Unable to authenticate with IBM Bluemix Swift

mpcarl · October 27, 2017, 1:21pm

I am having issues getting rclone working with IBM Bluemix Swift. I have tried various combinations of configurations, but with no luck. I always get this message.

$: rclone lsd “SwiftBlueMix:” -vv
2017/10/27 08:13:50 DEBUG : Using config file from “/Users/mpcarl/.config/rclone/rclone.conf”
2017/10/27 08:13:50 DEBUG : rclone: Version “v1.38” starting with parameters [“rclone” “lsd” “SwiftBlueMix:” “-vv”]
2017/10/27 08:13:55 Failed to create file system for “SwiftBlueMix:”: Authorization Failed

The config is:

[SwiftBlueMix]
type = swift
user = [userId from credentials]
key = [password from credentials]
auth = https://identity.open.softlayer.com/v3
domain =
tenant = [projectId from credentails]
tenant_domain =
region = dallas
storage_url =
auth_version = 3

Using these values with the swift command line tool works correctly.

export OS_USER_ID= [userId from credentials]
export OS_PASSWORD= [password from credentials]
export OS_TENANT_ID=[projectId from credentails]
export OS_AUTH_URL=‘https://identity.open.softlayer.com/v3’
export OS_REGION_NAME=‘dallas’
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3

$: swift list
DefaultProjectmpcarlusibmcom
fruit
usercontainer

Ideas?

ncw · October 27, 2017, 4:03pm

Note that user in the config file is not OS_USER_ID it is OS_USERNAME

Try using the config from environment vars by setting your config up like this

[swift]
type = swift
env_auth = true

And see if that works.

I think the problem is that rclone doesn’t let the user set USER_ID at the moment, only USER_NAME.

If that works, then I can add a field for user id setting - or you could send a pull request?

If you do get it working I’d also appreciate a section in the swift docs.

mpcarl · October 27, 2017, 7:08pm

Still no luck.

Using this config

[SwiftEnv]
type = swift
env_auth = true

With these env variables

export OS_PASSWORD='...'
export OS_TENANT_ID='....'
export OS_AUTH_URL='https://identity.open.softlayer.com/v3'
export OS_REGION_NAME='dallas'
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME='admin_...'

$: rclone lsd “SwiftEnv:”
2017/10/27 14:01:58 Failed to create file system for “SwiftEnv:”: Bad Request

I also tried with
export OS_USER_ID=’…’

ncw · October 28, 2017, 7:36pm

You want to set OS_USER_ID or OS_USERNAME not both.

Can you try using the exact same variables that worked with the openstack swift tool?

mpcarl · October 30, 2017, 12:58am

With the Swift CLI tool I set OS_USER_ID. Using swift and rclone in the same shell gives:

[mpcarl] $: swift list
DefaultProjectmpcarlusibmcom
fruit
usercontainer
[mpcarl] $: rclone lsd "SwiftEnv:"
2017/10/29 19:56:57 Failed to create file system for "SwiftEnv:": user not found

mpcarl · October 30, 2017, 1:28pm

I believe this is the auth request that is being sent by the Swift CLI.

POST $OS_AUTH_URL/auth/tokens HTTP/1.1


{
  "auth": {
    "identity": {
      "methods": [
        "password"
      ], 
      "password": {
        "user": {
          "id": "$OS_USER_ID", 
          "password": "$OS_PASSWORD"
        }
      }
    }, 
    "scope": {
      "project": {
        "id": "$OS_TENANT_ID"
      }
    }
  }
}

ncw · October 31, 2017, 9:13am

If you use -vv --dump-bodies with rclone then you can see what rclone sends and compare the two. So set your env vars above and try rclone -vv --dump-bodies lsd "SwiftEnv:". I’d love to see what this says (but remove all your usernames and passwords!).

mpcarl · October 31, 2017, 1:30pm

Looks like it immediately dumps the user not found error:

$: rclone lsd “SwiftEnv:” -vv --dump-bodies
2017/10/31 08:06:24 DEBUG : Using config file from “/Users/mpcarl/.config/rclone/rclone.conf”
2017/10/31 08:06:24 DEBUG : rclone: Version “v1.38” starting with parameters [“rclone” “lsd” “SwiftEnv:” “-vv” “–dump-bodies”]
2017/10/31 08:06:24 Failed to create file system for “SwiftEnv:”: user not found

If I instead use $OS_USERNAME, the request goes out and it looks to be the correct format. So it looks like the problem is that it won’t try with OS_USER_ID.

