Re: RGW cannot list or create openidconnect providers

Hi,

Have you added oidc-provider caps to the user that is trying to create the
OpenID Connect provider / list OpenID Connect providers, in your case the
user which has the access key 'L70QT3LN71SQXWHS97Y4'?
(https://docs.ceph.com/en/quincy/radosgw/oidc/)

Thanks,
Pritha

On Fri, Feb 17, 2023 at 4:54 AM <mat@xxxxxxxxxx> wrote:

> Hello,
>
> I'm attempting to set up an OpenID Connect provider with RGW. I'm doing this
> using the boto3 API & Python. However, it seems that the APIs are failing in
> some unexpected ways because radosgw was not set up correctly. There is
> sample code below, and yes, I know there are "secrets" in it - but this is
> an offline test lab so I am fine with this.
>
> The first error shows this in the logs.
>
> 2023-02-16T00:45:26.860-0500 7fe19fef7700  1 ====== starting new request
> req=0x7fe2ccb54680 =====
> 2023-02-16T00:45:26.904-0500 7fe19def3700  0 req 17562030806519127926
> 0.044000439s ERROR: listing filtered objects failed: OIDC pool:
> default.rgw.meta: oidc_url.: (2) No such file or directory
> 2023-02-16T00:45:26.904-0500 7fe19aeed700  1 ====== req done
> req=0x7fe2ccb54680 op status=-2 http_status=404 latency=0.044000439s ======
> 2023-02-16T00:45:26.904-0500 7fe19aeed700  1 beast: 0x7fe2ccb54680:
> 10.20.104.178 - authentik [16/Feb/2023:00:45:26.860 -0500] "POST /
> HTTP/1.1" 404 189 - "Boto3/1.26.71 Python/3.11.1
> Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.044000439s
>
> So the object "oidc_url" is missing from the "default.rgw.meta" pool?
>
> rados --pool default.rgw.meta ls --all
> users.uid       root.buckets
> users.uid       authentik.buckets
> root    test4
> root    .bucket.meta.test2:3866fac0-854b-48b5-b3b7-bf84a166a404.1165645.1
> users.keys      ZVBTLTYRRPY7JU39WOR9
> users.uid       authentik
> users.uid       cephadmin
> users.keys      NIVIV0JSKD9D2LDC3IH4
> users.uid       root
> users.email     tester@xxxxxxx
> users.keys      L70QT3LN71SQXWHS97Y4
> root    .bucket.meta.test:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.1
> root    .bucket.meta.test4:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.2
> root    test
> root    test2
>
> Well the object is clearly not there and I do not know how to fix this.
>
> The second error produces this error in the log:
>
> 2023-02-16T01:11:29.304-0500 7fe1976e6700  1 ====== starting new request
> req=0x7fe2ccb54680 =====
> 2023-02-16T01:11:29.312-0500 7fe18c6d0700  1 ====== req done
> req=0x7fe2ccb54680 op status=-22 http_status=400 latency=0.008000083s ======
> 2023-02-16T01:11:29.312-0500 7fe18c6d0700  1 beast: 0x7fe2ccb54680:
> 10.20.104.178 - authentik [16/Feb/2023:01:11:29.304 -0500] "POST /
> HTTP/1.1" 400 189 - "Boto3/1.26.71 Python/3.11.1
> Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.008000083s
>
> It's much less clear what is going on here; it just returns 400. Boto
> raises this exception: "botocore.exceptions.ClientError: An error occurred
> (Unknown) when calling the CreateOpenIDConnectProvider operation: Unknown".
>
> Has anyone seen this before and knows how to set up the correct objects for
> OpenID Connect?
>
> Version info
> ==============================================
> ceph version 17.2.5 (e04241aa9b639588fa6c864845287d2824cb6b55) quincy
> (stable)
>
>
> Examples below
> ==============================================
>
> import boto3
>
> # creating the client works fine - I can see my user authenticate in the
> # radosgw logs
> access_key_id = 'L70QT3LN71SQXWHS97Y4'
> secret_access_key = 'QEXLa5V0Zm38068n3goDtm8V6WlaDwxVmAq9W2XV'
> iam = boto3.client('iam',
>   aws_access_key_id=access_key_id,
>   aws_secret_access_key=secret_access_key,
>   region_name="default",
>   endpoint_url="https://s3.lab")
>
> # First error
> providers_response = iam.list_open_id_connect_providers()
>
> # Second Error
> oidc_response = iam.create_open_id_connect_provider(
>   # Issuer URL
>   Url="https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c/",
>   ClientIDList=['authentik'],
>   ThumbprintList=['BDCC44F40254E7E1258DA4698833FFE2E8AECA3D3799044D8A1F97F7DFF20511'])
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
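As an added example (not code from this thread or from Ceph), a small Python helper around the quoted boto3 calls: it derives an IAM-style thumbprint (the SHA-1 of the DER-encoded certificate, 40 hex characters, as AWS IAM defines it) from a PEM certificate and checks the CreateOpenIDConnectProvider inputs locally before sending them, flagging any thumbprint that is not 40 hex characters, which the 64-character value in the quoted request is not. SAMPLE_DER/SAMPLE_PEM are constructed bytes standing in for a certificate; the caps command in the comment is the one from the linked Ceph OIDC docs page, and `iam` is assumed to be a boto3 IAM client like the one in the quoted post.

```python
import base64
import hashlib
import re

# Caps the user needs first (command from the Ceph OIDC docs):
#   radosgw-admin caps add --uid=<uid> --caps="oidc-provider=*"

# Constructed sample: arbitrary bytes standing in for a DER certificate,
# wrapped as PEM, so the helpers can be exercised offline.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

def thumbprint_from_der(der: bytes) -> str:
    """IAM-style thumbprint: SHA-1 of the DER certificate, 40 upper-case hex chars."""
    return hashlib.sha1(der).hexdigest().upper()

def thumbprint_from_pem(pem: str) -> str:
    """Strip the PEM armour, base64-decode the body and hash the resulting DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return thumbprint_from_der(base64.b64decode("".join(body.split())))

def validate_provider_request(url, client_ids, thumbprints):
    """Return the problems found in a CreateOpenIDConnectProvider request;
    an empty list means the inputs look well-formed."""
    problems = []
    if not url.startswith("https://"):
        problems.append("Url must be an https:// issuer URL")
    if not client_ids:
        problems.append("ClientIDList must not be empty")
    if not thumbprints:
        problems.append("ThumbprintList must not be empty")
    for tp in thumbprints:
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", tp):
            problems.append(f"thumbprint {tp[:8]}... is not 40 hex chars (SHA-1)")
    return problems

def create_provider(iam, url, client_ids, thumbprints):
    """Validate locally first, then issue the IAM call against RGW (boto3 client)."""
    problems = validate_provider_request(url, client_ids, thumbprints)
    if problems:
        raise ValueError("; ".join(problems))
    return iam.create_open_id_connect_provider(
        Url=url, ClientIDList=client_ids, ThumbprintList=thumbprints)
```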