Re: Rados Gateway and keystone


 



Addendum

 

In the keystone log, I got

2015-05-06 11:42:24.594 10435 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 11:42:24] "POST /v2.0/s3tokens HTTP/1.1" 404 247 0.003872

 

Something is missing

 

This is my new quest…

 

 

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday, 6 May 2015 10:24
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

 

Hi,

 

Coming back to that issue.

My endpoint wasn't set up correctly.

I changed it to myrgw:myport (rgwow:8080) in the cloudberry profile or in the curl request and I got a 403 error due to a potential bad role returned by keystone.

In the radosgw log, I got

2015-05-05 14:58:23.895961 7fb9f4fe9700  1 ====== starting new request req=0x7fba040177c0 =====

2015-05-05 14:58:23.895975 7fb9f4fe9700  2 req 82:0.000015::GET /::initializing

2015-05-05 14:58:23.896009 7fb9f4fe9700 10 s->object=<NULL> s->bucket=<NULL>

2015-05-05 14:58:23.896014 7fb9f4fe9700  2 req 82:0.000054:s3:GET /::getting op

2015-05-05 14:58:23.896018 7fb9f4fe9700  2 req 82:0.000058:s3:GET /:list_buckets:authorizing

2015-05-05 14:58:23.896022 7fb9f4fe9700  2 req 82:0.000062:s3:GET /:list_buckets:reading permissions

2015-05-05 14:58:23.896027 7fb9f4fe9700  2 req 82:0.000067:s3:GET /:list_buckets:init op

2015-05-05 14:58:23.896030 7fb9f4fe9700  2 req 82:0.000070:s3:GET /:list_buckets:verifying op mask

2015-05-05 14:58:23.896032 7fb9f4fe9700 20 required_mask= 1 user.op_mask=7

2015-05-05 14:58:23.896033 7fb9f4fe9700  2 req 82:0.000073:s3:GET /:list_buckets:verifying op permissions

2015-05-05 14:58:23.896036 7fb9f4fe9700  2 req 82:0.000075:s3:GET /:list_buckets:verifying op params

2015-05-05 14:58:23.896037 7fb9f4fe9700  2 req 82:0.000077:s3:GET /:list_buckets:executing

2015-05-05 14:58:23.898267 7fb9f4fe9700  5 nothing to log for operation

2015-05-05 14:58:23.898286 7fb9f4fe9700  2 req 82:0.002326:s3:GET /:list_buckets:http status=200

2015-05-05 14:58:23.898293 7fb9f4fe9700  1 ====== req done req=0x7fba040177c0 http_status=200 ======

2015-05-05 14:58:24.227297 7fba215f8700 20 enqueued request req=0x7fba04013580

2015-05-05 14:58:24.227318 7fba215f8700 20 RGWWQ:

2015-05-05 14:58:24.227320 7fba215f8700 20 req: 0x7fba04013580

2015-05-05 14:58:24.227328 7fba215f8700 10 allocated request req=0x7fba04012050

2015-05-05 14:58:24.227454 7fb9f57ea700 20 dequeued request req=0x7fba04013580

2015-05-05 14:58:24.227471 7fb9f57ea700 20 RGWWQ: empty

2015-05-05 14:58:24.227512 7fb9f57ea700 20 DOCUMENT_ROOT=/var/www/radosgw

2015-05-05 14:58:24.227515 7fb9f57ea700 20 FCGI_ROLE=RESPONDER

2015-05-05 14:58:24.227516 7fb9f57ea700 20 GATEWAY_INTERFACE=CGI/1.1

2015-05-05 14:58:24.227517 7fb9f57ea700 20 HTTP_ACCEPT=*/*

2015-05-05 14:58:24.227518 7fb9f57ea700 20 HTTP_AUTHORIZATION=AWS ffd80839282d4183afedff542de10760:9vF6bLQCF4a/bYTgaxPjl1bFro4=

2015-05-05 14:58:24.227520 7fb9f57ea700 20 HTTP_CONNECTION=close

2015-05-05 14:58:24.227521 7fb9f57ea700 20 HTTP_DATE=Tue, 05 May 2015 12:58:24 +0000

2015-05-05 14:58:24.227522 7fb9f57ea700 20 HTTP_HOST=rgwow:8080

2015-05-05 14:58:24.227523 7fb9f57ea700 20 HTTP_USER_AGENT=curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3

2015-05-05 14:58:24.227524 7fb9f57ea700 20 PATH=/usr/local/bin:/usr/bin:/bin

2015-05-05 14:58:24.227525 7fb9f57ea700 20 QUERY_STRING=page=&params=

2015-05-05 14:58:24.227526 7fb9f57ea700 20 REMOTE_ADDR=10.193.108.105

2015-05-05 14:58:24.227527 7fb9f57ea700 20 REMOTE_PORT=44436

2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_METHOD=GET

2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_URI=/

2015-05-05 14:58:24.227529 7fb9f57ea700 20 SCRIPT_FILENAME=/var/www/radosgw/s3gw.fcgi

2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_NAME=/

2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_URI=http://rgwow:8080/

2015-05-05 14:58:24.227531 7fb9f57ea700 20 SCRIPT_URL=/

2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADDR=10.193.108.236

2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADMIN=[no address given]

2015-05-05 14:58:24.227533 7fb9f57ea700 20 SERVER_NAME=rgwow

2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PORT=8080

2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PROTOCOL=HTTP/1.1

2015-05-05 14:58:24.227535 7fb9f57ea700 20 SERVER_SIGNATURE=

2015-05-05 14:58:24.227536 7fb9f57ea700 20 SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)

2015-05-05 14:58:24.227537 7fb9f57ea700  1 ====== starting new request req=0x7fba04013580 =====

2015-05-05 14:58:24.227551 7fb9f57ea700  2 req 83:0.000014::GET /::initializing

2015-05-05 14:58:24.227557 7fb9f57ea700 10 host=rgwow:8080 rgw_dns_name=rgwow

2015-05-05 14:58:24.227588 7fb9f57ea700 10 s->object=<NULL> s->bucket=<NULL>

2015-05-05 14:58:24.227593 7fb9f57ea700  2 req 83:0.000056:s3:GET /::getting op

2015-05-05 14:58:24.227596 7fb9f57ea700  2 req 83:0.000059:s3:GET /:list_buckets:authorizing

2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth

2015-05-05 14:58:24.227693 7fb9f57ea700 10 get_canon_resource(): dest=/

2015-05-05 14:58:24.227776 7fb9f57ea700 20 sending request to 10.194.167.23:5000/v2.0/s3tokens

2015-05-05 14:58:24.233049 7fb9f57ea700  5 s3 keystone: user does not hold a matching role; required roles: _member_, Member, admin, swiftoperator

2015-05-05 14:58:24.233121 7fb9f57ea700 20 get_obj_state: rctx=0x7fba6c0021e0 obj=.users:ffd80839282d4183afedff542de10760 state=0x7fba6c00b1a8 s->prefetch_data=0

2015-05-05 14:58:24.233135 7fb9f57ea700 10 cache get: name=.users+ffd80839282d4183afedff542de10760 : miss

2015-05-05 14:58:24.235002 7fb9f57ea700 10 cache put: name=.users+ffd80839282d4183afedff542de10760

2015-05-05 14:58:24.235025 7fb9f57ea700 10 adding .users+ffd80839282d4183afedff542de10760 to cache LRU end

2015-05-05 14:58:24.235038 7fb9f57ea700  5 error reading user info, uid=ffd80839282d4183afedff542de10760 can't authenticate

2015-05-05 14:58:24.235041 7fb9f57ea700 10 failed to authorize request

2015-05-05 14:58:24.235098 7fb9f57ea700  5 nothing to log for operation

2015-05-05 14:58:24.235102 7fb9f57ea700  2 req 83:0.007565:s3:GET /:list_buckets:http status=403

2015-05-05 14:58:24.235108 7fb9f57ea700  1 ====== req done req=0x7fba04013580 http_status=403 ======

 

In the keystone request, there is s3tokens.

Is it a standard implementation or does the keystone installation require something specific?

 

Best regards

 

 

From: ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On behalf of ghislain.chevalier@xxxxxxxxxx
Sent: Thursday, 16 April 2015 13:14
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

 

Hi,

 

I finally configured a cloudberry profile by setting what seems to be the right endpoint for object storage according to the openstack environment: myrgw:myport/swift/v1

I got a “204 no content” error even though 2 containers were previously created by a swift operation with objects in them.

 

In the log, I saw a dialog between the rgw and keystone but the right service doesn’t seem to be selected and the id became anonymous.

 

Any idea?

 

From: ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On behalf of ghislain.chevalier@xxxxxxxxxx
Sent: Wednesday, 15 April 2015 18:39
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

 

Hi,

 

Despite the creation of ec2 credentials which provide an accesskey and a secretkey for a user, it’s still impossible to connect using S3 (Forbidden/Access denied).

All is right using swift (create container, list container, get object, put object, delete object)

I use cloudberry client to do so.

 

Does someone know how I can check if the interoperability between keystone and the rgw is correctly set up?

In the rgw pools? in the radosgw metadata?

 

Best regards

 

From: ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On behalf of ghislain.chevalier@xxxxxxxxxx
Sent: Wednesday, 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

 

Thanks a lot

That helps.

 

From: Erik McCormick [mailto:emccormick@xxxxxxxxxxxxxxx]
Sent: Monday, 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

 

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security->API Access. Using the CLI you can use the openstack client like "openstack credential <list | show | create | delete | set>" or with the keystone client like "keystone ec2-credentials-list", etc.  Then you should be able to feed those credentials to the rgw like a normal S3 API call.

 

Cheers,

Erik

 

On Mon, Apr 13, 2015 at 10:16 AM, <ghislain.chevalier@xxxxxxxxxx> wrote:

Hi all,

Coming back to that issue.

I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)

I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
https://github.com/stackforge/swift3

A rgw can be, at the same time, under keystone control and standard radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can a rgw work for S3 users if they are stored in keystone? Which is the accesskey and secretkey?
What is the purpose of "rgw s3 auth use keystone" parameter?

Best regards

----------------------
From: ceph-users [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On behalf of ghislain.chevalier@xxxxxxxxxx
Sent: Monday, 23 March 2015 14:03
To: ceph-users
Subject: [ceph-users] Rados Gateway and keystone


Hi All,

I would just like to be sure about keystone configuration for Rados Gateway.

I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
but I didn't catch if after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.

In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
How does it work for S3 users?
What is the purpose of "rgw s3 auth use keystone" parameter?

Best regards

- - - - - - - - - - - - - - - - -
Ghislain Chevalier
+33299124432
+33788624370
ghislain.chevalier@xxxxxxxxxx
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
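
A simplified model of the exchange the radosgw log in this thread shows (the gateway forwarding the S3 request's access key and signature to keystone's /v2.0/s3tokens, then checking the returned roles), added here as an example and not code from the thread, Ceph or keystone. The keys, secrets, user roles, function names and the 401 returned by the modelled keystone are constructed for illustration; the accepted role list is the one printed in the log.

```python
import base64, hashlib, hmac, json

# Constructed sample data: what keystone holds per EC2 credential (not from the thread).
EC2_CREDENTIALS = {
    "EXAMPLESERVICEKEY": {"secret": "example-secret", "roles": ["service"]},
    "EXAMPLEMEMBERKEY": {"secret": "other-secret", "roles": ["_member_"]},
}
# Role list as printed in the radosgw log line "required roles: ...".
ACCEPTED_ROLES = {"_member_", "Member", "admin", "swiftoperator"}

def string_to_sign(method, date, resource, content_md5="", content_type=""):
    """AWS signature v2 string-to-sign for a request without x-amz-* headers."""
    return "\n".join([method, content_md5, content_type, date]) + "\n" + resource

def client_sign(secret, sts):
    """Client side: base64(HMAC-SHA1(secret, string-to-sign))."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def gateway_s3tokens_body(access, signature, sts):
    """Gateway side: it holds no secret, so it forwards what the client sent."""
    token = base64.b64encode(sts.encode()).decode()
    return json.dumps({"credentials": {"access": access,
                                       "signature": signature,
                                       "token": token}})

def keystone_s3tokens(body):
    """Keystone side (modelled): recompute the HMAC from the stored secret."""
    cred = json.loads(body)["credentials"]
    stored = EC2_CREDENTIALS.get(cred["access"])
    if stored is None:
        return 401, []
    sts = base64.b64decode(cred["token"]).decode()
    if not hmac.compare_digest(client_sign(stored["secret"], sts), cred["signature"]):
        return 401, []
    return 200, stored["roles"]

def gateway_authorize(access, signature, sts):
    """HTTP status the S3 client sees once keystone has answered."""
    status, roles = keystone_s3tokens(gateway_s3tokens_body(access, signature, sts))
    if status != 200 or not ACCEPTED_ROLES.intersection(roles):
        return 403  # unknown key, bad signature, or no matching role
    return 200
```

In this model a correctly signed request still ends in 403 when the keystone user holds none of the accepted roles, which is the case the log line "user does not hold a matching role" reports.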

 