{
  "auth": {
    "identity": {
      "methods": [
        "password"
      ], 
      "password": {
        "user": {
          "name": "$OS_USERNAME", 
          "password": "$OS_PASSWORD"
        }
      }
    }, 
    "scope": {
      "project": {
        "id": "$OS_TENANT_ID"
      }
    }
  }
}

This is the rest of the dump response:

2017/10/31 08:07:35 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2017/10/31 08:07:35 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2017/10/31 08:07:35 DEBUG : HTTP RESPONSE (req 0xc420100000)
2017/10/31 08:07:35 DEBUG : HTTP/1.1 400 Bad Request
Content-Length: 233
Cache-Control: no-cache, no-store, must-revalidate
Cneonction: close
Content-Security-Policy: default-src 'self'
Content-Type: application/json
Date: Tue, 31 Oct 2017 13:07:33 GMT
Expires: 0
Pragma: no-cache
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Strict-Transport-Security: max-age=31536000
Vary: X-Auth-Token
X-Content-Type-Options: nosniff
X-Openstack-Request-Id: req-2659dac7-21ce-4610-9c39-c7548ae080a2
X-Xss-Protection: 0

{"error": {"message": "Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
2017/10/31 08:07:35 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2017/10/31 08:07:35 Failed to create file system for "SwiftEnv:": Bad Request

ncw · October 31, 2017, 2:25pm

Sorry, I should have noticed it gave a different error.

This https://beta.rclone.org/v1.38-050-g4a1013f2/ (uploaded in 15-30 mins) should fix it hopefully!

That produced this error

Expecting to find domain in user - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.

Which kind of suggests that if you were to supply the domain too it would work. Maybe!

mpcarl · October 31, 2017, 4:44pm

That seemed to do the trick.

[mpcarl] $: swift list
DefaultProjectmpcarlusibmcom
fruit
usercontainer

[mpcarl] $: rclone lsd "SwiftEnv:"
2017/10/31 11:41:56 Failed to create file system for "SwiftEnv:": user not found

[mpcarl] $: ~/Downloads/rclone-v1.38-050-g4a1013f2β-osx-amd64/rclone lsd "SwiftEnv:"
           0 2017-10-31 11:42:24         0 DefaultProjectmpcarlusibmcom
           7 2017-10-31 11:42:24         4 fruit
     3621084 2017-10-31 11:42:24         4 usercontainer

I tried with different combinations of OS_DOMAIN, OS_DOMAIN_NAME, OS_DOMAIN_ID, etc. but never got that working. At any rate, this seems to work with with the same parameters as the Swift CLI.

Thanks a lot for the support!

ncw · November 1, 2017, 9:07am

Hooray!

I’d quite like to get a section on how to configure Bluemix into the docs.

If I add a “user_id” parameter to the swift config would you be willing to try to make a working config from it? That should be enough to make the config work without setting environment variables.

mpcarl · November 1, 2017, 2:07pm

Absolutely! IBM Bluemix has four ObjectStorage options. With this fix, I’ll have three of them working. I have not tried the fourth option but will be getting to it shortly.

ncw · November 1, 2017, 9:29pm

In https://beta.rclone.org/v1.38-051-gcacae8d1/ (uploaded in 15-30 mins) I’ve added a user_id parameter to the swift config.

Can you have a go with that please and see if that is enough to make it work?

mpcarl · November 1, 2017, 10:27pm

That worked

$: ~/Downloads/rclone-v1.38-051-gcacae8d1β-osx-amd64/rclone lsd “SwiftBlueMix:”
0 2017-11-01 17:27:33 0 DefaultProjectmpcarlusibmcom
7 2017-11-01 17:27:33 4 fruit
3621084 2017-11-01 17:27:33 4 usercontainer

Using these config settings:

[SwiftBlueMix]
type = swift
user_id = $OS_USER_ID
key =$OS_PASSWORD
auth = https://identity.open.softlayer.com/v3
domain =
tenant_id = $OS_TENANT_ID
tenant_domain =
region = dallas
storage_url =
auth_version = 3

With the only trick being $OS_TENANT_ID is called “projectId” in the settings shown on the bluemix configuration details page.

ncw · November 2, 2017, 7:39am

That is slightly puzzling - there isn’t a tenant_id setting in rclone as yet?

mpcarl · November 2, 2017, 1:27pm

Perhaps it was picking it up from the ENV variable I had set based on it existing int he config? I was running in the same shell, so that might have confused things.

In a fresh shell, with tenant_id set in the rclone.conf file and no OS_ ENV values defined I don’t see it being passed in the request.

{
“auth”: {
“identity”: {
“methods”: [
“password”
],
“password”: {
“user”: {
“id”: “$OS_USER_ID”,
“password”: “$OS_PASSWORD”
}
}
}
}
}

However, it still works. I don’t know if that means the project_id is optional or if I am just getting lucky because I only have one space defined in Bluemix.

ncw · November 2, 2017, 3:12pm

I added tenant_id to the config here too - can you give that a go?

https://beta.rclone.org/v1.38-052-gf60e2a7a/ (uploaded in 15-30 mins)

I guess if you only have one project it isn’t needed. Most openstack providers would need it though.

mpcarl · November 2, 2017, 3:32pm

Yes, that worked and I see the project id (tenant_id) being sent in the initial request

..."scope":{"project":{"id":"5a..."}}}}

ncw · November 2, 2017, 3:44pm

Thanks for testing!

Would you like to send a pull request to update the docs? docs/content/swift.md?

mpcarl · November 2, 2017, 4:25pm

You are welcome and thank you for the fix.

Yes, I’ll have a look at the docs.