belongs to the '779543' domain. The Identity (Keystone) v3 API supports domains. I can't find any good examples on how to use Keystone v3 with Fog.

cmull
  • 11
  • 2
0

According the documentation Bluemix OpenStack Swift

OpenStack Identity (Keystone) v2

The v2 token request is a POST request to https://identity.open.softlayer.com/v2.0/tokens as shown in the following curl command:

curl -i \
-H "Content-Type: application/json" \
-d '
{
    "auth": {
      "tenantId": "0f47b41b06d047f9aae3b33f1db061ed",
      "passwordCredentials": {
        "userId": "ad78b2a3f843466988afd077731c61fc",
        "password": "K/jyIi2jR=1?D.TP "
    }
}
}' \
https://identity.open.softlayer.com/v2.0/tokens ; echo

Note: This request method is not documented on the OpenStack Identity v2 website. You cannot use tenantName and username.

Fog::OpenStack (and many other libraries) uses username instead of userId

You should use OpenStack Identity (Keystone) v3 in this way:

storage = Fog::OpenStack.new({
  :provider                 => 'OpenStack',
  :openstack_auth_url       => credentials['auth_url'],
  :openstack_api_key        => credentials['password'],
  :openstack_project_id     => credentials['projectId'],        
  :openstack_username       => credentials['username'],
  :openstack_domain_name    => credentials['domainName'],#required if you use :openstack_username (otherwise set :openstack_userid)
  :openstack_region         => credentials['region']
})
Santi Bivacqua
  • 101
  • 1
  • 3