Re: Openstack keystone with Radosgw


 



Have done this too, but in vain. I made changes to Horizon.conf as shown below. I had only I do not see the user being validated in radosgw log at all. 

root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
000-default.conf  default-ssl.conf  horizon.conf

----------------------------------------------------
<VirtualHost *:80>
    WSGIScriptAlias / /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10 home=/opt/stack/venvs/horizon python-path=/opt/stack/venvs/horizon:/opt/stack/venvs/horizon/lib/python2.7/site-packages/
    WSGIApplicationGroup %{GLOBAL}

    SetEnv APACHE_RUN_USER horizon
    SetEnv APACHE_RUN_GROUP horizon
    WSGIProcessGroup horizon
    WSGIChunkedRequest On

    DocumentRoot /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
    Alias /static /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
    Alias /media /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static>
        Options Indexes FollowSymLinks MultiViews
        Require all granted
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <Directory /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard>
        Options Indexes FollowSymLinks MultiViews
        Require all granted
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/httpd/horizon_error.log
    LogLevel debug
    CustomLog /var/log/httpd/horizon_access.log combined
</VirtualHost>

WSGISocketPrefix /var/run/httpd

----------------------------------




On Thursday, October 9, 2014 3:51 PM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:


No, I don't have any explicit ssl enabled in the rgw site.

Now you might be running into http://tracker.ceph.com/issues/7796 . So
check if you have enabled

WSGIChunkedRequest On

In your keystone virtualhost setup (explained in the issue).

Cheers

Mark


On 10/10/14 11:03, lakshmi k s wrote:
> Right, I have these certs on both nodes - keystone node and rgw gateway
> node. Not sure where I am going wrong. And what about SSL? Should the
> following be in rgw.conf in gateway node? I am not using this as it was
> optional.
>
> SSLEngine on
> SSLCertificateFile /etc/apache2/ssl/apache.crt
> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> SetEnv SERVER_PORT_SECURE 443
>
>
>
>
>
> On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> Almost - the converted certs need to be saved on your *rgw* host in
> nss_db_path (default is /var/ceph/nss but wherever you have it
> configured should be ok). Then restart the gateway.
>
> What is happening is the rgw needs these certs to speak with
> encryption to the keystone server (the latter does not need anything
> changed, as it is already using encryption).
>
> Regards
>
> Mark
>
> On 10/10/14 08:31, lakshmi k s wrote:
>  > Thanks Mark. I got past this error being root. So essentially, I copied
>  > the certs from openstack controller node to gateway node. Did the
>  > conversion using certutil and copied the files back to controller node
>  > under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
>  > doc says /var/ceph/nss though.
>  >
>  > But after this, I tried to use curl GET command, but in vain. Same old
>  > 401 - Authorization failure.
>  >
>  > curl -i -X GET http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc -H "X-Auth-Token: a510edb22f074946940cd4c07aafcd9d"
>  >
>  > HTTP/1.1 401 Unauthorized
>  > Date: Thu, 09 Oct 2014 19:17:31 GMT
>  > Server: Apache/2.4.7 (Ubuntu)
>  > Accept-Ranges: bytes
>  > Content-Length: 12
>  > Content-Type: text/plain; charset=utf-8
>  > AccessDeniedroot
>  >
>  > Not much difference in radosgw logs too. Note that the token used above
>  > is same one in ceph.conf file too. Please help.
>  >
>  > [client.radosgw.gateway]
>  > rgw keystone url = http://192.0.8.2:5000
>  > rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
>  > rgw keystone accepted roles = admim Member _member_ swiftoperator
>  > rgw keystone token cache size = 500
>  > rgw keystone revocation interval = 500
>  > rgw s3 auth use keystone = false
>  > nss db path = /var/lib/ceph/nss
>  > debug rgw = 20
>  > host = gateway
>  > keyring = /etc/ceph/ceph.client.radosgw.keyring
>  > rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
>  > log file = /var/log/ceph/client.radosgw.gateway.log
>  > rgw dns name = gateway
>  >
>  >
>  >
>  >
>  >
>  > On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
>  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>  >
>  >
>  > I ran into this - needed to actually be root via sudo -i or similar,
>  > *then* it worked. Unhelpful error message is I think referring to no
>  > initialized db.
>  >
>  > On 09/10/14 16:36, lakshmi k s wrote:
>  >  > Good workaround. But it did not work. Not sure what this error is all
>  >  > about now.
>  >  >
>  >  > gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey |
>  >  > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
>  >  > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
>  >  > certificate/key database is in an old, unsupported format.
>  >  >
>  >  >
>  >  >
>  >  > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
>  >  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>  >  >
>  >  >
>  >  > As a workaround check if your rgw host has openssl and certutil
>  >  > installed, if so you can copy the relevant unconverted certs over
>  >  > to it and convert 'em there.
>  >  >
>  >  > On 09/10/14 15:07, lakshmi k s wrote:
>  >  >  > Tried aptitude as well, but no luck.
>  >  >  >
>  >  >  > Ceph users, have you tried to install libnss3-tools or certutil
>  >  >  > tool on debian/ubuntu? If so, how did you go about this problem.
>  >  >  >
>  >  >  >
>  >  >  > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
>  >  >  > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>  >
>  >  >  >
>  >  >  >
>  >  >  > Ok, so that is the thing to get sorted. I'd suggest posting the
>  >  >  > error(s) you are getting perhaps here (someone else might know),
>  >  >  > but definitely to one of the Debian specific lists.
>  >  >  >
>  >  >  > In the meantime perhaps try installing the packages with aptitude
>  >  >  > rather than apt-get - if there is some fancy footwork required it
>  >  >  > is fairly smart about what needs to be done.
>  >  >  >
>  >  >  > Cheers
>  >  >  >
>  >  >  > Mark
>  >  >  >
>  >  >  > On 09/10/14 14:38, lakshmi k s wrote:
>  >  >  >  > Thanks Mark. I have been trying to install this on controller
>  >  >  >  > node. But for some reason, I am unable to install certutil or
>  >  >  >  > libnss3-tools on debian. I am not sure how to proceed.
>  >  >  >  >
>  >  >  >
>  >  >  >
>  >  >  >
>  >  >
>  >  >
>  >  >
>  >
>  >
>  >
>
>
>



_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
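
The two conditions this thread keeps returning to (a converted NSS certificate database at `nss db path` on the rgw host, and `WSGIChunkedRequest On` in the Keystone virtualhost) can be checked before retrying the curl request. This is an added shell example, not code from any poster or from Ceph; the function names and the cert8.db/cert9.db presence test are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: preflight checks for the radosgw + Keystone setup in this thread.

# Print the value of KEY in [SECTION] of a ceph.conf-style file.
conf_get() {  # conf_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); insec = ($0 == sec); next }
        insec && (pos = index($0, "=")) {
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            gsub(/[ \t_]+/, " ", k)   # "nss db path" and "nss_db_path" are the same key
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeeds if DIR holds an NSS certificate database (legacy cert8.db or SQL cert9.db).
nss_db_present() {  # nss_db_present DIR
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# Succeeds if the Apache vhost file has an uncommented "WSGIChunkedRequest On".
chunked_enabled() {  # chunked_enabled VHOST_FILE
    grep -Eiq '^[[:space:]]*WSGIChunkedRequest[[:space:]]+On[[:space:]]*$' "$1"
}

# Run both checks, print one line per finding, return the number of failures.
rgw_keystone_preflight() {  # rgw_keystone_preflight CEPH_CONF SECTION KEYSTONE_VHOST
    fails=0
    nss=$(conf_get "$1" "$2" "nss db path")
    if [ -z "$nss" ]; then
        echo "FAIL: no 'nss db path' in [$2]"; fails=$((fails + 1))
    elif ! nss_db_present "$nss"; then
        echo "FAIL: no NSS cert database in $nss on this host"; fails=$((fails + 1))
    else
        echo "ok: NSS database found in $nss"
    fi
    if chunked_enabled "$3"; then
        echo "ok: WSGIChunkedRequest On"
    else
        echo "FAIL: WSGIChunkedRequest On missing from $3"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh preflight.sh /etc/ceph/ceph.conf client.radosgw.gateway <keystone vhost file>
if [ "$#" -eq 3 ]; then
    rgw_keystone_preflight "$@"
fi
```

Run it on the rgw host for the NSS check; the vhost argument must be the Keystone site file, which may live on a different node than the gateway.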
