Ceph, Keystone and S3

Carlos Gimeno Yañez <cgimeno@xxxxxxx> · Tue, 15 Oct 2013 16:17:37 +0200

Hi

I've deployed Ceph using Ceph-deploy and following the official documentation. I've created a user to use with Swift and everything is working fine, my users can create buckets and upload files if they use Horizon Dashboard or Swift CLI.

However, everything changes if they try to do it with S3 API. When they download their credentials from Horizon dashboard to get their keys, they can't connect to ceph using S3 API. They only get a "403 Access Denied" error message. I'm using Ceph 0.70 so, if i'm not wrong, ceph should be able to validate S3 tokens against keystone since 0.69 version.

Here is my ceph.conf:

[client.radosgw.gateway]
host = server2
keyring = /etc/ceph/keyring.radosgw.gateway
rgw socket path = /var/run/ceph/radosgw.sock
log file = /var/log/ceph/radosgw.log
rgw keystone url = "">
rgw keystone admin token = admintoken
rgw keystone accepted roles = admin _member_ Member
rgw print continue = false
rgw keystone token cache size = 500
rgw keystone revocation interval = 500
nss db path = /var/ceph/nss

#Add DNS hostname to enable S3 subdomain calls
rgw dns name = server2

And this is the error message (with s3-curl):

> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: host_ip

> Accept: */*
> Date: Tue, 15 Oct 2013 14:07:24 +0000
> Authorization: AWS 3a1ecdea87d6493a9922c13a06d392cf:SNu/sjTuDtvunOQKJaU8Besm1RQ=
> 
< HTTP/1.1 403 Forbidden
< Date: Tue, 15 Oct 2013 14:07:24 GMT

< Server: Apache/2.2.22 (Ubuntu)
< Accept-Ranges: bytes
< Content-Length: 78
< Content-Type: application/xml
< 
{ [data not shown]
<?xml version="1.0" encoding="UTF-8"?>

<Error>
    <Code>AccessDenied</Code>
</Error>

Regards

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com