Authentication with a multi-domain Keystone/Identity API v3 installation

Open timss opened this issue 8 years ago • 3 comments

Hi, and thanks for creating SVFS :)

Context

  • svfs version : 0.9.0
  • storage provider : Private
  • product : OpenStack Swift/Keystone Mitaka

Steps to reproduce this issue :

  1. Install Swift with Keystone as the authentication service, configured to use identity API v3 and multiple domains (for instance one with default SQL driver, and one with LDAP). Set up project/user/container in one of the domains.
  2. Install SVFS on Linux.
  3. Try to mount project/container using mount command.

Results you expected :

Containers in project, or if specified, a container, are to be mounted at mountpoint (see debug).

Results you observed :

Mount failed due to problems authenticating with Keystone, which expects a domain to be specified using v3 API.

Debug log :

SVFS debug:

$ mount -t svfs -o\
    debug,auth_url="https://domain.com:5000/v3",version="3",\
    region="",username="",password="",tenant=""\
    <device> /mountpoint
DEBU[2016-12-09T09:37:43Z] Skipping configuration : open : no such file or directory   source=svfs
FATA[2016-12-09T09:37:44Z] Bad Request

Keystone log: (removed some verbose datetime/req output)

INFO keystone.common.wsgi [req-[..]] POST https://domain.com:5000/v3/auth/tokens
WARNING keystone.common.wsgi [req-[..]] Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.

Additional information :

It seems that SVFS supports identity v3, but I can't find a way to specify domain(s).

I have no experience with Go, but digging a bit into the code it seems that xlucas/swift (and its upstream project) is the library used for Swift authentication. This library does seem to support v3 and with domains (see code), but is this implemented (as an option) in SVFS?

In a multidomain setup, you'd typically have to define both the domain of the user ($OS_USER_DOMAIN_NAME) and the domain of the project ($OS_PROJECT_DOMAIN_NAME) for Keystone to know which domain (and driver) to use. For instance:

$ swift list\
    --os-region-name RegionOne\
    --os-user-domain-name default\
    --os-username user\
    --os-password pw\
    --os-project-domain-name default\
    --os-project-name project\
    --os-auth-url "https://domain.com:5000/v3"\
    --os-identity-api-version 3

Would it be possible to do or add this to SVFS?

timss avatar Dec 09 '16 11:12 timss
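
Added illustration (not part of the original issue, and not SVFS or xlucas/swift code): a standard-library Go example that builds the Keystone v3 password-auth body for `POST /v3/auth/tokens`, showing where the user domain and project domain from the `swift` command above go and why a name without a domain is refused. The `Credentials` type and `BuildAuthRequest` function are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Credentials mirrors the OS_* values from the issue (hypothetical type, not an SVFS struct).
type Credentials struct {
	Username, Password, UserDomain string // OS_USERNAME, OS_PASSWORD, OS_USER_DOMAIN_NAME
	Project, ProjectDomain         string // OS_PROJECT_NAME, OS_PROJECT_DOMAIN_NAME
}

type m map[string]interface{}

// BuildAuthRequest returns the JSON body for POST /v3/auth/tokens.
// User and project names are only unique within a domain, so a name without
// its domain is rejected here instead of being sent and refused by Keystone.
func BuildAuthRequest(c Credentials) ([]byte, error) {
	if c.Username == "" || c.Password == "" {
		return nil, errors.New("username and password are required")
	}
	if c.UserDomain == "" {
		return nil, errors.New("user domain is required when the user is given by name")
	}
	user := m{"name": c.Username, "password": c.Password, "domain": m{"name": c.UserDomain}}
	auth := m{"identity": m{"methods": []string{"password"}, "password": m{"user": user}}}
	if c.Project != "" {
		if c.ProjectDomain == "" {
			return nil, errors.New("project domain is required when the project is given by name")
		}
		auth["scope"] = m{"project": m{"name": c.Project, "domain": m{"name": c.ProjectDomain}}}
	}
	return json.Marshal(m{"auth": auth})
}

func main() {
	// Constructed sample values matching the swift CLI call in the issue.
	body, err := BuildAuthRequest(Credentials{Username: "user", Password: "pw",
		UserDomain: "default", Project: "project", ProjectDomain: "default"})
	fmt.Println(string(body), err)
	// Same credentials with no user domain, as in the failing svfs mount.
	_, err = BuildAuthRequest(Credentials{Username: "user", Password: "pw", Project: "project"})
	fmt.Println(err)
}
```
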

Hello !

This is not yet available in SVFS but should be relatively easy to implement since as you noted the upstream library has support for this.

I'll give it a shot soon.

xlucas avatar Dec 19 '16 22:12 xlucas

Great, thanks!

timss avatar Dec 19 '16 23:12 timss

Is this issue still open ? I have the same behavior on the client side. Can't check what's going on in the keystone, I do not have access but it is a V3 as well. I can access through swift client but mounting with svfs fails.

benoit74 avatar Jul 05 '19 05:07 benoit74