Hello everyone,
I'm trying to set up the radosgw with keystone integration and having a few problems, hopefully due to my noobism.
I'm using Ubuntu 13.04 with ceph-0.61.2-1raring and keystone-2013.1-0ubuntu1.
I followed the docs at http://ceph.com/docs/master/radosgw/config/ and managed to have a "working" setup.
Actually I have created a swift user and key using the internal authentication system and another user in keystone.
I've successfully tested the access for both users with slightly different syntax on the swift command line.
RGW User:
$ swift -V 1.0 -A http://rgw.dns/auth -U user:subuser -K theKey stat
Keystone User:
$ swift -V 2.0 -A http://keystone.dns:5000/v2.0 -U tenant:user -K thePassword stat
Now the problem I'm having is that if these two users create a bucket/container with the same name, the second user receives a permission error.
From my understanding this is due to the fact that the returned "X-Storage-Url" does not contain any part specific to the user, i.e. the url is always "http://rgw.dns/swift/v1".
When I check the API documentation, the storage url is normally given in the form of "http://rgw.dns/swift/v1/{USER_OR_TENANT_ID_OR_NAME}".
The only config options that look pertinent are "rgw swift url" and "rgw swift url prefix" but I don't see how to inject dynamic values (i.e. the tenant id).
Am I completely on the wrong track here?
My final goal would be to have a sort of namespace for each keystone tenant (or RGW user).
Tenant's users (RGW subusers) would be confined in that namespace and able to access each other's files based on ACLs.
Is this use case supported by the couple radosgw/keystone?
The second problem is that I'm not sure the keystone revocation process is functioning correctly, here's what the logs show:
2013-05-15 15:08:22.452380 7fa816bf9700 0 ERROR: signer 0 status = SigningCertNotTrusted
2013-05-15 15:08:22.452424 7fa816bf9700 0 ERROR: problem decoding
2013-05-15 15:08:22.452443 7fa816bf9700 0 ceph_decode_cms returned -22
2013-05-15 15:08:22.452463 7fa816bf9700 0 ERROR: keystone revocation processing returned error r=-22
I've imported keystone's CA and signing certificate, so not sure what's wrong here but looks like the certutil step is not correct or complete.
For reference I report here my config for the radosgw:
[client.radosgw.gateway]
host = ubu-keystone
keyring = /etc/ceph/keyring.radosgw.gateway
rgw socket path = /tmp/radosgw.sock
log file = /var/log/ceph/radosgw.log
debug rgw = 20
# Not using the 100-continue Apache
rgw print continue = false
rgw dns name = ubu-keystone
rgw keystone url = http://ubu-keystone:35357
rgw keystone admin token = ADMINTOKEN
rgw keystone accepted roles = Member, admin, swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 600
nss db path = /var/lib/ceph/nss
Thanks in advance,
Cheers,
Davide
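
An added example (not part of the original message, and not code from Ceph): a Python check that scans radosgw log text for failed keystone revocation runs and pairs each one with the signer status logged earlier by the same thread, so monitoring can report the certificate trust error instead of the bare r=-22. The function name, the regexes and the last sample line are constructed for illustration; the log line layout is assumed from the four lines quoted in the message.

```python
import re
from collections import defaultdict

# First four lines are copied from the message above; the last one is constructed.
SAMPLE_LOG = """\
2013-05-15 15:08:22.452380 7fa816bf9700 0 ERROR: signer 0 status = SigningCertNotTrusted
2013-05-15 15:08:22.452424 7fa816bf9700 0 ERROR: problem decoding
2013-05-15 15:08:22.452443 7fa816bf9700 0 ceph_decode_cms returned -22
2013-05-15 15:08:22.452463 7fa816bf9700 0 ERROR: keystone revocation processing returned error r=-22
2013-05-15 15:08:23.000000 7fa800000000 0 ERROR: problem decoding
"""

# Assumed layout: "<date> <time> <thread id> <level> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+(-?\d+) (.*)$")
SIGNER_RE = re.compile(r"signer (\d+) status = (\w+)")
REVOKE_RE = re.compile(r"keystone revocation processing returned error r=(-?\d+)")

def find_revocation_failures(text):
    """Return one dict per failed revocation run, with the signer status
    logged earlier by the same thread (None if no status was logged)."""
    pending = defaultdict(list)  # thread id -> signer statuses since last result
    failures = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not in the timestamp/thread/level form
        stamp, thread, _level, msg = m.groups()
        signer = SIGNER_RE.search(msg)
        if signer:
            pending[thread].append(signer.group(2))
            continue
        revoke = REVOKE_RE.search(msg)
        if revoke:
            statuses = pending.pop(thread, [])
            failures.append({
                "time": stamp,
                "thread": thread,
                "errno": int(revoke.group(1)),
                "signer_status": statuses[-1] if statuses else None,
            })
    return failures

if __name__ == "__main__":
    for failure in find_revocation_failures(SAMPLE_LOG):
        print(failure)
```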