Re: Ceph RadosGW & OpenStack swift problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

The radosgw should have a dedicated user (different from you swift user) for authentifiation with keystone ( openstack) in the project "service" and you should also add the role "_member_" in the rgw_keystone_accepted_roles.

Regards

-----Message d'origine-----
De : Mika Saari <mika.saari@xxxxxxxxx> 
Envoyé : jeudi 7 janvier 2021 11:35
À : ceph-users@xxxxxxx
Objet :  Re: Ceph RadosGW & OpenStack swift problem

Hi,

  I have added debug_rgw 20 to configuration. When checking docker logs -f <radosgw container id> I get this error for my radowgw request (swift post
test3  --debug)

  Would there be a way to get more debug information from radosgw to solve this 401 problem ?

  Thanks a lot,
    -Mika

  --- clip clip ----
debug 2021-01-07T10:32:42.269+0000 7f1ae111b700  1 ====== starting new request req=0x7f1b5b32a6b0 ===== debug 2021-01-07T10:32:42.269+0000 7f1ae111b700  1 op->ERRORHANDLER:
err_no=-1 new_err_no=-1
debug 2021-01-07T10:32:42.269+0000 7f1ae111b700  1 ====== req done
req=0x7f1b5b32a6b0 op status=0 http_status=401 latency=0s ====== debug 2021-01-07T10:32:42.269+0000 7f1ae111b700  1 beast: 0x7f1b5b32a6b0:
10.0.2.10 - - [2021-01-07T10:32:42.269372+0000] "POST
/swift/v1/AUTH_50f0ce372a4a4ed6a41126852358f097/test3 HTTP/1.1" 401 12 - "python-swiftclient-3.9.0" -
  --- clip clip ----


On Tue, Jan 5, 2021 at 8:00 PM Mika Saari <mika.saari@xxxxxxxxx> wrote:

> Hi,
>
>   I am using indeed OpenStack Ussuri release. I changed the "gw swift 
> account in url = true" directly with ceph config set ... command. Also 
> checked that rgw_keystone_accepted_roles is correctly set and not the 
> admin one. Also tested disabling rgw_keystone_verify_ssl.
>
>   Should radosgw communicate with keystone somehow? I can not see my 
> ceph-cluster requesting anything from keystone through any interface 
> (tcpdump checked this one). I have tested restarting the radosgw with 
> command "ceph orch restart rgw.default.ou" and seems that it brings 
> the container down and up. Not sure though it is enough to bring the 
> settings in use.q
>
>   Current status is:
>     1) swift command seems to be able to authenticate with keystone at 
> the very beginning, this is done in the client side.
>     2) swift command makes a request to radosgw and gets 401
>        INFO:swiftclient:REQ: curl -i <radosgw url
> here>/swift/v1/AUTH_<some id here>/test3 -X POST -H "X-Auth-Token: 
> here><token " -H "Content-Length: 0"
>       INFO:swiftclient:RESP STATUS: 401 Unauthorized
>
>   Thanks a lot again,
>      -Mika
>
> On Tue, Jan 5, 2021 at 11:19 AM Wissem MIMOUNA < 
> wissem.mimouna@xxxxxxxxxxxxxxxx> wrote:
>
>> Hi,
>>
>> Which version of OpenStack do you have ? I guess , since Usurri ( or 
>> may be even before ) swift authentification through keystone require 
>> the account in url . You have to add this option in 
>> "/etc/ceph/ceph.conf" , section rgw "rgw swift account in url = true" or do it via setting directly
>> . Also , I noticed you did  this ==>     3) ceph config set mgr
>> rgw_keystone_accepted_admin_roles xxxx ||  I think , you should use 
>> the option "rgw keystone accepted roles xxxx" instead.
>>
>> Regards
>>
>> -----Message d'origine-----
>> De : Mika Saari <mika.saari@xxxxxxxxx> Envoyé : mardi 5 janvier 2021 
>> 10:03 À : ceph-users@xxxxxxx Objet :  Ceph RadosGW & 
>> OpenStack swift problem
>>
>> Hi,
>>
>>   Using Ceph 15.2.8 installed with cephadm. Trying to get RadosGW to work.
>> I have managed to get the RadosGW working. I can manage it through a 
>> dashboard and use aws s3 client to create new buckets etc. When 
>> trying to use swift I get errors.
>>
>>   Not sure how to continue to track the problem here. Any tips are 
>> welcome.
>>
>>     Thank you very much,
>>       -Mika
>>
>> ------- What I have done and what are the results. Some data changed 
>> manually  -------
>>   What I have done:
>>     At OpenStack Side:
>>       1) openstack user create --domain default --password-prompt swift
>>       2) openstack role add --project service --user swift admin
>>       3) openstack endpoint create --region RegionOne object-store 
>> public https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
>>       4) openstack endpoint create --region RegionOne object-store 
>> internal 
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
>>       5) openstack endpoint create --region RegionOne object-store 
>> admin 
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1&d=
>> DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Ktt
>> b6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=bm67b3lMVeLC
>> 3sNvuyufFCe3AksJgfIgeI8SDorhHMU&e=
>>
>>   At Ceph side:
>>     1) ceph config set mgr rgw_keystone_api_version 3
>>     2) ceph config set mgr rgw_keystone_url 
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=lyXWyh-BXrikPWqWM3dcPW4ZofvjiAxnq-nXsjifnEw&e=
>>     3) ceph config set mgr rgw_keystone_accepted_admin_roles admin
>>     4) ceph config set mgr rgw_keystone_admin_user swift
>>     5) ceph config set mgr rgw_keystone_admin_password swift_test
>>     6) ceph config set mgr rgw_keystone_admin_domain default
>>     7) ceph config set mgr rgw_keystone_admin_project service
>>       for project I have tested different projects e.g. service and 
>> admin
>>
>>   Now when testing the API using swift client I get next:
>>     1) swift post test3 --debug
>>
>> DEBUG:keystoneclient.auth.identity.v3.base:Making authentication 
>> request to 
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000
>> _v3_auth_tokens&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KK
>> a6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7
>> eX4&s=-98qpMcc8sdRTdN7AwNPIyGsIK1GaFvi_SC5GtZGUpY&e=
>> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1):
>> controller:5000
>> DEBUG:urllib3.connectionpool:http://controller:5000 "POST 
>> /v3/auth/tokens HTTP/1.1" 201 7032
>>
>> . some openstack data here .
>>
>> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 
>> ceph1:80
>> DEBUG:urllib3.connectionpool:http://ceph1:80 "POST
>> /swift/v1/AUTH_adsfasdfasdfasdfasdfasdf/test3 HTTP/1.1" 401 12
>> INFO:swiftclient:REQ: curl -i
>>
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AU
>> TH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA
>> &r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U
>> 46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0
>> &e=
>> -X POST -H
>> "X-Auth-Token: <Token would be here>" -H "Content-Length: 0"
>> INFO:swiftclient:RESP STATUS: 401 Unauthorized
>>
>> and finally I get
>> Container POST failed:
>>
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AU
>> TH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA
>> &r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U
>> 46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0
>> &e=
>> 401 Unauthorized
>>   b'AccessDenied'
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an 
>> email to ceph-users-leave@xxxxxxx
>>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx




[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux