Hi,
The radosgw should have a dedicated user (different from you swift user) for authentifiation with keystone ( openstack) in the project "service" and you should also add the role "_member_" in the rgw_keystone_accepted_roles.
Regards
-----Message d'origine-----
De : Mika Saari <mika.saari@xxxxxxxxx>
Envoyé : jeudi 7 janvier 2021 11:35
À : ceph-users@xxxxxxx
Objet : Re: Ceph RadosGW & OpenStack swift problem
Hi,
I have added debug_rgw 20 to configuration. When checking docker logs -f <radosgw container id> I get this error for my radowgw request (swift post
test3 --debug)
Would there be a way to get more debug information from radosgw to solve this 401 problem ?
Thanks a lot,
-Mika
--- clip clip ----
debug 2021-01-07T10:32:42.269+0000 7f1ae111b700 1 ====== starting new request req=0x7f1b5b32a6b0 ===== debug 2021-01-07T10:32:42.269+0000 7f1ae111b700 1 op->ERRORHANDLER:
err_no=-1 new_err_no=-1
debug 2021-01-07T10:32:42.269+0000 7f1ae111b700 1 ====== req done
req=0x7f1b5b32a6b0 op status=0 http_status=401 latency=0s ====== debug 2021-01-07T10:32:42.269+0000 7f1ae111b700 1 beast: 0x7f1b5b32a6b0:
10.0.2.10 - - [2021-01-07T10:32:42.269372+0000] "POST
/swift/v1/AUTH_50f0ce372a4a4ed6a41126852358f097/test3 HTTP/1.1" 401 12 - "python-swiftclient-3.9.0" -
--- clip clip ----
On Tue, Jan 5, 2021 at 8:00 PM Mika Saari <mika.saari@xxxxxxxxx> wrote:
> Hi,
>
> I am using indeed OpenStack Ussuri release. I changed the "gw swift
> account in url = true" directly with ceph config set ... command. Also
> checked that rgw_keystone_accepted_roles is correctly set and not the
> admin one. Also tested disabling rgw_keystone_verify_ssl.
>
> Should radosgw communicate with keystone somehow? I can not see my
> ceph-cluster requesting anything from keystone through any interface
> (tcpdump checked this one). I have tested restarting the radosgw with
> command "ceph orch restart rgw.default.ou" and seems that it brings
> the container down and up. Not sure though it is enough to bring the
> settings in use.q
>
> Current status is:
> 1) swift command seems to be able to authenticate with keystone at
> the very beginning, this is done in the client side.
> 2) swift command makes a request to radosgw and gets 401
> INFO:swiftclient:REQ: curl -i <radosgw url
> here>/swift/v1/AUTH_<some id here>/test3 -X POST -H "X-Auth-Token:
> here><token " -H "Content-Length: 0"
> INFO:swiftclient:RESP STATUS: 401 Unauthorized
>
> Thanks a lot again,
> -Mika
>
> On Tue, Jan 5, 2021 at 11:19 AM Wissem MIMOUNA <
> wissem.mimouna@xxxxxxxxxxxxxxxx> wrote:
>
>> Hi,
>>
>> Which version of OpenStack do you have ? I guess , since Usurri ( or
>> may be even before ) swift authentification through keystone require
>> the account in url . You have to add this option in
>> "/etc/ceph/ceph.conf" , section rgw "rgw swift account in url = true" or do it via setting directly
>> . Also , I noticed you did this ==> 3) ceph config set mgr
>> rgw_keystone_accepted_admin_roles xxxx || I think , you should use
>> the option "rgw keystone accepted roles xxxx" instead.
>>
>> Regards
>>
>> -----Message d'origine-----
>> De : Mika Saari <mika.saari@xxxxxxxxx> Envoyé : mardi 5 janvier 2021
>> 10:03 À : ceph-users@xxxxxxx Objet : Ceph RadosGW &
>> OpenStack swift problem
>>
>> Hi,
>>
>> Using Ceph 15.2.8 installed with cephadm. Trying to get RadosGW to work.
