Re: radosgw and keystone version 3 domains

I'm having the exact same issue, and after looking it seems that radosgw is hardcoded to authenticate using v2 api. 

from the config file: rgw keystone url = http://openstackcontrol.lab:35357/

the "/v2.0/" is hardcoded and gets appended to the authentication request.

a snippet taken from radosgw (ran with "-d --debug-ms=1 --debug-rgw=20" options)

2015-09-25 12:40:00.359333 7ff4bcf61700  1 ====== starting new request req=0x7ff57801b810 =====
2015-09-25 12:40:00.359355 7ff4bcf61700  2 req 1:0.000021::GET /swift/v1::initializing
2015-09-25 12:40:00.359358 7ff4bcf61700 10 host=s3.lab.tech.lastmile.com
2015-09-25 12:40:00.359363 7ff4bcf61700 20 subdomain= domain=s3.lab.tech.lastmile.com in_hosted_domain=1
2015-09-25 12:40:00.359400 7ff4bcf61700 10 ver=v1 first= req=
2015-09-25 12:40:00.359410 7ff4bcf61700 10 s->object=<NULL> s->bucket=<NULL>
2015-09-25 12:40:00.359419 7ff4bcf61700  2 req 1:0.000085:swift:GET /swift/v1::getting op
2015-09-25 12:40:00.359422 7ff4bcf61700  2 req 1:0.000089:swift:GET /swift/v1:list_buckets:authorizing
2015-09-25 12:40:00.359428 7ff4bcf61700 20 token_id=6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to http://openstackcontrol.lab:35357/v2.0/tokens/6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error": {"message": "Non-default domain is not supported (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
2015-09-25 12:40:00.377175 7ff4bcf61700  0 user does not hold a matching role; required roles: admin, Member, _member_
2015-09-25 12:40:00.377179 7ff4bcf61700 10 failed to authorize request
2015-09-25 12:40:00.377216 7ff4bcf61700  2 req 1:0.017883:swift:GET /swift/v1:list_buckets:http status=401
2015-09-25 12:40:00.377219 7ff4bcf61700  1 ====== req done req=0x7ff57801b810 http_status=401 ======


From this it seems that radosgw doesn't support auth v3! Are there any plans to add that support?


On Sat, Sep 19, 2015 at 6:56 AM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
What's the error message you saw when you tried?

Shinobu

----- Original Message -----
From: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>
To: "Robert Duncan" <Robert.Duncan@xxxxxxxx>
Cc: ceph-users@xxxxxxxx
Sent: Friday, September 18, 2015 12:29:20 PM
Subject: Re: radosgw and keystone version 3 domains

On Fri, Sep 18, 2015 at 4:38 AM, Robert Duncan <Robert.Duncan@xxxxxxxx> wrote:
>
> Hi
>
>
>
> It seems that radosgw cannot find users in Keystone V3 domains, that is,
>
> When keystone is configured for domain specific drivers radosgw cannot find the users in the keystone users table (as they are not there)
>
> I have a deployment in which ceph provides object, block, ephemeral and user storage, however any user outside of the ‘default’ sql backed domain cannot be found by radosgw.
>
> Has anyone seen this issue before when using ceph in openstack? Is it possible to configure radosgw to use a keystone v3 url?

I'm not sure whether keystone v3 support for radosgw is there yet,
particularly for the swift api. Currently keystone v2 api is supported,
and due to the change in format between v2 and v3 tokens, I'm not sure
whether swift apis will work with v3 yet, though keystone v3 *might*
just work on the s3 interface due to the different format used.


>
>
> Thanks,
>
> Rob.
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
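
A small triage helper for radosgw debug output of the kind quoted in this thread, added here as an example and not part of the original messages or of Ceph. It reports which Keystone API version the gateway called and the error Keystone returned, and masks token IDs before a log is shared; the sample log, host name and token value are constructed.

```python
import json
import re

# Constructed sample in the radosgw debug-log format quoted in this thread;
# the host name and token value are made-up placeholders.
SAMPLE_LOG = """\
2015-09-25 12:40:00.359428 7ff4bcf61700 20 token_id=00000000000000000000000000000000
2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to http://keystone.example:35357/v2.0/tokens/00000000000000000000000000000000
2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error": {"message": "Non-default domain is not supported", "code": 401, "title": "Unauthorized"}}
2015-09-25 12:40:00.377179 7ff4bcf61700 10 failed to authorize request
"""

TOKEN_RE = re.compile(r"(token_id=|/tokens/)([0-9a-fA-F]{32})")
REQUEST_RE = re.compile(r"sending request to (\S+?)/(v\d+(?:\.\d+)?)/tokens/")
RESPONSE_RE = re.compile(r"received response: (\{.*\})\s*$")


def redact(text):
    """Mask token IDs: they are bearer credentials until they expire."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "<redacted>", text)


def diagnose(log_text):
    """Return the Keystone API version radosgw called and any error it got back."""
    result = {"endpoint": None, "api_version": None,
              "keystone_error": None, "code": None, "authorized": True}
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if req:
            result["endpoint"], result["api_version"] = req.group(1), req.group(2)
        resp = RESPONSE_RE.search(line)
        if resp:
            try:
                body = json.loads(resp.group(1))
            except ValueError:
                body = None  # truncated or non-JSON body: leave fields unset
            err = body.get("error") if isinstance(body, dict) else None
            if err:
                result["keystone_error"] = err.get("message")
                result["code"] = err.get("code")
        if "failed to authorize request" in line:
            result["authorized"] = False
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```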