事象内容

swift stat コマンドを実行すると、以下エラーとなる。

ClientException: Account HEAD failed: http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 403 Forbidden
Account HEAD failed: http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 403 Forbidden
Failed Transaction ID: txa9703ae560154a2789c61-005bdcfe30

[root@controller ~]# swift --debug stat
DEBUG:keystoneclient.auth.identity.v3.base:Making authentication request to http://controller:5000/v3/auth/tokens
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:http://controller:5000 "POST /v3/auth/tokens HTTP/1.1" 201 5238
DEBUG:keystoneclient.auth.identity.v3.base:{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "a766452813974f97b5ccd5cb306cdb55", "name": "myrole"}], "expires_at": "2018-11-03T02:47:28.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "b9644b0689c4469baa45f9acb009d860", "name": "myproject"}, "catalog": [{"endpoints": [{"url": "http://controller:9696", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5e06a671d5f44e748bcbd3121107c437"}, {"url": "http://controller:9696", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "728d12d8811942fdb2574220530dcc93"}, {"url": "http://controller:9696", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "b37dacf0dbcd4dc08f793cd0535960dc"}], "type": "network", "id": "0cfc31a3b8264d0296e41a9b28d3adc6", "name": "neutron"}, {"endpoints": [{"url": "http://controller:8776/v3/b9644b0689c4469baa45f9acb009d860", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "329faafbda0f4cd8903d0b360f322369"}, {"url": "http://controller:8776/v3/b9644b0689c4469baa45f9acb009d860", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "b2e7550e6c0c4f6cad596fa7b23b2d5a"}, {"url": "http://controller:8776/v3/b9644b0689c4469baa45f9acb009d860", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "ea21d5e87da6465dac0fc479f322438e"}], "type": "volumev3", "id": "18a9916d04b64863a7ceaba3dab705ca", "name": "cinderv3"}, {"endpoints": [{"url": "http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "7355c08aabb540adb799bd94ecafdb36"}, {"url": "http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "9a74f8cf2c2f4cfa8ea83222ec853801"}, {"url": "http://controller:8080/v1", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "eeaed3a1eb5b498ab0b3e75657290bbf"}], "type": "object-store", "id": "628ecad16c7745daacee1638998cd5b3", "name": "swift"}, {"endpoints": [{"url": "http://controller:8778", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "6a3fe5fa18c745b593b7012780815a3d"}, {"url": "http://controller:8778", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "7eb7321ac1d9489aaf2ed938d0c82d24"}, {"url": "http://controller:8778", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "f6c3f2d816c94e91bf4b330b6496abf9"}], "type": "placement", "id": "6455d40885b54fa5a61c77fc609e7dd3", "name": "placement"}, {"endpoints": [{"url": "http://controller:8776/v2/b9644b0689c4469baa45f9acb009d860", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "74963247070b4644b775ad27d9a125d4"}, {"url": "http://controller:8776/v2/b9644b0689c4469baa45f9acb009d860", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "a372650899e04336bed6829254b27076"}, {"url": "http://controller:8776/v2/b9644b0689c4469baa45f9acb009d860", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "ad3bad396c5d4bfe9160d2b8e5db98b5"}], "type": "volumev2", "id": "916ede5c51c444f5aa00aae825c4e222", "name": "cinderv2"}, {"endpoints": [{"url": "http://controller:9292", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "27a4f6bc3c554e1899cdc70a47910f19"}, {"url": "http://controller:9292", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "6384b136508145978072e2e660a9cf0b"}, {"url": "http://controller:9292", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "e0f6af2b29b64a4b8bffaf26f81af9f0"}], "type": "image", "id": "d2f2daec67bb46c29db876e1c1f19d47", "name": "