If any of you could provide me with keystone.log, it would be more helpful.

and:

keystone --version

Shinobu

----- Original Message -----
From: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
To: "Robert Duncan" <Robert.Duncan@xxxxxxxx>
Cc: "Luis Periquito" <periquito@xxxxxxxxx>, "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxx>
Sent: Saturday, September 26, 2015 12:03:17 PM
Subject: Re: radosgw and keystone version 3 domains

> and need to use openstack client.

Yes, you have to for v3 anyway.

Shinobu

----- Original Message -----
From: "Robert Duncan" <Robert.Duncan@xxxxxxxx>
To: "Luis Periquito" <periquito@xxxxxxxxx>
Cc: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>, "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxx>
Sent: Friday, September 25, 2015 11:29:14 PM
Subject: RE: radosgw and keystone version 3 domains

A few other things that don’t work –

- appending /v3 into the rgw.conf file (worth a try)
- adding the user into the default domain
- removing the v2 endpoints from the keystone catalog
- using a domain scoped token in rgw.conf
- using admin username and password in rgw.conf

According to keystone documents we shouldn’t use a versioned endpoint in the catalog anymore as ports 5000 and 35357 have a http 300 ‘multiple choices’

Although – horizon doesn’t work without explicitly stating ‘use identity v3’ – anyway, keystone python client is pretty much broken as we can’t list domain users or their projects(tenants) and need to use openstack client.

This is the crux of the issue, if keystone v2 could only list domain users as having a role on a project, but it doesn’t understand the domain id part of the token – arrghhh!

curl -i 172.25.60.2:35357
HTTP/1.1 300 Multiple Choices
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 759
Date: Fri, 25 Sep 2015 14:11:08 GMT
Connection: close

{"versions": {"values": [{"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://172.25.60.2:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://172.25.60.2:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type":

From: Luis Periquito [mailto:periquito@xxxxxxxxx]
Sent: 25 September 2015 14:37
To: Robert Duncan
Cc: Shinobu Kinjo; Abhishek L; ceph-users
Subject: Re: radosgw and keystone version 3 domains

This was reported in http://tracker.ceph.com/issues/8052 about a year ago. This ticket hasn't been updated...

On Fri, Sep 25, 2015 at 1:37 PM, Robert Duncan <Robert.Duncan@xxxxxxxx> wrote:

I would be interested if anyone even has a work around to this - no matter how arcane.
If anyone gets this to work I would be most obliged

-----Original Message-----
From: Shinobu Kinjo [mailto:skinjo@xxxxxxxxxx]
Sent: 25 September 2015 13:31
To: Luis Periquito
Cc: Abhishek L; Robert Duncan; ceph-users
Subject: Re: radosgw and keystone version 3 domains

Thanks for the info.

Shinobu

----- Original Message -----
From: "Luis Periquito" <periquito@xxxxxxxxx>
To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
Cc: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>, "Robert Duncan" <Robert.Duncan@xxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxx>
Sent: Friday, September 25, 2015 8:52:48 PM
Subject: Re: radosgw and keystone version 3 domains

I'm having the exact same issue, and after looking it seems that radosgw is hardcoded to authenticate using v2 api.

from the config file:

rgw keystone url = http://openstackcontrol.lab:35357/

the "/v2.0/" is hardcoded and gets appended to the authentication request.

a snippet taken from radosgw (ran with "-d --debug-ms=1 --debug-rgw=20" options)

2015-09-25 12:40:00.359333 7ff4bcf61700 1 ====== starting new request req=0x7ff57801b810 =====
2015-09-25 12:40:00.359355 7ff4bcf61700 2 req 1:0.000021::GET /swift/v1::initializing
2015-09-25 12:40:00.359358 7ff4bcf61700 10 host=s3.lab.tech.lastmile.com
2015-09-25 12:40:00.359363 7ff4bcf61700 20 subdomain= domain= s3.lab.tech.lastmile.com in_hosted_domain=1
2015-09-25 12:40:00.359400 7ff4bcf61700 10 ver=v1 first= req=
2015-09-25 12:40:00.359410 7ff4bcf61700 10 s->object=<NULL> s->bucket=<NULL>
2015-09-25 12:40:00.359419 7ff4bcf61700 2 req 1:0.000085:swift:GET /swift/v1::getting op
2015-09-25 12:40:00.359422 7ff4bcf61700 2 req 1:0.000089:swift:GET /swift/v1:list_buckets:authorizing
2015-09-25 12:40:00.359428 7ff4bcf61700 20 token_id=6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to http://openstackcontrol.lab:35357/v2.0/tokens/6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error": {"message": "Non-default domain is not supported (Disable debug mode to suppress these details.)", "code": 401, "title": "Unauthorized"}}
2015-09-25 12:40:00.377175 7ff4bcf61700 0 user does not hold a matching role; required roles: admin, Member, _member_
2015-09-25 12:40:00.377179 7ff4bcf61700 10 failed to authorize request
2015-09-25 12:40:00.377216 7ff4bcf61700 2 req 1:0.017883:swift:GET /swift/v1:list_buckets:http status=401
2015-09-25 12:40:00.377219 7ff4bcf61700 1 ====== req done req=0x7ff57801b810 http_status=401 ======

From this it seems that radosgw doesn't support auth v3! Are there any plans to add that support?

On Sat, Sep 19, 2015 at 6:56 AM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:

> What's the error message you saw when you tried?
>
> Shinobu
>
> ----- Original Message -----
> From: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>
> To: "Robert Duncan" <Robert.Duncan@xxxxxxxx>
> Cc: ceph-users@xxxxxxxx
> Sent: Friday, September 18, 2015 12:29:20 PM
> Subject: Re: radosgw and keystone version 3 domains
>
> On Fri, Sep 18, 2015 at 4:38 AM, Robert Duncan <Robert.Duncan@xxxxxxxx> wrote:
> >
> > Hi
> >
> > It seems that radosgw cannot find users in Keystone V3 domains, that is,
> >
> > When keystone is configured for domain specific drivers radosgw cannot find the users in the keystone users table (as they are not there)
> >
> > I have a deployment in which ceph provides object block ephemeral and user storage, however any user outside of the ‘default’ sql backed domain cannot be found by radosgw.
> >
> > Has anyone seen this issue before when using ceph in openstack? Is it possible to configure radosgw to use a keystone v3 url?
>
> I'm not sure whether keystone v3 support for radosgw is there yet,
> particularly for the swift api. Currently keystone v2 api is
> supported, and due to the change in format between v2 and v3 tokens,
> I'm not sure whether swift apis will work with v3 yet, though keystone
> v3 *might* just work on the s3 interface due to the different format used.
>
> > Thanks,
> >
> > Rob.
> >
> > ________________________________
> >
> > The information contained and transmitted in this e-mail is confidential information, and is intended only for the named recipient to which it is addressed. The content of this e-mail may not have been sent with the authority of National College of Ireland. Any views or opinions presented are solely those of the author and do not necessarily represent those of National College of Ireland. If the reader of this message is not the named recipient or a person responsible for delivering it to the named recipient, you are notified that the review, dissemination, distribution, transmission, printing or copying, forwarding, or any other use of this message or any part of it, including any attachments, is strictly prohibited. If you have received this communication in error, please delete the e-mail and destroy all record of this communication. Thank you for your assistance.
> > ________________________________
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@xxxxxxxxxxxxxx
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
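
The failure in the debug log quoted above (radosgw validating the token against /v2.0/tokens/ and Keystone answering 401 "Non-default domain is not supported") can be extracted from a radosgw debug log mechanically. The following is an added example, not part of the original thread or of Ceph: the sample log lines, host name and token are constructed, and the function names are hypothetical. It also masks token IDs, which the debug output writes into the request URL.

```python
import json
import re

# Constructed sample modelled on the radosgw debug output quoted in the thread
# (host name and token are made up for this example).
SAMPLE_LOG = """\
2015-09-25 12:40:00.359428 7f00aa000700 20 token_id=0123456789abcdef0123456789abcdef
2015-09-25 12:40:00.359451 7f00aa000700 20 sending request to http://keystone.example:35357/v2.0/tokens/0123456789abcdef0123456789abcdef
2015-09-25 12:40:00.377066 7f00aa000700 20 received response: {"error": {"message": "Non-default domain is not supported", "code": 401, "title": "Unauthorized"}}
"""

LINE = re.compile(r"^(\S+ \S+) (\w+)\s+(\d+) (.*)$")   # time, thread, level, message
VALIDATE = re.compile(r"sending request to (\S+?)/(v[\d.]+)/tokens/(\w+)")
TOKEN = re.compile(r"\b[0-9a-f]{32}\b")


def redact(text):
    """Mask 32-hex token IDs so the log can be shared."""
    return TOKEN.sub(lambda m: m.group(0)[:4] + "<redacted>", text)


def keystone_failures(log):
    """Pair each token-validation request with Keystone's error reply, per thread."""
    pending, findings = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, thread, _level, msg = m.groups()
        req = VALIDATE.search(msg)
        if req:
            pending[thread] = {"time": stamp, "api": req.group(2),
                               "url": redact(req.group(0).split(" to ", 1)[1])}
        elif msg.startswith("received response: ") and thread in pending:
            entry = pending.pop(thread)
            try:
                err = json.loads(msg.split(": ", 1)[1]).get("error")
            except ValueError:  # truncated or non-JSON body
                err = {"code": None, "message": "unparseable response"}
            if err:
                entry.update(code=err.get("code"), reason=err.get("message"))
                findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in keystone_failures(SAMPLE_LOG):
        print(finding)
```
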