Hello Mark -
Changing the rgw keystone url to http://192.168.122.165:35357 did not help. I continue to get a 401 error. Also, I am trying to integrate with Icehouse this time. I did not see any keystone.conf in /etc/apache2/sites-available for adding WSGI chunked encoding. That said, I am having issues with the initial keystone handshake itself.
Thanks,
Lakshmi.
On Wednesday, October 15, 2014 2:37 PM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
On 16/10/14 09:08, lakshmi k s wrote:
> I am trying to integrate Openstack keystone with radosgw. I have
> followed the instructions as per the link -
> http://ceph.com/docs/master/radosgw/keystone/. But for some reason,
> keystone flags under the [client.radosgw.gateway] section are not being
> honored. That means the presence of these flags never triggers an attempt to use
> keystone. Hence, any swift v2.0 call results in a 401 Authorization
> problem. But if I move the keystone url outside, under the global section, I
> see that there is initial keystone handshake between keystone and
> gateway nodes.
>
> Please note that swift v1 calls (without using keystone) work great.
> Any thoughts on how to resolve this problem?
>
> ceph.conf
>
> [global]
> fsid = f216cbe1-fa49-42ed-b28a-322aa3d48fff
> mon_initial_members = node1
> mon_host = 192.168.122.182
> auth_cluster_required = cephx
> auth_service_required = cephx
> auth_client_required = cephx
> filestore_xattr_use_omap = true
>
> [client.admin]
> keyring = /etc/ceph/ceph.client.admin.keyring
>
> [client.radosgw.gateway]
> host = radosgw
> keyring = /etc/ceph/ceph.client.radosgw.keyring
> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> log file = /var/log/ceph/client.radosgw.gateway.log
> rgw dns name = radosgw
>
> rgw keystone url = http://192.168.122.165:5000
> rgw keystone admin token = faedf7bc53e3371924e7b3ddb9d13ddd
> rgw keystone accepted roles = admin Member _member_
> rgw keystone token cache size = 500
> rgw keystone revocation interval = 500
> rgw s3 auth use keystone = true
> nss db path = /var/ceph/nss
>
>
I have managed to reproduce this:
If I copy your [client.radosgw.gateway] section and amend the obvious
differences (hostnames and ips, and socket paths), then I too see auth
failed and no sign of any attempt to use keystone auth logged. Making
the following change:
- rgw keystone url = http://192.168.122.165:5000
+ rgw keystone url = http://192.168.122.165:35357
makes it work again. I'm guessing it is tied up with the fact we
needed to add WSGI Chunked encoding... and we did that only for the
35357 keystone virtualhost (I guess I can add it to 5000 too and see if
that fixes it). It does seem odd that there is no log entry on the rgw...
but it may be failing before the call gets logged (will look).
Regards
Mark
P.s: Added $SUBJECT header.
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
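A way to check a ceph.conf for the points raised in this thread: which section the keystone options are read from, whether the URL value is clean, and which Keystone port it targets, plus whether the admin token would be sent over plain HTTP. This is an added example, not code from the thread or from Ceph; the function name, finding codes and sample config are constructed for illustration, and the port-5000 finding reflects only what Mark reports above.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample modelled on the ceph.conf quoted in the thread;
# the token is a placeholder, not a real secret.
SAMPLE_CONF = """\
[global]
auth_client_required = cephx

[client.radosgw.gateway]
host = radosgw
rgw keystone url = http://192.168.122.165:5000
rgw keystone admin token = PLACEHOLDER_TOKEN
rgw s3 auth use keystone = true
"""

def norm(key):
    # "rgw keystone url" and "rgw_keystone_url" name the same Ceph option.
    return "_".join(key.replace("_", " ").split())

def audit_rgw_keystone(conf_text, section="client.radosgw.gateway"):
    """Return ({option: (value, source section)}, [finding codes])."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = norm
    cp.read_string(conf_text)
    effective, findings = {}, []
    for sec in ("global", section):  # the daemon's own section overrides [global]
        if cp.has_section(sec):
            for key, val in cp.items(sec):
                if "keystone" in key:
                    effective[key] = (val.strip(), sec)
    if "rgw_keystone_url" not in effective:
        return effective, ["no_keystone_url"]
    url = effective["rgw_keystone_url"][0]
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return effective, ["url_malformed"]
    if parts.scheme not in ("http", "https") or not parts.hostname or " " in url:
        findings.append("url_malformed")  # e.g. link markup pasted into the value
    if parts.scheme == "http" and "rgw_keystone_admin_token" in effective:
        findings.append("admin_token_over_plain_http")
    if port == 5000:
        findings.append("public_port_5000")  # in the thread only 35357 worked
    return effective, findings

if __name__ == "__main__":
    for item in audit_rgw_keystone(SAMPLE_CONF):
        print(item)
```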