ovh / svfs

The Swift Virtual File System

Authentication with a multi-domain Keystone/Identity API v3 installation #111

Open timss opened 7 years ago

timss commented 7 years ago

Hi, and thanks for creating SVFS :)

Context

Steps to reproduce this issue :

  1. Install Swift with Keystone as the authentication service, configured to use identity API v3 and multiple domains (for instance one with default SQL driver, and one with LDAP). Set up project/user/container in one of the domains.
  2. Install SVFS on Linux.
  3. Try to mount project/container using mount command.

Results you expected :

Containers in project, or if specified, a container, is to be mounted at mountpoint (see debug).

Results you observed :

Mount failed due to problems authenticating with Keystone, which expects a domain to be specified using v3 API.

Debug log :

SVFS debug:

$ mount -t svfs -o\
    debug,auth_url="https://domain.com:5000/v3",version="3",\
    region="",username="",password="",tenant=""\
    <device> /mountpoint
DEBU[2016-12-09T09:37:43Z] Skipping configuration : open : no such file or directory   source=svfs
FATA[2016-12-09T09:37:44Z] Bad Request

Keystone log: (removed some verbose datetime/req output)

INFO keystone.common.wsgi [req-[..]] POST https://domain.com:5000/v3/auth/tokens
WARNING keystone.common.wsgi [req-[..]] Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.

Additional information :

It seems that SVFS supports identity v3, but I can't find a way to specify domain(s).

I have no experience with Go, but digging a bit into the code it seems that xlucas/swift (and its upstream project) is the library used for Swift authentication. This library does seem to support v3 and with domains (see code), but is this implemented (as an option) in SVFS?

In a multidomain setup, you'd typically have to define both the domain of the user ($OS_USER_DOMAIN_NAME) and the domain of the project ($OS_PROJECT_DOMAIN_NAME) for Keystone to know which domain (and driver) to use. For instance:

$ swift list\
    --os-region-name RegionOne\
    --os-user-domain-name default\
    --os-username user\
    --os-password pw\
    --os-project-domain-name default\
    --os-project-name project\
    --os-auth-url "https://domain.com:5000/v3"\
    --os-identity-api-version 3

Would it be possible to do or add this to SVFS?
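
The Identity v3 password request body that the `swift list` flags above correspond to, as an added Go example that is not part of the original issue, of SVFS, or of its Swift library. `V3Opts`, `BuildV3Auth` and the two error values are hypothetical names, and the sample values are the placeholders from the command above. It refuses locally the two cases Keystone rejects: a user or a project given by name without a domain.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// V3Opts is a hypothetical option set mirroring the swift CLI flags above.
type V3Opts struct {
	Username, Password, UserDomain string // --os-username, --os-password, --os-user-domain-name
	Project, ProjectDomain         string // --os-project-name, --os-project-domain-name
}

var (
	ErrNoUserDomain    = errors.New("user given by name needs a user domain")
	ErrNoProjectDomain = errors.New("project given by name needs a project domain")
)

type obj map[string]interface{}

// BuildV3Auth returns the JSON body for POST <auth_url>/auth/tokens.
// Names are only unique within a domain, so each name carries its domain.
func BuildV3Auth(o V3Opts) ([]byte, error) {
	if o.UserDomain == "" {
		return nil, ErrNoUserDomain // Keystone: "Expecting to find domain in user"
	}
	user := obj{"name": o.Username, "password": o.Password,
		"domain": obj{"name": o.UserDomain}}
	auth := obj{"identity": obj{
		"methods":  []string{"password"},
		"password": obj{"user": user},
	}}
	if o.Project != "" { // a project-scoped token is requested
		if o.ProjectDomain == "" {
			return nil, ErrNoProjectDomain
		}
		auth["scope"] = obj{"project": obj{
			"name": o.Project, "domain": obj{"name": o.ProjectDomain}}}
	}
	return json.Marshal(obj{"auth": auth})
}

func main() {
	// Constructed sample values, taken from the swift list command above.
	body, err := BuildV3Auth(V3Opts{"user", "pw", "default", "project", "default"})
	fmt.Println(string(body), err)
}
```
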

xlucas commented 7 years ago

Hello !

This is not yet available in SVFS but should be relatively easy to implement since as you noted the upstream library has support for this.

I'll give it a shot soon.

timss commented 7 years ago

Great, thanks!

benoit74 commented 5 years ago

Is this issue still open ? I have the same behavior on the client side. Can't check what's going on in the keystone, I do not have access but it is a V3 as well. I can access through swift client but mounting with svfs fails.