Re: Cephadm + OpenStack Keystone Authentication

Hello, 

okay I got the problem solved. 

On Ceph side: 
Don't use `mgr` in the `ceph config set ...` command. I have two RGWs, so I needed to set these commands twice.
For example: 
`ceph config set client.rgw.name.host01.xxx rgw_keystone_url XXX` 
... 
and then all these commands again for the second host: 
`ceph config set client.rgw.name.host02.xxx rgw_keystone_url XXX` 
... 
Check which WHO you have to use with `ceph config dump`. 

Make sure to set `rgw_swift_account_in_url` to `true`! 

On OpenStack side use `.../swift/v1/AUTH_%(project_id)s` instead of `.../swift/v1/AUTH_%(tenant_id)s` for all 3 interfaces (admin, public, internal). Idk why, but that also solved the problem for me. 

Greetings, 
Marcus 

------------------------------------------------- 
Marcus Bahn 
Fraunhofer-Institut für Algorithmen 
und Wissenschaftliches Rechnen - SCAI 

Schloss Birlinghoven 
53757 Sankt Augustin 
Germany 
Phone: +49 2241 14-4202 
E-Mail: marcus.bahn@xxxxxxxxxxxxxxxxxx


From: "Marcus Bahn" <marcus.bahn@xxxxxxxxxxxxxxxxxx>
To: "ceph-users" <ceph-users@xxxxxxx>
CC: "malin roth" <malin.roth@xxxxxxxxxxxxxxxxxx>, "Horst Schwichtenberg" <horst.schwichtenberg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, 13 April 2022 16:57:58
Subject: Cephadm + OpenStack Keystone Authentication

Hello everyone, 

I'm currently having a problem using Cephadm and integrating the RadosGW and Object Storage into OpenStack.
If I try to use Object Storage via Swift in OpenStack it does not work. While trying in Horizon, I simply get logged out of the admin user with the error message: "Unauthorized. Redirect to login." and "Unable to get the Swift container listing.". 
On OpenStack node to test the authentication: 
``` 
[root@xxx ~]# swift list 
Account GET failed: https://PublicIP:8080/swift/v1/AUTH_c72e4eab833447ea92816a3f9925cd0b?format=json 401 Unauthorized [first 60 chars of response] b'{"Code":"AccessDenied","RequestId":"tx0000019cf2e2cfa84bc21-' 
Failed Transaction ID: tx0000019cf2e2cfa84bc21-006256e07e-a79117-default 
``` 

All RGWs are up and running.
```
ceph orch ls
rgw.name ?:8000 2/2 61s ago 9d host01;host02
```

Just fyi, the RGWs use port 8000, but in my haproxy.cfg for my public server, I expose and use port 8080, which leads to the RGWs with port 8000. That works, as I tested that with an S3 client.

What I did: 
On OpenStack side: 
``` 
openstack service create --name=swift --description="Swift Service" object-store 
openstack endpoint create --region RegionOne object-store public "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s" 
openstack endpoint create --region RegionOne object-store internal "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s"
openstack endpoint create --region RegionOne object-store admin "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s"
``` 
And created the user `object` with a password. This user has the admin role in service project and in my project. 
The port 8080 itself is open and functioning. 


On Ceph Node: 
``` 
ceph config set mgr rgw_keystone_api_version 3 
ceph config set mgr rgw_keystone_url https://publicIP:5000 
ceph config set mgr rgw_keystone_admin_user object 
ceph config set mgr rgw_keystone_password XXX 
ceph config set mgr rgw_keystone_admin_password XXX 
ceph config set mgr rgw_keystone_admin_domain Default 
ceph config set mgr rgw_keystone_admin_project service 
ceph config set mgr rgw_keystone_accepted_roles admin,member,_member_ 
ceph config set mgr rgw_keystone_token_cache_size 100 
ceph config set mgr rgw_keystone_implicit_tenants false 
ceph config set mgr rgw_s3_auth_use_keystone true 
ceph config set mgr rgw_keystone_verify_ssl false 
ceph config set mgr rgw_swift_account_in_url true 
ceph orch redeploy rgw.xxx 
``` 


I used this documentation as reference: 
https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone
Sadly, I can't find any documentation that's Cephadm specific. Or am I overlooking something?

Does anybody have an idea what and where I did something wrong? 
Is the use of `ceph config set mgr ...` right? 

```
cephadm version
Using recent ceph image quay.io/ceph/ceph@sha256:xxx
ceph version 16.2.7 (dd0603118f56ab514f133c8d2e3adfc983942503) pacific (stable)
```

OpenStack Version: Wallaby 

I hope that everything is included that's needed. 

Thanks and best regards, 
Marcus 

------------------------------------------------- 
Marcus Bahn 
Fraunhofer-Institut für Algorithmen 
und Wissenschaftliches Rechnen - SCAI 

Schloss Birlinghoven 
53757 Sankt Augustin 
Germany 
Phone: +49 2241 14-4202 
E-Mail: marcus.bahn@xxxxxxxxxxxxxxxxxx
_______________________________________________ 
ceph-users mailing list -- ceph-users@xxxxxxx 
To unsubscribe send an email to ceph-users-leave@xxxxxxx 
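
An added example, not part of the original messages and not Ceph's own tooling: a shell audit of the plain-text `ceph config dump` output that reports Keystone options left on a non-RGW section such as `mgr`, RGW daemons that lack `rgw_keystone_url` or `rgw_swift_account_in_url true`, and any section where `rgw_keystone_verify_ssl` is `false` (RGW then accepts any certificate from the Keystone endpoint). The function names and the sample dump are constructed for illustration, and the WHO/MASK/LEVEL/OPTION/VALUE/RO column layout is an assumption about the text output.

```shell
#!/usr/bin/env bash
# Constructed sample: host01 configured, host02 forgotten, stale options left on mgr.
sample_dump() {
cat <<'EOF'
WHO                         MASK  LEVEL     OPTION                    VALUE                  RO
mgr                               advanced  rgw_keystone_url          https://publicIP:5000  *
mgr                               advanced  rgw_swift_account_in_url  true
client.rgw.name.host01.xxx        basic     rgw_frontends             beast port=8000        *
client.rgw.name.host01.xxx        advanced  rgw_keystone_url          https://publicIP:5000  *
client.rgw.name.host01.xxx        advanced  rgw_keystone_verify_ssl   false
client.rgw.name.host01.xxx        advanced  rgw_swift_account_in_url  true
client.rgw.name.host02.xxx        basic     rgw_frontends             beast port=8000        *
EOF
}

# Reads a config dump on stdin and prints one finding per line.
audit_dump() {
  awk '
    NR == 1 && $1 == "WHO" { next }               # skip the header row
    {
      who = $1; opt = ""; val = ""
      # MASK is usually empty, so locate OPTION as the field after LEVEL.
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(basic|advanced|dev|unknown)$/) { opt = $(i + 1); val = $(i + 2); break }
      if (opt == "") next
      if (who ~ /^client\.rgw\./) {
        if (!(who in seen)) { seen[who] = 1; order[++n] = who }
        cfg[who, opt] = val
      } else if (opt ~ /^rgw_(keystone_|swift_account_in_url$|s3_auth_use_keystone$)/) {
        print "MISPLACED", who, opt                # set on a section RGW does not read
      }
      if (opt == "rgw_keystone_verify_ssl" && val == "false") print "TLS_VERIFY_OFF", who
    }
    END {
      # Every RGW daemon section needs its own copy of the settings.
      for (k = 1; k <= n; k++) {
        w = order[k]
        if (!((w, "rgw_keystone_url") in cfg)) print "MISSING", w, "rgw_keystone_url"
        if (cfg[w, "rgw_swift_account_in_url"] != "true")
          print "MISSING", w, "rgw_swift_account_in_url=true"
      }
    }'
}

sample_dump | audit_dump    # on a cluster: ceph config dump | audit_dump
```
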