Hi,

I am indeed using the OpenStack Ussuri release. I changed "rgw swift account in url = true" directly with the ceph config set ... command. I also checked that rgw_keystone_accepted_roles is correctly set, and not the admin one. I also tested disabling rgw_keystone_verify_ssl.

Should radosgw communicate with keystone somehow? I cannot see my ceph-cluster requesting anything from keystone through any interface (checked this one with tcpdump). I have tested restarting the radosgw with the command "ceph orch restart rgw.default.ou" and it seems that it brings the container down and up. Not sure, though, whether it is enough to bring the settings into use.

Current status is:
1) The swift command seems to be able to authenticate with keystone at the very beginning; this is done on the client side.
2) The swift command makes a request to radosgw and gets a 401:

INFO:swiftclient:REQ: curl -i <radosgw url here>/swift/v1/AUTH_<some id here>/test3 -X POST -H "X-Auth-Token: <token here>" -H "Content-Length: 0"
INFO:swiftclient:RESP STATUS: 401 Unauthorized

Thanks a lot again,
-Mika

On Tue, Jan 5, 2021 at 11:19 AM Wissem MIMOUNA <wissem.mimouna@xxxxxxxxxxxxxxxx> wrote:

> Hi,
>
> Which version of OpenStack do you have? I guess, since Ussuri (or maybe
> even before), Swift authentication through Keystone requires the
> account in the URL. You have to add this option in "/etc/ceph/ceph.conf",
> section rgw: "rgw swift account in url = true", or do it via setting it
> directly. Also, I noticed you did this ==> 3) ceph config set mgr
> rgw_keystone_accepted_admin_roles xxxx || I think you should use the
> option "rgw keystone accepted roles xxxx" instead.
>
> Regards
>
> -----Original message-----
> From: Mika Saari <mika.saari@xxxxxxxxx>
> Sent: Tuesday, 5 January 2021 10:03
> To: ceph-users@xxxxxxx
> Subject: Ceph RadosGW & OpenStack swift problem
>
> Hi,
>
> Using Ceph 15.2.8 installed with cephadm. Trying to get RadosGW to work.
> I have managed to get the RadosGW working. I can manage it through a
> dashboard and use the aws s3 client to create new buckets etc. When trying
> to use swift I get errors.
>
> Not sure how to continue to track the problem here. Any tips are welcome.
>
> Thank you very much,
> -Mika
>
> ------- What I have done and what are the results. Some data changed manually -------
> What I have done:
> At OpenStack side:
> 1) openstack user create --domain default --password-prompt swift
> 2) openstack role add --project service --user swift admin
> 3) openstack endpoint create --region RegionOne object-store public https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
> 4) openstack endpoint create --region RegionOne object-store internal https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
> 5) openstack endpoint create --region RegionOne object-store admin https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=bm67b3lMVeLC3sNvuyufFCe3AksJgfIgeI8SDorhHMU&e=
>
> At Ceph side:
> 1) ceph config set mgr rgw_keystone_api_version 3
> 2) ceph config set mgr rgw_keystone_url https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=lyXWyh-BXrikPWqWM3dcPW4ZofvjiAxnq-nXsjifnEw&e=
> 3) ceph config set mgr rgw_keystone_accepted_admin_roles admin
> 4) ceph config set mgr rgw_keystone_admin_user swift
> 5) ceph config set mgr rgw_keystone_admin_password swift_test
> 6) ceph config set mgr rgw_keystone_admin_domain default
> 7) ceph config set mgr rgw_keystone_admin_project service
> For the project I have tested different projects, e.g. service and admin.
>
> Now when testing the API using the swift client I get the following:
> 1) swift post test3 --debug
>
> DEBUG:keystoneclient.auth.identity.v3.base:Making authentication request to https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000_v3_auth_tokens&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-98qpMcc8sdRTdN7AwNPIyGsIK1GaFvi_SC5GtZGUpY&e=
> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): controller:5000
> DEBUG:urllib3.connectionpool:http://controller:5000 "POST /v3/auth/tokens HTTP/1.1" 201 7032
>
> . some openstack data here .
>
> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ceph1:80
> DEBUG:urllib3.connectionpool:http://ceph1:80 "POST /swift/v1/AUTH_adsfasdfasdfasdfasdfasdf/test3 HTTP/1.1" 401 12
> INFO:swiftclient:REQ: curl -i https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0&e= -X POST -H "X-Auth-Token: <Token would be here>" -H "Content-Length: 0"
> INFO:swiftclient:RESP STATUS: 401 Unauthorized
>
> and finally I get
> Container POST failed: https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0&e= 401 Unauthorized
> b'AccessDenied'
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
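
Added example, not part of the thread and not radosgw's own code: a simplified model of the two checks the thread's options govern (accepted roles, account in URL), run over a constructed Keystone v3 token-validation body, to show which check would explain a 401. The function name `explain_401`, the sample token and the project id are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: shape of a Keystone v3 token-validation response body.
SAMPLE_VALIDATION = json.loads("""
{"token": {"expires_at": "2021-01-05T12:19:00.000000Z",
           "user": {"name": "demo"},
           "project": {"id": "0123456789abcdef0123456789abcdef", "name": "demo"},
           "roles": [{"name": "member"}, {"name": "reader"}]}}
""")


def explain_401(validation, request_path, accepted_roles, now,
                account_in_url=True, prefix="AUTH_"):
    """Return the reasons a gateway applying these checks would refuse a request.

    Simplified model (assumption), not radosgw's implementation.
    """
    token = validation["token"]
    reasons = []

    # 1. The token must still be valid at request time.
    expires = datetime.strptime(token["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    if expires.replace(tzinfo=timezone.utc) <= now:
        reasons.append("token expired")

    # 2. At least one role on the token must be in the accepted-roles list
    #    (comma-separated, as in rgw_keystone_accepted_roles).
    have = {r["name"] for r in token.get("roles", [])}
    want = {r.strip() for r in accepted_roles.split(",") if r.strip()}
    if not have & want:
        reasons.append("no accepted role: token has %s, gateway accepts %s"
                       % (sorted(have), sorted(want)))

    # 3. With the account in the URL, it must name the token's project.
    #    Path layout from the thread: /swift/v1/AUTH_<project id>/<container>
    if account_in_url:
        parts = request_path.strip("/").split("/")
        account = parts[2] if len(parts) > 2 else ""
        expected = prefix + token["project"]["id"]
        if account != expected:
            reasons.append("account %r in URL does not match %r"
                           % (account, expected))
    return reasons
```

An empty list means none of the modelled checks would reject the request, so the cause lies elsewhere, for example in whether the gateway reached Keystone at all.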