On Wed, May 15, 2013 at 6:45 AM, Davide Fanciola <dfanciola@xxxxxxxxx> wrote:
> Hello everyone,
>
> I'm trying to set up the radosgw with keystone integration and having a few
> problems, hopefully due to my noobism.
> I'm using Ubuntu 13.04 with ceph-0.61.2-1raring and
> keystone-2013.1-0ubuntu1.
>
> I followed the docs at http://ceph.com/docs/master/radosgw/config/ and
> managed to have a "working" setup.
> Actually I have created a swift user and key using the internal
> authentication system and another user in keystone.
> I've successfully tested the access for both users with slightly different
> syntax on the swift command line.
>
> RGW User:
> $ swift -V 1.0 -A http://rgw.dns/auth -U user:subuser -K theKey stat
>
> Keystone User:
> $ swift -V 2.0 -A http://keystone.dns:5000/v2.0 -U tenant:user -K thePassword stat
>
> Now the problem I'm having is that if these two users create a
> bucket/container with the same name, the second user receives a permission
> error.
>
> From my understanding this is due to the fact that the returned
> "X-Storage-Url" does not contain any part specific to the user, i.e. the URL is
> always "http://rgw.dns/swift/v1".
> When I check the API documentation, the storage URL is normally given in the
> form of "http://rgw.dns/swift/v1/{USER_OR_TENANT_ID_OR_NAME}".
> The only config options that look pertinent are "rgw swift url" and
> "rgw swift url prefix", but I don't see how to inject dynamic values (i.e.
> the tenant id).
> Am I completely on the wrong track here?

Yeah, that's unrelated. It's used by the gateway to identify whether it's
swift or not, and to generate the storage-url by the rgw swift-auth.

>
> My final goal would be to have a sort of namespace for each keystone tenant
> (or RGW user).
> Tenant's users (RGW subusers) would be confined in that namespace and able
> to access each other's files based on ACLs.
> Is this use case supported by the radosgw/keystone pair?

Not currently. At the moment all rgw users share a single namespace. The
rgw user <-> tenant mapping is more like the way S3 handles it. I just
created issue #5073 to allow that.

>
> The second problem is that I'm not sure the keystone revocation process is
> functioning correctly; here's what the logs show:
>
> 2013-05-15 15:08:22.452380 7fa816bf9700 0 ERROR: signer 0 status = SigningCertNotTrusted
> 2013-05-15 15:08:22.452424 7fa816bf9700 0 ERROR: problem decoding
> 2013-05-15 15:08:22.452443 7fa816bf9700 0 ceph_decode_cms returned -22
> 2013-05-15 15:08:22.452463 7fa816bf9700 0 ERROR: keystone revocation processing returned error r=-22
>
> I've imported keystone's CA and signing certificate, so I'm not sure what's
> wrong here, but it looks like the certutil step is not correct or complete.
>

It's hard to really identify what the problem is. It might be that you've
converted the wrong openssl certificate.

Yehuda

>
> For reference I report here my config for the radosgw:
>
> [client.radosgw.gateway]
> host = ubu-keystone
> keyring = /etc/ceph/keyring.radosgw.gateway
> rgw socket path = /tmp/radosgw.sock
> log file = /var/log/ceph/radosgw.log
> debug rgw = 20
> # Not using the 100-continue Apache
> rgw print continue = false
> rgw dns name = ubu-keystone
> rgw keystone url = http://ubu-keystone:35357
> rgw keystone admin token = ADMINTOKEN
> rgw keystone accepted roles = Member, admin, swiftoperator
> rgw keystone token cache size = 500
> rgw keystone revocation interval = 600
> nss db path = /var/lib/ceph/nss
>
>
> Thanks in advance,
> Cheers,
> Davide
>

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
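As an added example (not code from this thread, from Ceph, or from Yehuda), here is a small Python scanner for radosgw log lines of the shape quoted above. It picks out the keystone revocation failures Davide posted, extracts the return code, and reports the most likely cause. The line format and the error fragments come from the log excerpt in the thread; the function names, the finding kinds, and the line marked `constructed:` in the sample are my own assumptions.

```python
import re
from collections import Counter

# Line shape of the radosgw log excerpt in the thread:
#   "<YYYY-MM-DD> <HH:MM:SS.ffffff> <thread-id> <level> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<thread>[0-9a-f]+)\s+(?P<level>-?\d+)\s+(?P<msg>.*)$"
)

# Message fragments that mark a failed keystone revocation pass (taken from
# the log lines in the thread). The first matching fragment wins, so the
# most specific ones come first. The kind names are my own labels.
REVOCATION_SIGNATURES = [
    ("revocation_failed", "keystone revocation processing returned error"),
    ("signer_untrusted", "SigningCertNotTrusted"),
    ("cms_decode_failed", "ceph_decode_cms returned"),
    ("decode_problem", "problem decoding"),
]

# "r=-22" style return code appended to some error messages.
RETCODE_RE = re.compile(r"\br=(-?\d+)\b")


def parse_line(line):
    """Split one radosgw log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map a log message to a revocation-failure kind, or None if unrelated."""
    for kind, needle in REVOCATION_SIGNATURES:
        if needle in msg:
            return kind
    return None


def scan(lines):
    """Walk log lines; return (list of findings, per-kind counts)."""
    findings, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["msg"])
        if kind is None:
            continue
        rc = RETCODE_RE.search(rec["msg"])
        findings.append({
            "ts": rec["ts"],
            "kind": kind,
            "rc": int(rc.group(1)) if rc else None,
            "msg": rec["msg"],
        })
        counts[kind] += 1
    return findings, counts


def revocation_broken(findings):
    """True when at least one full revocation pass reported an error."""
    return any(f["kind"] == "revocation_failed" for f in findings)


def root_cause_hint(counts):
    """Short human-readable diagnosis derived from which fragments were seen."""
    if counts["signer_untrusted"]:
        return ("signer not trusted: the NSS db does not trust the keystone "
                "signing certificate (re-check the CA / signing cert import)")
    if counts["cms_decode_failed"] or counts["decode_problem"]:
        return "CMS payload could not be decoded"
    if counts["revocation_failed"]:
        return "revocation pass failed for an unlisted reason"
    return "no revocation errors seen"


# Sample input: the four lines quoted in the thread, plus one constructed
# unrelated debug line to show that ordinary output is ignored.
SAMPLE_LOG = [
    "2013-05-15 15:08:21.100000 7fa816bf9700 20 constructed: unrelated debug message",
    "2013-05-15 15:08:22.452380 7fa816bf9700 0 ERROR: signer 0 status = SigningCertNotTrusted",
    "2013-05-15 15:08:22.452424 7fa816bf9700 0 ERROR: problem decoding",
    "2013-05-15 15:08:22.452443 7fa816bf9700 0 ceph_decode_cms returned -22",
    "2013-05-15 15:08:22.452463 7fa816bf9700 0 ERROR: keystone revocation processing returned error r=-22",
]

if __name__ == "__main__":
    found, by_kind = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['kind']:18} rc={f['rc']} {f['msg']}")
    print("revocation broken:", revocation_broken(found))
    print("hint:", root_cause_hint(by_kind))
```

The point of alerting on these lines rather than leaving them in debug output: the revocation pass is what removes keystone-revoked tokens from the gateway's token cache, so while it keeps failing a token keystone has already revoked is still honoured from that cache until the cached entry expires.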