glance"}, {"endpoints": [{"url": "http://controller:8774/v2.1", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "0c052f0e1ce240669e4cec053a4222d5"}, {"url": "http://controller:8774/v2.1", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "7578099b350b483da4266cfa45588fe8"}, {"url": "http://controller:8774/v2.1", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "af0b62545a0446628452acc1b9806c83"}], "type": "compute", "id": "db009971d19a4e069af2eaf7ff825104", "name": "nova"}, {"endpoints": [{"url": "http://controller:5000/v3/", "interface": "internal", "region": "RegionOne", "region_id": "RegionOne", "id": "20faffafd8a84b4b81a6373594f5e51a"}, {"url": "http://controller:5000/v3/", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "487420da877148ab9d652249be6d05e8"}, {"url": "http://controller:5000/v3/", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "8ae3c225b3e8418b85a22c04bc40e984"}], "type": "identity", "id": "e3cb952cfe5c4a15984ea5534dc40058", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "myuser", "id": "64b377d70bc4457faa169912b02a24d1"}, "audit_ids": ["udk1p1v_TLe7NIn1zp1yeQ"], "issued_at": "2018-11-03T01:47:28.000000Z"}}
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:http://controller:8080 "HEAD /v1/AUTH_b9644b0689c4469baa45f9acb009d860 HTTP/1.1" 403 0
INFO:swiftclient:REQ: curl -i http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 -I -H "X-Auth-Token: gAAAAABb3P4wY83Y3ECYj0YaEask1kEQs8Y2Di0MNpHGYdAkOlkCSjD5H9AcTjWDx8lC0iKb5NyN_2jt4o1mqpqpnMYMXTZSpsQS5v8fnk7CwIuxUlacE6MYPQIw9PCtrQAI-dlV4eP1I4CJ3uasLlH3vygGm1SVMU7MvvVC09nl1CzPW12-QZ4"
INFO:swiftclient:RESP STATUS: 403 Forbidden
INFO:swiftclient:RESP HEADERS: {u'Date': u'Sat, 03 Nov 2018 01:47:28 GMT', u'Content-Length': u'0', u'Content-Type': u'text/html; charset=UTF-8', u'X-Openstack-Request-Id': u'txa9703ae560154a2789c61-005bdcfe30', u'X-Trans-Id': u'txa9703ae560154a2789c61-005bdcfe30'}
ERROR:swiftclient.service:Account HEAD failed: http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 403 Forbidden
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/swiftclient/service.py", line 516, in stat
    items, headers = get_future_result(stats_future)
  File "/usr/lib/python2.7/site-packages/swiftclient/service.py", line 231, in get_future_result
    res = f.result(timeout=timeout)
  File "/usr/lib/python2.7/site-packages/concurrent/futures/_base.py", line 429, in result
    return self.__get_result()
  File "/usr/lib/python2.7/site-packages/concurrent/futures/thread.py", line 62, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/swiftclient/multithreading.py", line 187, in conn_fn
    return fn(*conn_args, **kwargs)
  File "/usr/lib/python2.7/site-packages/swiftclient/command_helpers.py", line 24, in stat_account
    headers = conn.head_account(headers=req_headers)
  File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 1767, in head_account
    return self._retry(None, head_account, headers=headers)
  File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 1722, in _retry
    service_token=self.service_token, **kwargs)
  File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 842, in head_account
    raise ClientException.from_response(resp, 'Account HEAD failed', body)
ClientException: Account HEAD failed: http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 403 Forbidden
Account HEAD failed: http://controller:8080/v1/AUTH_b9644b0689c4469baa45f9acb009d860 403 Forbidden
Failed Transaction ID: txa9703ae560154a2789c61-005bdcfe30
[root@controller ~]#

解決方法

Swift プロキシーサービスの設定ファイル( /etc/swift/proxy-server.conf )の [filter:keystoneauth] セクションでの設定している Swift オペレーターのロールにコマンドを実行するユーザーのロールが設定されていないことが原因である。operator_roles に必要となるロールを設定する。

[root@controller ~]# vi /etc/swift/proxy-server.conf
[filter:keystoneauth]
# ...
operator_roles = admin,user
↓
必要となるロールに変更
operator_roles = admin,myrole