A few other things that don’t work –
- appending /v3 into the rgw.conf file (worth a try)
- adding the user into the default domain
- removing the v2 endpoints from the keystone catalog
- using a domain scoped token in rgw.conf
- using admin username and password in rgw.conf
According to keystone documents we shouldn’t use a versioned endpoint in the catalog anymore as ports 5000 and 35357 have an HTTP 300 ‘multiple choices’.
Although – horizon doesn’t work without explicitly stating ‘use identity v3’ – anyway, keystone python client is pretty much broken as we can’t list domain users or their projects (tenants) and need to use openstack client.
This is the crux of the issue, if keystone v2 could only list domain users as having a role on a project, but it doesn’t understand the domain id part of the token – arrghhh!
curl -i 172.25.60.2:35357
HTTP/1.1 300 Multiple Choices
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 759
Date: Fri, 25 Sep 2015 14:11:08 GMT
Connection: close
{"versions": {"values": [{"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://172.25.60.2:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://172.25.60.2:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type":
From: Luis Periquito [mailto:periquito@xxxxxxxxx]
Sent: 25 September 2015 14:37
To: Robert Duncan
Cc: Shinobu Kinjo; Abhishek L; ceph-users
Subject: Re: [ceph-users] radosgw and keystone version 3 domains
On Fri, Sep 25, 2015 at 1:37 PM, Robert Duncan <Robert.Duncan@xxxxxxxx> wrote:
I would be interested if anyone even has a work around to this - no matter how arcane.
If anyone gets this to work I would be most obliged
-----Original Message-----
From: Shinobu Kinjo [mailto:skinjo@xxxxxxxxxx]
Sent: 25 September 2015 13:31
To: Luis Periquito
Cc: Abhishek L; Robert Duncan; ceph-users
Subject: Re: [ceph-users] radosgw and keystone version 3 domains
Thanks for the info.
Shinobu
----- Original Message -----
From: "Luis Periquito" <periquito@xxxxxxxxx>
To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
Cc: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>, "Robert Duncan" <Robert.Duncan@xxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxx>
Sent: Friday, September 25, 2015 8:52:48 PM
Subject: Re: [ceph-users] radosgw and keystone version 3 domains
I'm having the exact same issue, and after looking it seems that radosgw is hardcoded to authenticate using v2 api.
from the config file: rgw keystone url = http://openstackcontrol.lab:35357/
the "/v2.0/" is hardcoded and gets appended to the authentication request.
a snippet taken from radosgw (run with "-d --debug-ms=1 --debug-rgw=20" options)
2015-09-25 12:40:00.359333 7ff4bcf61700 1 ====== starting new request req=0x7ff57801b810 =====
2015-09-25 12:40:00.359355 7ff4bcf61700 2 req 1:0.000021::GET /swift/v1::initializing
2015-09-25 12:40:00.359358 7ff4bcf61700 10 host=s3.lab.tech.lastmile.com
2015-09-25 12:40:00.359363 7ff4bcf61700 20 subdomain= domain=s3.lab.tech.lastmile.com in_hosted_domain=1
2015-09-25 12:40:00.359400 7ff4bcf61700 10 ver=v1 first= req=
2015-09-25 12:40:00.359410 7ff4bcf61700 10 s->object=<NULL> s->bucket=<NULL>
2015-09-25 12:40:00.359419 7ff4bcf61700 2 req 1:0.000085:swift:GET /swift/v1::getting op
2015-09-25 12:40:00.359422 7ff4bcf61700 2 req 1:0.000089:swift:GET /swift/v1:list_buckets:authorizing
2015-09-25 12:40:00.359428 7ff4bcf61700 20 token_id=6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to http://openstackcontrol.lab:35357/v2.0/tokens/6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error": {"message": "Non-default domain is not supported (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
2015-09-25 12:40:00.377175 7ff4bcf61700 0 user does not hold a matching role; required roles: admin, Member, _member_
2015-09-25 12:40:00.377179 7ff4bcf61700 10 failed to authorize request
2015-09-25 12:40:00.377216 7ff4bcf61700 2 req 1:0.017883:swift:GET /swift/v1:list_buckets:http status=401
2015-09-25 12:40:00.377219 7ff4bcf61700 1 ====== req done req=0x7ff57801b810 http_status=401 ======
From this it seems that radosgw doesn't support auth v3! Are there any plans to add that support?
On Sat, Sep 19, 2015 at 6:56 AM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
> What's error message you saw when you tried?
>
> Shinobu
>
> ----- Original Message -----
> From: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>
> To: "Robert Duncan" <Robert.Duncan@xxxxxxxx>
> Cc: ceph-users@xxxxxxxx
> Sent: Friday, September 18, 2015 12:29:20 PM
> Subject: Re: [ceph-users] radosgw and keystone version 3 domains
>
> On Fri, Sep 18, 2015 at 4:38 AM, Robert Duncan <Robert.Duncan@xxxxxxxx> wrote:
> >
> > Hi
> >
> > It seems that radosgw cannot find users in Keystone V3 domains, that is,
> > when keystone is configured for domain specific drivers radosgw cannot find the users in the keystone users table (as they are not there).
> >
> > I have a deployment in which ceph provides object, block, ephemeral and user storage, however any user outside of the ‘default’ sql backed domain cannot be found by radosgw.
> >
> > Has anyone seen this issue before when using ceph in openstack? Is it possible to configure radosgw to use a keystone v3 url?
>
> I'm not sure whether keystone v3 support for radosgw is there yet,
> particularly for the swift api. Currently keystone v2 api is
> supported, and due to the change in format between v2 and v3 tokens,
> I'm not sure whether swift apis will work with v3 yet, though keystone
> v3 *might* just work on the s3 interface due to the different format used.
>
>
> >
> >
> > Thanks,
> >
> > Rob.
> >
> > ________________________________
> >
> > The information contained and transmitted in this e-mail is
> > confidential
> information, and is intended only for the named recipient to which it
> is addressed. The content of this e-mail may not have been sent with
> the authority of National College of Ireland. Any views or opinions
> presented are solely those of the author and do not necessarily
> represent those of National College of Ireland. If the reader of this
> message is not the named recipient or a person responsible for
> delivering it to the named recipient, you are notified that the
> review, dissemination, distribution, transmission, printing or
> copying, forwarding, or any other use of this message or any part of
> it, including any attachments, is strictly prohibited. If you have
> received this communication in error, please delete the e-mail and
> destroy all record of this communication. Thank you for your assistance.
> >
> > ________________________________
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@xxxxxxxxxxxxxx
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >
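The thread boils down to two observable facts: the Keystone root URL answers with a 300 "multiple choices" document listing v2.0 and v3.0 side by side, and radosgw ignores that document and always calls `/v2.0/tokens/<id>`, which Keystone v2 rejects for users in a non-default domain. The script below is an added diagnostic, not code from the Ceph or Keystone projects: it parses a discovery document of the shape quoted above, reproduces the validation URL radosgw builds from `rgw keystone url` (the hardcoded `/v2.0/tokens/` behaviour reported in the thread), and scans radosgw debug lines for the v2 call followed by the "Non-default domain is not supported" 401. The function names and the `cause` wording are my own; the sample discovery body and log lines are constructed from the messages above.

```python
import json
import re

# Constructed discovery document, modelled on the `curl -i 172.25.60.2:35357`
# body quoted in the thread (trimmed to the fields this script uses).
DISCOVERY_JSON = """{"versions": {"values": [
  {"status": "stable", "updated": "2013-03-06T00:00:00Z", "id": "v3.0",
   "links": [{"href": "http://172.25.60.2:35357/v3/", "rel": "self"}]},
  {"status": "stable", "updated": "2014-04-17T00:00:00Z", "id": "v2.0",
   "links": [{"href": "http://172.25.60.2:35357/v2.0/", "rel": "self"}]}
]}}"""

# Constructed radosgw debug lines, re-joined from the wrapped snippet in the thread.
RGW_LOG = [
    "2015-09-25 12:40:00.359428 7ff4bcf61700 20 token_id=6b67585266ce4aee9e326e72c81865dd",
    "2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to "
    "http://openstackcontrol.lab:35357/v2.0/tokens/6b67585266ce4aee9e326e72c81865dd",
    '2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error": '
    '{"message": "Non-default domain is not supported (Disable debug mode to suppress '
    'these details.)", "code": 401, "title": "Unauthorized"}}',
    "2015-09-25 12:40:00.377175 7ff4bcf61700 0 user does not hold a matching role; "
    "required roles: admin, Member, _member_",
    "2015-09-25 12:40:00.377216 7ff4bcf61700 2 req 1:0.017883:swift:GET "
    "/swift/v1:list_buckets:http status=401",
]


def advertised_versions(body):
    """Map each API version id in a Keystone discovery body to its 'self' href."""
    doc = json.loads(body)
    versions = {}
    for entry in doc["versions"]["values"]:
        for link in entry.get("links", []):
            if link.get("rel") == "self":
                versions[entry["id"]] = link["href"]
    return versions


def rgw_validation_url(keystone_url, token_id):
    """Reproduce the URL radosgw builds: '/v2.0/tokens/<id>' appended to the
    configured 'rgw keystone url'. It does not consult the discovery document,
    which is why removing v2 endpoints from the catalog changes nothing here."""
    return keystone_url.rstrip("/") + "/v2.0/tokens/" + token_id


V2_CALL_RE = re.compile(r"sending request to (\S+/v2\.0/tokens/[0-9a-f]+)")
STATUS_RE = re.compile(r"http status=(\d+)")
DOMAIN_ERROR = "Non-default domain is not supported"


def diagnose(lines):
    """Summarise the v2-vs-v3 failure pattern from radosgw debug output.

    Returns counts of v2.0 token-validation calls and non-default-domain
    rejections, the final HTTP status seen, and a one-line cause (hypothetical
    wording) when the pattern from the thread is present."""
    summary = {"v2_validation_calls": 0, "non_default_domain_errors": 0,
               "http_status": None, "cause": None}
    for line in lines:
        if V2_CALL_RE.search(line):
            summary["v2_validation_calls"] += 1
        if DOMAIN_ERROR in line:
            summary["non_default_domain_errors"] += 1
        status = STATUS_RE.search(line)
        if status:
            summary["http_status"] = int(status.group(1))
    if summary["v2_validation_calls"] and summary["non_default_domain_errors"]:
        summary["cause"] = ("token validated via v2.0 API; "
                            "user lives in a non-default (v3) domain")
    elif summary["http_status"] == 401:
        summary["cause"] = "authorization failed for another reason"
    return summary


def main():
    for vid, href in sorted(advertised_versions(DISCOVERY_JSON).items()):
        print(f"keystone advertises {vid} at {href}")
    print("radosgw will call:",
          rgw_validation_url("http://openstackcontrol.lab:35357/",
                             "6b67585266ce4aee9e326e72c81865dd"))
    print("log diagnosis:", diagnose(RGW_LOG))


if __name__ == "__main__":
    main()
```

Running it prints both advertised versions, the `/v2.0/tokens/<id>` URL radosgw will hit whatever the catalog says, and a summary whose `cause` names the v2-validation-of-a-v3-domain-user pattern; feeding it the debug log of a gateway that fails for a different reason yields a 401 with no domain error, which keeps the two cases apart during triage.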