Hi,
there have been multiple discussions on this list without any
satisfying solution for all possible configurations. One of the
changes [1] made in Pacific was to use hostname instead of IP, but it
only uses the shortname (you can check the "hostname" in 'ceph service
dump' output). But this seems to only impact the dashboard access if
you have ssl-verify set to true. I'm still waiting for a solution as
well for a customer cluster which uses wildcard certificates only,
until then we leave ssl-verify disabled. But I didn't check the tracker
for any pending tickets, so someone might be working on it.
Regards,
Eugen
[1] https://github.com/ceph/ceph/pull/47207/files
Quoting Christopher Durham <caduceus42@xxxxxxx>:
Hi,
I am using 17.2.6 on Rocky Linux 8
The ceph mgr dashboard, in my situation, (bare metal install,
upgraded from 15->16-> 17.2.6), can no longer hit the
ObjectStore->(Daemons,Users,Buckets) pages.
When I try to hit those pages, it gives an error:
RGW REST API failed request with status code 403 {"Code":
"AccessDenied", RequestId: "xxxxxxx", HostId: "yyyy-<my zone>"}
The log of the rgw server it hit has:
"GET /admin/metadata/user?myself HTTP/1.1" 403 125
It appears that the mgr dashboard setting RGW_API_HOST is no longer
an option that can be set, nor does that name exist anywhere under
/usr/share/ceph/mgr/dashboard, and:
# ceph dashboard set-rgw-api-host <host>
is no longer in existence in 17.2.6
However, since my situation is an upgrade, the config value still
exists in my config, and I can retrieve it with:
# ceph dashboard get-rgw-api-host
To get this to work in my situation, I have modified
/usr/share/ceph/mgr/dashboard/settings.py and re-added RGW_API_HOST
to the Options class using
RGW_API_HOST = Settings('', [dict,str])
I then modified
/usr/share/ceph/mgr/dashboard/services/rgw_request.py such that each
rgw daemon retrieved has its 'host' member set to
Settings.RGW_API_HOST.
Then after restarting the mgr, I was able to access the
Objectstore->(Daemons,Users,Buckets) pages in the dashboard.
HOWEVER, I know this is NOT the right way to fix this, it is a hack.
It seems like the dashboard is trying to contact an rgw server
individually. For us, the RGW_API_HOST is
a name in DNS: s3.my.dom, that has multiple A records, one for each
of our rgw servers, each of which has the *same* SSL cert with CN
and SubjectAltNames that allow
the cert to present itself as both s3.my.dom as well as the
individual host name (SubjectAltName has ALL the rgw servers in it).
This works well for us and has
done so since 15.x.y. The endpoint for the zone is set to s3.my.dom.
Thus my users only have a single endpoint to care about, unless
there is a failure situation on an rgw server. (We have other ways of
handling that).
Any thoughts on the CORRECT way to handle this so I can have the
ceph dashboard work with the ObjectStore->(Daemons,Users,Buckets)
pages? Thanks.
-Chris
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
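
Added example (not part of the thread, and not Ceph code): a small RFC 6125-style name matcher showing why a short hostname fails certificate verification when ssl-verify is true, for both a wildcard certificate and a multi-SAN certificate like the one described above. The names rgw1/rgw2, the wildcard entry *.my.dom and the assumption that the SAN entries are FQDNs are constructed for illustration; only s3.my.dom comes from the thread.

```python
# Added example: constructed certificate names, not from a real cluster.

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' is accepted only as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative rule: a wildcard must sit under at least two
        # further labels, and the remaining labels must match exactly.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify(sans, host):
    """True if any subjectAltName entry covers the name being contacted."""
    return any(san_matches(s, host) for s in sans)


# Assumed SAN lists (constructed): a wildcard-only certificate and a
# certificate listing the shared endpoint plus each gateway's FQDN.
CERTS = {
    "wildcard": ["*.my.dom"],
    "multi-SAN": ["s3.my.dom", "rgw1.my.dom", "rgw2.my.dom"],
}
# Names a client might connect to: short hostname, FQDN, shared endpoint.
CANDIDATES = ["rgw1", "rgw1.my.dom", "s3.my.dom"]


def report():
    return {(c, h): verify(s, h) for c, s in CERTS.items() for h in CANDIDATES}


if __name__ == "__main__":
    for (cert, host), ok in report().items():
        print(f"{cert:10} {host:14} {'ok' if ok else 'verification fails'}")
```

With either certificate the short name is the only candidate that fails, so a client that connects by short hostname needs that exact name in the SAN list, or verification has to be pointed at a name the certificate covers.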