>> I have managed to get the RadosGW working. I can manage it through a
>> dashboard and use aws s3 client to create new buckets etc. When
>> trying to use swift I get errors.
>>
>> Not sure how to continue to track the problem here. Any tips are
>> welcome.
>>
>> Thank you very much,
>> -Mika
>>
>> ------- What I have done and what are the results. Some data changed
>> manually -------
>> What I have done:
>> At OpenStack Side:
>> 1) openstack user create --domain default --password-prompt swift
>> 2) openstack role add --project service --user swift admin
>> 3) openstack endpoint create --region RegionOne object-store
>> public https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
>> 4) openstack endpoint create --region RegionOne object-store
>> internal
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AUTH-5F-25-255C-28project-5Fid-255C-29s&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=-1FtdhjTcNA8jPSUoyoUfsPl5uqTqu4I_ThTOJNLjtg&e=
>> 5) openstack endpoint create --region RegionOne object-store
>> admin
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1&d=
>> DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Ktt
>> b6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=bm67b3lMVeLC
>> 3sNvuyufFCe3AksJgfIgeI8SDorhHMU&e=
>>
>> At Ceph side:
>> 1) ceph config set mgr rgw_keystone_api_version 3
>> 2) ceph config set mgr rgw_keystone_url
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7eX4&s=lyXWyh-BXrikPWqWM3dcPW4ZofvjiAxnq-nXsjifnEw&e=
>> 3) ceph config set mgr rgw_keystone_accepted_admin_roles admin
>> 4) ceph config set mgr rgw_keystone_admin_user swift
>> 5) ceph config set mgr rgw_keystone_admin_password swift_test
>> 6) ceph config set mgr rgw_keystone_admin_domain default
>> 7) ceph config set mgr rgw_keystone_admin_project service
>> for project I have tested different projects e.g. service and
>> admin
>>
>> Now when testing the API using swift client I get next:
>> 1) swift post test3 --debug
>>
>> DEBUG:keystoneclient.auth.identity.v3.base:Making authentication
>> request to
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__controller-3A5000
>> _v3_auth_tokens&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA&r=h1fIFv3Ydv-kdH6KK
>> a6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U46oD9d1KMRwdpbF9VLg7
>> eX4&s=-98qpMcc8sdRTdN7AwNPIyGsIK1GaFvi_SC5GtZGUpY&e=
>> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1):
>> controller:5000
>> DEBUG:urllib3.connectionpool:http://controller:5000 "POST
>> /v3/auth/tokens HTTP/1.1" 201 7032
>>
>> . some openstack data here .
>>
>> DEBUG:urllib3.connectionpool:Starting new HTTP connection (1):
>> ceph1:80
>> DEBUG:urllib3.connectionpool:http://ceph1:80 "POST
>> /swift/v1/AUTH_adsfasdfasdfasdfasdfasdf/test3 HTTP/1.1" 401 12
>> INFO:swiftclient:REQ: curl -i
>>
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AU
>> TH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA
>> &r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U
>> 46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0
>> &e=
>> -X POST -H
>> "X-Auth-Token: <Token would be here>" -H "Content-Length: 0"
>> INFO:swiftclient:RESP STATUS: 401 Unauthorized
>>
>> and finally I get
>> Container POST failed:
>>
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__ceph1_swift_v1_AU
>> TH-5Fadsfasdfasdfasdfasdfasdf_test3&d=DwICAg&c=1tDFxPZjcWEmlmmx4CZtyA
>> &r=h1fIFv3Ydv-kdH6KKa6lmB20LbjUiXP9Kttb6tTs__E&m=EmlYLMTNHaWmSJrApw1U
>> 46oD9d1KMRwdpbF9VLg7eX4&s=g1inMAENxiOpxc4L8FlmbLypegdcQwgH8drm6aoESZ0
>> &e=
>> 401 Unauthorized
>> b'AccessDenied'
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an
>> email to ceph-users-leave@xxxxxxx
>>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
