Re: Noobish questions on the radosgw and keystone

Oops, dang new gmail gui!

I've managed to send the last email with a previously unknown key combination ;)
Sorry.

I just wanted to add the commands used to convert the certificates:

# openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | 
   certutil -A -d /var/lib/ceph/nss -n ca -t "TCu,Cu,Tuw"

# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | 
   certutil -A -d /var/lib/ceph/nss -n signing_cert -t "TCu,Cu,Tuw"

Is it correct that both certificates are declared with the same type ("TCu,Cu,Tuw")?

Cheers,
Davide


On Wed, May 15, 2013 at 5:33 PM, Davide Fanciola <dfanciola@xxxxxxxxx> wrote:
Hi Yehuda,

thanks for your quick reply.


On Wed, May 15, 2013 at 4:08 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote:
On Wed, May 15, 2013 at 6:45 AM, Davide Fanciola <dfanciola@xxxxxxxxx> wrote:
> Hello everyone,
>
> I'm trying to set up the radosgw with keystone integration and having a few
> problems, hopefully due to my noobism.
> I'm using Ubuntu 13.04 with ceph-0.61.2-1raring and
> keystone-2013.1-0ubuntu1.
>
> I followed the docs at http://ceph.com/docs/master/radosgw/config/ and
> managed to have a "working" setup.
> Actually I have created a swift user and key using the internal
> authentication system and another user in keystone.
> I've successfully tested the access for both users with slightly different
> syntax on the swift command line.
>
> RGW User:
> $ swift -V 1.0 -A http://rgw.dns/auth -U user:subuser -K theKey stat
>
> Keystone User:
> $ swift -V 2.0 -A http://keystone.dns:5000/v2.0 -U tenant:user -K
> thePassword stat
>
> Now the problem I'm having is that if these two users create a
> bucket/container with the same name, the second user receives a permission
> error.
>
> From my understanding this is due to the fact that the returned
> "X-Storage-Url" does not contain any part specific to the user, i.e. the url is
> always "http://rgw.dns/swift/v1".
> When I check the API documentation, the storage url is normally given in the
> form of "http://rgw.dns/swift/v1/{USER_OR_TENANT_ID_OR_NAME}".
> The only config options that look pertinent are "rgw swift url" and
> "rgw swift url prefix" but I don't see how to inject dynamic values (i.e.
> the tenant id).
> Am I completely on the wrong track here?

Yeah, that's unrelated. It's used by the gateway to identify whether
it's swift or not, and to generate the storage-url by the rgw
swift-auth.
>
> My final goal would be to have a sort of namespace for each keystone tenant
> (or RGW user).
> Tenant's users (RGW subusers) would be confined in that namespace and able
> to access each other files based on ACL's.
> Is this use case supported by the couple radosgw/keystone?

Not currently. At the moment all rgw users share a single namespace.
The rgw user <-> tenant mapping is more like the way S3 handles it. I
just created issue #5073 to allow that.


So for the moment, the only way to ensure this would be at the application level?


>
>
> The second problem is that I'm not sure the keystone revocation process is
> functioning correctly, here's what the logs show:
>
> 2013-05-15 15:08:22.452380 7fa816bf9700  0 ERROR: signer 0 status =
> SigningCertNotTrusted
> 2013-05-15 15:08:22.452424 7fa816bf9700  0 ERROR: problem decoding
> 2013-05-15 15:08:22.452443 7fa816bf9700  0 ceph_decode_cms returned -22
> 2013-05-15 15:08:22.452463 7fa816bf9700  0 ERROR: keystone revocation
> processing returned error r=-22
>
> I've imported keystone's CA and signing certificate, so I'm not sure what's
> wrong here but it looks like the certutil step is not correct or complete.
>

It's hard to really identify what the problem is. It might be that
you've converted the wrong openssl certificate.


Alright, then maybe something is wrong on the keystone side. I'll regenerate keystone certs, ensure they're used for signing and try again.

Yehuda

>
> For reference i report here my config for the radosgw :
>
> [client.radosgw.gateway]
>         host = ubu-keystone
>         keyring = /etc/ceph/keyring.radosgw.gateway
>         rgw socket path = /tmp/radosgw.sock
>         log file = /var/log/ceph/radosgw.log
>         debug rgw = 20
> # Not using the 100-continue Apache
>         rgw print continue = false
>         rgw dns name = ubu-keystone
>         rgw keystone url = http://ubu-keystone:35357
>         rgw keystone admin token = ADMINTOKEN
>         rgw keystone accepted roles = Member, admin, swiftoperator
>         rgw keystone token cache size = 500
>         rgw keystone revocation interval = 600
>         nss db path = /var/lib/ceph/nss
>
>
> Thanks in advance,
> Cheers,
> Davide
>
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>

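An added example, not part of the thread: a small Python check that walks radosgw log lines in the layout quoted above and pairs each "keystone revocation processing returned error" line with the NSS signer verdict logged just before it. The sample log is constructed from the quoted lines (re-joined, plus one later repeat); the hint text is my own reading of the NSS status, not something the thread states. While these refreshes keep failing, tokens Keystone has revoked can keep being honoured by the gateway until they expire, which is why this is worth alerting on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the radosgw log lines quoted in the thread, re-joined onto
# single lines (the mail client had wrapped them), plus one later repeat.
SAMPLE_LOG = """\
2013-05-15 15:08:22.452380 7fa816bf9700  0 ERROR: signer 0 status = SigningCertNotTrusted
2013-05-15 15:08:22.452424 7fa816bf9700  0 ERROR: problem decoding
2013-05-15 15:08:22.452443 7fa816bf9700  0 ceph_decode_cms returned -22
2013-05-15 15:08:22.452463 7fa816bf9700  0 ERROR: keystone revocation processing returned error r=-22
2013-05-15 15:18:22.452463 7fa816bf9700  0 ERROR: keystone revocation processing returned error r=-22
"""

# Ceph log line layout: "<date> <time> <thread-id>  <level> <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(-?\d+) (.*)$")
SIGNER_RE = re.compile(r"signer \d+ status = (\w+)")
REVOCATION_RE = re.compile(r"keystone revocation processing returned error r=(-?\d+)")

# Operator hints for the NSS verdict rgw prints just before the revocation error
SIGNER_HINTS = {
    "SigningCertNotTrusted": "Keystone signing cert, or the CA that issued it, is not "
                             "trusted in the NSS db ('nss db path'); re-check the certutil import",
}

@dataclass
class RevocationFailure:
    timestamp: str
    errno: int                    # -22 is EINVAL: the signed CMS blob could not be decoded
    signer_status: Optional[str]  # NSS verdict logged just before this failure, if any

    def hint(self) -> str:
        return SIGNER_HINTS.get(self.signer_status or "", "no NSS signer verdict logged; inspect preceding lines")

def find_revocation_failures(log_text: str) -> List[RevocationFailure]:
    """One entry per failed revocation-list refresh, paired with the most recent signer verdict."""
    failures, last_signer = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _thread, _level, msg = m.groups()
        if (s := SIGNER_RE.search(msg)):
            last_signer = s.group(1)
        elif (r := REVOCATION_RE.search(msg)):
            failures.append(RevocationFailure(ts, int(r.group(1)), last_signer))
            last_signer = None  # the verdict belongs to this refresh only
    return failures
```

Feed it `/var/log/ceph/radosgw.log` (the `log file` from the quoted config) and alert when the list is non-empty; the `hint()` of each entry points at where to look.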
