Hello,

okay, I got the problem solved.

On Ceph side:
Don't use mgr in the `ceph config set ...` command.
I have two RGWs, so I needed to set these commands twice. For example:
`ceph config set client.rgw.name.host01.xxx rgw_keystone_url XXX`
...
and then all these commands again for the second host:
`ceph config set client.rgw.name.host02.xxx rgw_keystone_url XXX`
...
Check which WHO you have to use with `ceph config dump`.
Make sure to set `rgw_swift_account_in_url` to `true`!

On OpenStack side use `.../swift/v1/AUTH_%(project_id)s` instead of `.../swift/v1/AUTH_%(tenant_id)s` for all 3 interfaces (admin, public, internal).
Idk why, but that also solved the problem for me.

Greetings,
Marcus

-------------------------------------------------
Marcus Bahn
Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen - SCAI
Schloss Birlinghoven
53757 Sankt Augustin
Germany
Phone: +49 2241 14-4202
E-Mail: marcus.bahn@xxxxxxxxxxxxxxxxxx

From: "Marcus Bahn" <marcus.bahn@xxxxxxxxxxxxxxxxxx>
To: "ceph-users" <ceph-users@xxxxxxx>
CC: "malin roth" <malin.roth@xxxxxxxxxxxxxxxxxx>, "Horst Schwichtenberg" <horst.schwichtenberg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, 13 April 2022 16:57:58
Subject: Cephadm + OpenStack Keystone Authentication

Hello everyone,

I'm currently having a problem using Cephadm and integrating the RadosGW and Object Storage into OpenStack.

If I try to use Object Storage via Swift in OpenStack, it does not work. While trying in Horizon, I simply get logged out of the admin user with the error messages "Unauthorized. Redirect to login." and "Unable to get the Swift container listing.".

On OpenStack node to test the authentication:

```
[root@xxx ~]# swift list
Account GET failed: https://PublicIP:8080/swift/v1/AUTH_c72e4eab833447ea92816a3f9925cd0b?format=json 401 Unauthorized [first 60 chars of response] b'{"Code":"AccessDenied","RequestId":"tx0000019cf2e2cfa84bc21-'
Failed Transaction ID: tx0000019cf2e2cfa84bc21-006256e07e-a79117-default
```

All RGWs are up and running.

```
ceph orch ls
rgw.name ?:8000 2/2 61s ago 9d host01;host02
```

Just fyi, the RGWs use port 8000, but in the haproxy.cfg for my public server, I expose and use port 8080, which leads to the RGWs on port 8000. That works, as I tested that with an S3 client.

What I did:

On OpenStack side:

```
openstack service create --name=swift --description="Swift Service" object-store
openstack endpoint create --region RegionOne object-store public "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s"
openstack endpoint create --region RegionOne object-store internal "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s"
openstack endpoint create --region RegionOne object-store admin "https://publicIP:8080/swift/v1/AUTH_%(tenant_id)s"
```

And created the user `object` with a password. This user has the admin role in the service project and in my project. The port 8080 itself is open and functioning.

On Ceph Node:

```
ceph config set mgr rgw_keystone_api_version 3
ceph config set mgr rgw_keystone_url https://publicIP:5000
ceph config set mgr rgw_keystone_admin_user object
ceph config set mgr rgw_keystone_password XXX
ceph config set mgr rgw_keystone_admin_password XXX
ceph config set mgr rgw_keystone_admin_domain Default
ceph config set mgr rgw_keystone_admin_project service
ceph config set mgr rgw_keystone_accepted_roles admin,member,_member_
ceph config set mgr rgw_keystone_token_cache_size 100
ceph config set mgr rgw_keystone_implicit_tenants false
ceph config set mgr rgw_s3_auth_use_keystone true
ceph config set mgr rgw_keystone_verify_ssl false
ceph config set mgr rgw_swift_account_in_url true
ceph orch redeploy rgw.xxx
```

I used this documentation as reference: https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone

Sadly, I can't find any documentation that's CephAdm specific. Or am I overlooking something?

Does anybody have an idea what and where I did something wrong?
Is the use of `ceph config set mgr ...` right?

```
cephadm version
Using recent ceph image quay.io/ceph/ceph@sha256:xxx
ceph version 16.2.7 (dd0603118f56ab514f133c8d2e3adfc983942503) pacific (stable)
```

OpenStack Version: Wallaby

I hope that everything is included that's needed.

Thanks and best regards,
Marcus

-------------------------------------------------
Marcus Bahn
Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen - SCAI
Schloss Birlinghoven
53757 Sankt Augustin
Germany
Phone: +49 2241 14-4202
E-Mail: marcus.bahn@xxxxxxxxxxxxxxxxxx

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
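
Added example, not part of the original thread and not Ceph's own code: a Python check for the fix described in the reply at the top. It reads the output of `ceph config dump --format json` and reports Keystone options set on a WHO that no RGW daemon reads (such as `mgr`), plus RGW daemons that lack `rgw_keystone_url` or `rgw_swift_account_in_url` set to `true`. The JSON keys (`section`, `name`, `value`), the daemon names and the sample dump are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `ceph config dump --format json`.
# Assumption: each entry carries "section" (the WHO), "name" and "value".
SAMPLE_DUMP = json.dumps([
    {"section": "mgr", "name": "rgw_keystone_url", "value": "https://keystone.example:5000"},
    {"section": "mgr", "name": "rgw_swift_account_in_url", "value": "true"},
    {"section": "client.rgw.name.host01.aaa", "name": "rgw_keystone_url",
     "value": "https://keystone.example:5000"},
    {"section": "client.rgw.name.host01.aaa", "name": "rgw_swift_account_in_url",
     "value": "true"},
    {"section": "client.rgw.name.host02.bbb", "name": "rgw_frontends",
     "value": "beast port=8000"},
])
# Placeholder daemon names; take the real WHO values from `ceph config dump`.
SAMPLE_DAEMONS = ["client.rgw.name.host01.aaa", "client.rgw.name.host02.bbb"]

KEYSTONE_PREFIXES = ("rgw_keystone_", "rgw_s3_auth_use_keystone", "rgw_swift_account_in_url")


def applies_to(section, daemon):
    """True if options in `section` reach `daemon`: global, exact name, or dotted prefix."""
    return section == "global" or daemon == section or daemon.startswith(section + ".")


def audit(dump_json, daemons):
    """Return findings for Keystone options on the wrong WHO or missing per RGW daemon."""
    entries = [e for e in json.loads(dump_json) if e["name"].startswith(KEYSTONE_PREFIXES)]
    # Less specific sections first so a daemon-level value overrides an inherited one.
    # Masks (host/class restrictions) are ignored in this sketch.
    entries.sort(key=lambda e: (e["section"] != "global", e["section"].count(".")))
    findings = []
    for e in entries:
        if not any(applies_to(e["section"], d) for d in daemons):
            findings.append(f"{e['name']} is set on '{e['section']}', which no listed RGW reads")
    for d in daemons:
        effective = {e["name"]: e["value"] for e in entries if applies_to(e["section"], d)}
        if "rgw_keystone_url" not in effective:
            findings.append(f"{d}: rgw_keystone_url is not set")
        if effective.get("rgw_swift_account_in_url") != "true":
            findings.append(f"{d}: rgw_swift_account_in_url is not true")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DUMP, SAMPLE_DAEMONS):
        print(line)
```

On the constructed sample this reports the two options left on `mgr` and the two settings missing on the second RGW daemon.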