Hi,

I tried your endpoint configuration but with the same outcome. Maybe I am missing something... I also don't know if I am testing the right way.

But thank you for your answer and your help.

Greets

Stefan Bujack

root@keystone:~# openstack endpoint list | grep swift
| 0ee9c91af2424e33a91a4c118b693301 | RegionOne | swift | object-store | True | internal | http://ciosmon06.desy.de:7480/swift/v1/ |
| 4719a266432f45bda380c52486421e62 | RegionOne | swift | object-store | True | public   | http://ciosmon06.desy.de:7480/swift/v1/ |
| e68b3990e74447bfa35a5d6aa66ca2aa | RegionOne | swift | object-store | True | admin    | http://ciosmon06.desy.de:7480/swift/v1/ |

root@it-build:~# openstack container list
Unrecognized schema in response body. (HTTP 401) (Request-ID: tx000000000000000000007-005f914731-26173f-default)

[root@ciosmon06 ~]# tail -f /var/log/ceph/ceph-client.rgw.ciosmon06.log
2020-10-22 10:47:45.535 7efea6f5f700 1 ====== req done req=0x562f3de148f0 op status=0 http_status=401 latency=0.000999999s ======
2020-10-22 10:47:45.798 7efea675e700 1 ====== starting new request req=0x562f3de148f0 =====
2020-10-22 10:47:45.798 7efea675e700 1 ====== req done req=0x562f3de148f0 op status=0 http_status=401 latency=0s ======

root@it-build:~# openstack ec2 credentials create
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                          |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| access     | 91fe4a54ac4547b2a127fc4599bd7580                                                                                                                                               |
| links      | {'self': 'https://keystone-intern.desy.de:5000/v3/users/926c750033e668f0af2330b1c7c723a05b86fa393655369fdb1a5622ae65dac8/credentials/OS-EC2/91fe4a54ac4547b2a127fc4599bd7580'} |
| project_id | 286f5d2b38ae4595ba9ff8129e754f54                                                                                                                                               |
| secret     | e8e0035d228743cfb40083d84d6f3580                                                                                                                                               |
| trust_id   | None                                                                                                                                                                           |
| user_id    | 926c750033e668f0af2330b1c7c723a05b86fa393655369fdb1a5622ae65dac8                                                                                                               |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

root@it-build:~# /usr/local/bin/aws configure
AWS Access Key ID [****************780b]: 91fe4a54ac4547b2a127fc4599bd7580
AWS Secret Access Key [****************c4dc]: e8e0035d228743cfb40083d84d6f3580
Default region name [default]:
Default output format [None]:

root@it-build:~# /usr/local/bin/aws --endpoint='http://ciosmon06.desy.de:7480/swift/v1/' s3 ls s3://
An error occurred (404) when calling the ListBuckets operation: Not Found

root@it-build:~# /usr/local/bin/aws --endpoint='http://ciosmon06.desy.de:7480' s3 ls s3://
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: Unknown

[root@ciosmon06 ~]# tail -f /var/log/ceph/ceph-client.rgw.ciosmon06.log
2020-10-22 10:49:57.886 7efea2f57700 1 ====== starting new request req=0x562f3de248f0 =====
2020-10-22 10:49:57.888 7efea2f57700 1 ====== req done req=0x562f3de248f0 op status=-2 http_status=404 latency=0.002s ======
2020-10-22 10:50:22.344 7efea0752700 1 ====== starting new request req=0x562f3de488f0 =====
2020-10-22 10:50:22.346 7efea0752700 1 ====== req done req=0x562f3de488f0 op status=0 http_status=403 latency=0.002s ======

----- Original Message -----
From: "Burkhard Linke" <Burkhard.Linke@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: "ceph-users" <ceph-users@xxxxxxx>
Sent: Thursday, 22 October, 2020 10:11:22
Subject: Re: Need help integrating radosgw with keystone for openstack swift

Hi,

in our setup (ceph 15.2.4, openstack train) the swift endpoint URLs are different, e.g.

# openstack endpoint list --service swift
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                                  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------------------+
| 521a556e391c40cc8d242f0f61a22812 | RegionOne | swift        | object-store | True    | public    | https://s3.<redacted>/swift/v1                       |
....

And a somewhat related personal opinion: do not use swift. The API requires using openstack credentials, and in many cases these credentials are the main user credentials used for accessing openstack (there are other methods, but most users are not aware of this). If instances want to access data in the object storage, you have to store the credentials in the instance. If an instance is exposed to the internet, it may be attacked and broken into; as a result the openstack credentials might end up in the wrong hands. I'm not sure whether using other methods like application credentials can reduce the problem, e.g. by restricting them to certain services.

But you can encourage users to use the S3 interface instead. S3 credentials can be created in the openstack web interface and by command line; they are scoped to a certain project only, and if you do not use some AWS compatibility layer they can _only_ be used for authentication in the S3 API. It's probably still a problem if they are stolen, but it is not as bad as openstack credentials...

Just my 0.02 euro

Regards,
Burkhard
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
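
Added example, not part of the original thread and not Ceph project code: a small Python parser for the radosgw `req done` log lines quoted above. It separates the authentication failures (the 401s logged around the Swift request and the 403 logged when the S3 call returned `InvalidAccessKeyId`) from the 404 logged when the S3 call was sent to the `/swift/v1/` path. The sample input is the thread's own log lines embedded as constructed test data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: the radosgw log lines quoted in the thread.
SAMPLE_LOG = """\
2020-10-22 10:47:45.535 7efea6f5f700 1 ====== req done req=0x562f3de148f0 op status=0 http_status=401 latency=0.000999999s ======
2020-10-22 10:47:45.798 7efea675e700 1 ====== starting new request req=0x562f3de148f0 =====
2020-10-22 10:47:45.798 7efea675e700 1 ====== req done req=0x562f3de148f0 op status=0 http_status=401 latency=0s ======
2020-10-22 10:49:57.886 7efea2f57700 1 ====== starting new request req=0x562f3de248f0 =====
2020-10-22 10:49:57.888 7efea2f57700 1 ====== req done req=0x562f3de248f0 op status=-2 http_status=404 latency=0.002s ======
2020-10-22 10:50:22.344 7efea0752700 1 ====== starting new request req=0x562f3de488f0 =====
2020-10-22 10:50:22.346 7efea0752700 1 ====== req done req=0x562f3de488f0 op status=0 http_status=403 latency=0.002s ======
"""

# Matches only completed requests; "starting new request" lines are skipped.
DONE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ +\d+ =+ req done "
    r"req=(?P<req>0x[0-9a-f]+) op status=(?P<op>-?\d+) "
    r"http_status=(?P<http>\d{3}) latency=(?P<lat>[\d.]+)s =+$"
)

def parse_done(log_text):
    """Return one dict per completed request ("req done" line)."""
    out = []
    for line in log_text.splitlines():
        m = DONE.match(line.strip())
        if m:
            out.append({"ts": m["ts"], "req": m["req"], "op_status": int(m["op"]),
                        "http_status": int(m["http"]), "latency_s": float(m["lat"])})
    return out

def auth_failures(records):
    """Requests rejected with 401 or 403, i.e. at authentication/authorization."""
    return [r for r in records if r["http_status"] in (401, 403)]

def status_counts(records):
    """Number of completed requests per HTTP status code."""
    return Counter(r["http_status"] for r in records)

if __name__ == "__main__":
    recs = parse_done(SAMPLE_LOG)
    print(dict(status_counts(recs)))
    for r in auth_failures(recs):
        print(r["ts"], r["req"], r["http_status"])
```
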