I'm in the process of adding the radosgw service to our OpenStack cloud
and hoping to re-use keystone for discovery and auth. Things seem to
work fine with many keystone tenants, but as soon as we try to do
something in a project with a '-' in its name everything fails.
Here's an example, using the openstack swift cli:

root@cloudcontrol2001-dev:~# OS_PROJECT_ID="testlabs" openstack container create 'makethiscontainer'
+---------------+-------------------+----------------------------------------------------+
| account       | container         | x-trans-id                                         |
+---------------+-------------------+----------------------------------------------------+
| AUTH_testlabs | makethiscontainer | tx0000008c311dbda86c695-0064ac5fad-6927acd-default |
+---------------+-------------------+----------------------------------------------------+

root@cloudcontrol2001-dev:~# OS_PROJECT_ID="service" openstack container create 'makethiscontainer'
+--------------+-------------------+----------------------------------------------------+
| account      | container         | x-trans-id                                         |
+--------------+-------------------+----------------------------------------------------+
| AUTH_service | makethiscontainer | tx00000b341a22866f65e44-0064ac5fb7-6927acd-default |
+--------------+-------------------+----------------------------------------------------+

root@cloudcontrol2001-dev:~# OS_PROJECT_ID="admin-monitoring" openstack container create 'makethiscontainer'
Bad Request (HTTP 400) (Request-ID: tx00000f7326bb541b4d2a9-0064ac5fc2-6927acd-default)

Before I dive into the source code, is this a known issue and/or
something I can configure? Dash-named-projects work fine in keystone and
seem to also work fine with standalone rados; I assume the issue is
somewhere in the communication between the two. I suspected the implicit
user creation code, but that seems to be working properly:

# radosgw-admin user list
[
    "cloudvirt-canary$cloudvirt-canary",
    "testlabs$testlabs",
    "paws-dev$paws-dev",
    "andrewtestproject$andrewtestproject",
    "admin-monitoring$admin-monitoring",
    "taavi-test-project$taavi-test-project",
    "admin$admin",
    "taavitestproject$taavitestproject",
    "bastioninfra-codfw1dev$bastioninfra-codfw1dev",
]

Here is the radosgw section of my ceph.conf:
[client.radosgw]
host = 10.192.20.9
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw frontends = "civetweb port=18080"
rgw_keystone_verify_ssl = false
rgw_keystone_api_version = 3
rgw_keystone_url = https://openstack.codfw1dev.wikimediacloud.org:25000
rgw_keystone_accepted_roles = 'reader, admin, member'
rgw_keystone_implicit_tenants = true
rgw_keystone_admin_domain = default
rgw_keystone_admin_project = service
rgw_keystone_admin_user = swift
rgw_keystone_admin_password = (redacted)
rgw_s3_auth_use_keystone = true
rgw_swift_account_in_url = true
rgw_user_default_quota_max_objects = 4096
rgw_user_default_quota_max_size = 8589934592
And here's a debug log of a failed transaction:
https://phabricator.wikimedia.org/P49539
Thanks in advance!
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx