Hi,

Have you added oidc-provider caps to the user that is trying to create the OpenID Connect provider / list OpenID Connect providers, in your case the user which has the access key 'L70QT3LN71SQXWHS97Y4'? (https://docs.ceph.com/en/quincy/radosgw/oidc/)

Thanks,
Pritha

On Fri, Feb 17, 2023 at 4:54 AM <mat@xxxxxxxxxx> wrote:
> Hello,
>
> I'm attempting to set up an OpenIDConnect provider with RGW. I'm doing this
> using the boto3 API & Python. However it seems that the APIs are failing in
> some unexpected ways because radosgw was not set up correctly. There is
> sample code below, and yes, I know there are "secrets" in it - but this is
> an offline test lab so I am fine with this.
>
> The first error shows this in the logs.
>
> 2023-02-16T00:45:26.860-0500 7fe19fef7700 1 ====== starting new request
> req=0x7fe2ccb54680 =====
> 2023-02-16T00:45:26.904-0500 7fe19def3700 0 req 17562030806519127926
> 0.044000439s ERROR: listing filtered objects failed: OIDC pool:
> default.rgw.meta: oidc_url.: (2) No such file or directory
> 2023-02-16T00:45:26.904-0500 7fe19aeed700 1 ====== req done
> req=0x7fe2ccb54680 op status=-2 http_status=404 latency=0.044000439s ======
> 2023-02-16T00:45:26.904-0500 7fe19aeed700 1 beast: 0x7fe2ccb54680:
> 10.20.104.178 - authentik [16/Feb/2023:00:45:26.860 -0500] "POST /
> HTTP/1.1" 404 189 - "Boto3/1.26.71 Python/3.11.1
> Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.044000439s
>
> So the object "oidc_url" is missing from the "default.rgw.meta" pool?
>
> rados --pool default.rgw.meta ls --all
> users.uid root.buckets
> users.uid authentik.buckets
> root test4
> root .bucket.meta.test2:3866fac0-854b-48b5-b3b7-bf84a166a404.1165645.1
> users.keys ZVBTLTYRRPY7JU39WOR9
> users.uid authentik
> users.uid cephadmin
> users.keys NIVIV0JSKD9D2LDC3IH4
> users.uid root
> users.email tester@xxxxxxx
> users.keys L70QT3LN71SQXWHS97Y4
> root .bucket.meta.test:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.1
> root .bucket.meta.test4:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.2
> root test
> root test2
>
> Well, the object is clearly not there and I do not know how to fix this.
>
> The second error produces this error in the log:
>
> 2023-02-16T01:11:29.304-0500 7fe1976e6700 1 ====== starting new request
> req=0x7fe2ccb54680 =====
> 2023-02-16T01:11:29.312-0500 7fe18c6d0700 1 ====== req done
> req=0x7fe2ccb54680 op status=-22 http_status=400 latency=0.008000083s ======
> 2023-02-16T01:11:29.312-0500 7fe18c6d0700 1 beast: 0x7fe2ccb54680:
> 10.20.104.178 - authentik [16/Feb/2023:01:11:29.304 -0500] "POST /
> HTTP/1.1" 400 189 - "Boto3/1.26.71 Python/3.11.1
> Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.008000083s
>
> It's much less clear what is going on here, it just returns 400. Boto
> raises this exception, "botocore.exceptions.ClientError: An error occurred
> (Unknown) when calling the CreateOpenIDConnectProvider operation: Unknown".
>
> Has anyone seen this before and know how to set up the correct objects for
> OpenidConnect?
>
> Version info
> ==============================================
> ceph version 17.2.5 (e04241aa9b639588fa6c864845287d2824cb6b55) quincy
> (stable)
>
>
> Examples below
> ==============================================
>
> import boto3
>
> # creating the client works fine - I can see my user authenticate in the
> # radosgw logs
> access_key_id = 'L70QT3LN71SQXWHS97Y4'
> secret_access_key = 'QEXLa5V0Zm38068n3goDtm8V6WlaDwxVmAq9W2XV'
> iam = boto3.client('iam',
>                    aws_access_key_id=access_key_id,
>                    aws_secret_access_key=secret_access_key,
>                    region_name="default",
>                    endpoint_url="https://s3.lab")
>
> # First error
> providers_response = iam.list_open_id_connect_providers()
>
> # Second Error
> oidc_response = iam.create_open_id_connect_provider(
>     # Issuer URL
>     Url="https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c/",
>     ClientIDList=['authentik'],
>     ThumbprintList=['BDCC44F40254E7E1258DA4698833FFE2E8AECA3D3799044D8A1F97F7DFF20511'])
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
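The check Pritha's reply points to, as an added example that is not code from this thread or from Ceph: the script below reads an RGW user's record, reports whether the oidc-provider cap covers the IAM OIDC calls the original post makes (list needs read, create needs write, and `*` covers both), and prints the `radosgw-admin caps add` command from the linked Ceph OIDC documentation when it does not. It assumes the JSON layout of `radosgw-admin user info --uid=<uid> --format=json` (a `caps` array of `{"type": ..., "perm": ...}` objects with perm values `read`, `write`, `read, write` or `*`), takes the uid `authentik` from the beast log line in the thread (an assumption), and by default runs against a constructed sample record rather than a live cluster.

```python
"""Check an RGW user's 'oidc-provider' cap before calling the IAM OIDC APIs.

Added example for this thread, not code from the original post or from Ceph.
Assumptions: `radosgw-admin user info --uid=<uid> --format=json` emits a
"caps" array of {"type": ..., "perm": ...} objects, with perm being "read",
"write", "read, write" or "*"; the uid 'authentik' is taken from the beast
log line quoted in the thread.
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional

# IAM OIDC operations used in the thread and the permission each needs on
# the oidc-provider cap (list/get -> read, create/delete -> write).
REQUIRED_PERM: Dict[str, str] = {
    "ListOpenIDConnectProviders": "read",
    "GetOpenIDConnectProvider": "read",
    "CreateOpenIDConnectProvider": "write",
    "DeleteOpenIDConnectProvider": "write",
}

# Constructed sample of `radosgw-admin user info` output: the user exists
# (access key from the thread) but holds no oidc-provider cap at all.
SAMPLE_USER_INFO = """
{
  "user_id": "authentik",
  "display_name": "authentik",
  "keys": [
    {"user": "authentik", "access_key": "L70QT3LN71SQXWHS97Y4", "secret_key": "<redacted>"}
  ],
  "caps": [
    {"type": "users", "perm": "read"}
  ]
}
"""


def sample_user_info() -> dict:
    """Parsed form of the constructed sample record above."""
    return json.loads(SAMPLE_USER_INFO)


def oidc_perm(user_info: dict) -> Optional[str]:
    """Return the perm string of the oidc-provider cap, or None if the cap is absent."""
    for cap in user_info.get("caps", []):
        if cap.get("type") == "oidc-provider":
            return cap.get("perm")
    return None


def allows(perm: Optional[str], needed: str) -> bool:
    """True if a cap perm string ("*", "read", "write", "read, write") grants `needed`."""
    if perm is None:
        return False
    if perm.strip() == "*":
        return True
    granted = {p.strip() for p in perm.split(",")}
    return needed in granted


def missing_caps(user_info: dict, ops: List[str]) -> List[str]:
    """Operations from `ops` the user cannot perform with its current oidc-provider cap."""
    perm = oidc_perm(user_info)
    return [op for op in ops if not allows(perm, REQUIRED_PERM[op])]


def remediation(uid: str, perm: str = "*") -> str:
    """The radosgw-admin command from the Ceph OIDC docs that grants the cap."""
    return f'radosgw-admin caps add --uid="{uid}" --caps="oidc-provider={perm}"'


def load_user_info(uid: str) -> dict:
    """Live path: read the user's record from radosgw-admin (needs a Ceph admin keyring)."""
    out = subprocess.check_output(
        ["radosgw-admin", "user", "info", f"--uid={uid}", "--format=json"]
    )
    return json.loads(out)


def main(argv: List[str]) -> int:
    uid = "authentik"  # assumed from the beast log line in the thread
    info = load_user_info(uid) if "--live" in argv else sample_user_info()
    ops = ["ListOpenIDConnectProviders", "CreateOpenIDConnectProvider"]
    blocked = missing_caps(info, ops)
    if not blocked:
        print(f"user {uid}: oidc-provider={oidc_perm(info)} covers {', '.join(ops)}")
        return 0
    print(f"user {uid}: oidc-provider cap {oidc_perm(info)!r} does not cover: {', '.join(blocked)}")
    print("fix:", remediation(uid))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the sample case, or with `--live` on a node that has a Ceph admin keyring to check the real user. Granting only `oidc-provider=read` is enough for the listing call that produced the 404 but not for the create call that produced the 400, which is why the check maps each operation to a separate permission instead of just testing for the cap's presence.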