Hi,

Coming back to that issue.

My endpoint wasn't set up correctly.
I changed it to myrgw:myport (rgwow:8080) in the cloudberry profile or in the 
curl request and I got a 403 error due to a potential bad role returned by 
keystone.
In the radosgw log, I got:
2015-05-05 14:58:23.895961 7fb9f4fe9700  1 ====== starting new request 
req=0x7fba040177c0 =====
2015-05-05 14:58:23.895975 7fb9f4fe9700  2 req 82:0.000015::GET /::initializing
2015-05-05 14:58:23.896009 7fb9f4fe9700 10 s->object=<NULL> s->bucket=<NULL>
2015-05-05 14:58:23.896014 7fb9f4fe9700  2 req 82:0.000054:s3:GET /::getting op
2015-05-05 14:58:23.896018 7fb9f4fe9700  2 req 82:0.000058:s3:GET 
/:list_buckets:authorizing
2015-05-05 14:58:23.896022 7fb9f4fe9700  2 req 82:0.000062:s3:GET 
/:list_buckets:reading permissions
2015-05-05 14:58:23.896027 7fb9f4fe9700  2 req 82:0.000067:s3:GET 
/:list_buckets:init op
2015-05-05 14:58:23.896030 7fb9f4fe9700  2 req 82:0.000070:s3:GET 
/:list_buckets:verifying op mask
2015-05-05 14:58:23.896032 7fb9f4fe9700 20 required_mask= 1 user.op_mask=7
2015-05-05 14:58:23.896033 7fb9f4fe9700  2 req 82:0.000073:s3:GET 
/:list_buckets:verifying op permissions
2015-05-05 14:58:23.896036 7fb9f4fe9700  2 req 82:0.000075:s3:GET 
/:list_buckets:verifying op params
2015-05-05 14:58:23.896037 7fb9f4fe9700  2 req 82:0.000077:s3:GET 
/:list_buckets:executing
2015-05-05 14:58:23.898267 7fb9f4fe9700  5 nothing to log for operation
2015-05-05 14:58:23.898286 7fb9f4fe9700  2 req 82:0.002326:s3:GET 
/:list_buckets:http status=200
2015-05-05 14:58:23.898293 7fb9f4fe9700  1 ====== req done req=0x7fba040177c0 
http_status=200 ======
2015-05-05 14:58:24.227297 7fba215f8700 20 enqueued request req=0x7fba04013580
2015-05-05 14:58:24.227318 7fba215f8700 20 RGWWQ:
2015-05-05 14:58:24.227320 7fba215f8700 20 req: 0x7fba04013580
2015-05-05 14:58:24.227328 7fba215f8700 10 allocated request req=0x7fba04012050
2015-05-05 14:58:24.227454 7fb9f57ea700 20 dequeued request req=0x7fba04013580
2015-05-05 14:58:24.227471 7fb9f57ea700 20 RGWWQ: empty
2015-05-05 14:58:24.227512 7fb9f57ea700 20 DOCUMENT_ROOT=/var/www/radosgw
2015-05-05 14:58:24.227515 7fb9f57ea700 20 FCGI_ROLE=RESPONDER
2015-05-05 14:58:24.227516 7fb9f57ea700 20 GATEWAY_INTERFACE=CGI/1.1
2015-05-05 14:58:24.227517 7fb9f57ea700 20 HTTP_ACCEPT=*/*
2015-05-05 14:58:24.227518 7fb9f57ea700 20 HTTP_AUTHORIZATION=AWS 
ffd80839282d4183afedff542de10760:9vF6bLQCF4a/bYTgaxPjl1bFro4=
2015-05-05 14:58:24.227520 7fb9f57ea700 20 HTTP_CONNECTION=close
2015-05-05 14:58:24.227521 7fb9f57ea700 20 HTTP_DATE=Tue, 05 May 2015 12:58:24 
+0000
2015-05-05 14:58:24.227522 7fb9f57ea700 20 HTTP_HOST=rgwow:8080
2015-05-05 14:58:24.227523 7fb9f57ea700 20 HTTP_USER_AGENT=curl/7.22.0 
(x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 
librtmp/2.3
2015-05-05 14:58:24.227524 7fb9f57ea700 20 PATH=/usr/local/bin:/usr/bin:/bin
2015-05-05 14:58:24.227525 7fb9f57ea700 20 QUERY_STRING=page=&params=
2015-05-05 14:58:24.227526 7fb9f57ea700 20 REMOTE_ADDR=10.193.108.105
2015-05-05 14:58:24.227527 7fb9f57ea700 20 REMOTE_PORT=44436
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_METHOD=GET
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_URI=/
2015-05-05 14:58:24.227529 7fb9f57ea700 20 
SCRIPT_FILENAME=/var/www/radosgw/s3gw.fcgi
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_NAME=/
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_URI=http://rgwow:8080/
2015-05-05 14:58:24.227531 7fb9f57ea700 20 SCRIPT_URL=/
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADDR=10.193.108.236
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADMIN=[no address given]
2015-05-05 14:58:24.227533 7fb9f57ea700 20 SERVER_NAME=rgwow
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PORT=8080
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PROTOCOL=HTTP/1.1
2015-05-05 14:58:24.227535 7fb9f57ea700 20 SERVER_SIGNATURE=
2015-05-05 14:58:24.227536 7fb9f57ea700 20 SERVER_SOFTWARE=Apache/2.2.22 
(Ubuntu)
2015-05-05 14:58:24.227537 7fb9f57ea700  1 ====== starting new request 
req=0x7fba04013580 =====
2015-05-05 14:58:24.227551 7fb9f57ea700  2 req 83:0.000014::GET /::initializing
2015-05-05 14:58:24.227557 7fb9f57ea700 10 host=rgwow:8080 rgw_dns_name=rgwow
2015-05-05 14:58:24.227588 7fb9f57ea700 10 s->object=<NULL> s->bucket=<NULL>
2015-05-05 14:58:24.227593 7fb9f57ea700  2 req 83:0.000056:s3:GET /::getting op
2015-05-05 14:58:24.227596 7fb9f57ea700  2 req 83:0.000059:s3:GET 
/:list_buckets:authorizing
2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth
2015-05-05 14:58:24.227693 7fb9f57ea700 10 get_canon_resource(): dest=/
2015-05-05 14:58:24.227776 7fb9f57ea700 20 sending request to 
10.194.167.23:5000/v2.0/s3tokens
2015-05-05 14:58:24.233049 7fb9f57ea700  5 s3 keystone: user does not hold a 
matching role; required roles: _member_, Member, admin, swiftoperator
2015-05-05 14:58:24.233121 7fb9f57ea700 20 get_obj_state: rctx=0x7fba6c0021e0 
obj=.users:ffd80839282d4183afedff542de10760 state=0x7fba6c00b1a8 
s->prefetch_data=0
2015-05-05 14:58:24.233135 7fb9f57ea700 10 cache get: 
name=.users+ffd80839282d4183afedff542de10760 : miss
2015-05-05 14:58:24.235002 7fb9f57ea700 10 cache put: 
name=.users+ffd80839282d4183afedff542de10760
2015-05-05 14:58:24.235025 7fb9f57ea700 10 adding 
.users+ffd80839282d4183afedff542de10760 to cache LRU end
2015-05-05 14:58:24.235038 7fb9f57ea700  5 error reading user info, 
uid=ffd80839282d4183afedff542de10760 can't authenticate
2015-05-05 14:58:24.235041 7fb9f57ea700 10 failed to authorize request
2015-05-05 14:58:24.235098 7fb9f57ea700  5 nothing to log for operation
2015-05-05 14:58:24.235102 7fb9f57ea700  2 req 83:0.007565:s3:GET 
/:list_buckets:http status=403
2015-05-05 14:58:24.235108 7fb9f57ea700  1 ====== req done req=0x7fba04013580 
http_status=403 ======

In the keystone request, there is s3tokens.
Is it a standard implementation or does the keystone installation require 
something specific?

Best regards
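
An added example, not part of the original message or of Ceph: a small Python triage script that rejoins the wrapped lines of a radosgw debug log like the one quoted above, follows each request on its worker thread, and reports the requests that ended in 403 together with the roles the gateway required. The function names and record fields are assumptions made for this illustration.

```python
import re

# Constructed sample: lines from the log quoted above, two still wrapped as the mail client left them.
SAMPLE_LOG = """\
2015-05-05 14:58:23.895961 7fb9f4fe9700  1 ====== starting new request req=0x7fba040177c0 =====
2015-05-05 14:58:23.898293 7fb9f4fe9700  1 ====== req done req=0x7fba040177c0 http_status=200 ======
2015-05-05 14:58:24.227537 7fb9f57ea700  1 ====== starting new request
req=0x7fba04013580 =====
2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth
2015-05-05 14:58:24.233049 7fb9f57ea700  5 s3 keystone: user does not hold a
matching role; required roles: _member_, Member, admin, swiftoperator
2015-05-05 14:58:24.235038 7fb9f57ea700  5 error reading user info, uid=ffd80839282d4183afedff542de10760 can't authenticate
2015-05-05 14:58:24.235108 7fb9f57ea700  1 ====== req done req=0x7fba04013580 http_status=403 ======
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d [\d:.]+) ([0-9a-f]+)\s+(-?\d+) (.*)$")
START = re.compile(r"starting new request req=(0x[0-9a-f]+)")
DONE = re.compile(r"req done req=(0x[0-9a-f]+) http_status=(\d+)")
ROLES = re.compile(r"user does not hold a matching role; required roles: (.*)")
UID = re.compile(r"error reading user info, uid=(\S+)")

def unwrap(text):
    """Rejoin wrapped lines: a continuation line does not start with a timestamp."""
    out = []
    for raw in text.splitlines():
        if LINE.match(raw) or not out:
            out.append(raw.rstrip())
        else:
            out[-1] += " " + raw.strip()
    return out

def denied_requests(text):
    """Return one record per request that ended with HTTP 403."""
    open_reqs, denied = {}, []  # open requests keyed by worker thread id
    for m in filter(None, map(LINE.match, unwrap(text))):
        ts, thread, _level, msg = m.groups()
        if s := START.search(msg):
            open_reqs[thread] = {"req": s.group(1), "start": ts, "required_roles": None, "uid": None}
        elif (rec := open_reqs.get(thread)) is None:
            continue
        elif r := ROLES.search(msg):
            rec["required_roles"] = [x.strip() for x in r.group(1).split(",")]
        elif u := UID.search(msg):
            rec["uid"] = u.group(1)
        elif d := DONE.search(msg):
            if d.group(2) == "403":
                denied.append(rec)
            del open_reqs[thread]
    return denied
```

A record with `required_roles` filled in means the gateway rejected the request on the role check it logged, so the listed roles are the ones to compare against what the Keystone user holds.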


From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of 
ghislain.cheval...@orange.com
Sent: Thursday 16 April 2015 13:14
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

I finally configured a cloudberry profile by setting what seems to be the right 
endpoint for object storage according to the openstack environment: 
myrgw:myport/swift/v1
I got a “204 no content” error even though 2 containers were previously created by 
a swift operation with objects in them.

In the log, I saw a dialog between the rgw and keystone but the right service 
doesn’t seem to be selected and the id became anonymous.

Any idea?

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of 
ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 18:39
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

Despite the creation of ec2 credentials which provide an accesskey and a 
secretkey for a user, it’s always impossible to connect using S3 
(Forbidden/Access denied).
All is right using swift (create container, list container, get object, put 
object, delete object).
I use the cloudberry client to do so.

Does someone know how I can check if the interoperability between keystone and 
the rgw is correctly set up?
In the rgw pools? in the radosgw metadata?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of 
ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Thanks a lot
That helps.

From: Erik McCormick [mailto:emccorm...@cirrusseven.com]
Sent: Monday 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in 
keystone already. If you're in horizon, you can download them under Access and 
Security->API Access. Using the CLI you can use the openstack client like 
"openstack credential <list | show | create | delete | set>" or with the 
keystone client like "keystone ec2-credentials-list", etc.  Then you should be 
able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, <ghislain.cheval...@orange.com> wrote:
Hi all,

Coming back to that issue.

I successfully used keystone users for the rados gateway and the swift API but 
I still don't understand how it can work with S3 API and i.e. S3 users 
(AccessKey/SecretKey)

I found a swift3 initiative but I think it's only compliant in a pure OpenStack 
swift environment by setting up a specific plug-in.
https://github.com/stackforge/swift3

An rgw can be, at the same time, under keystone control and standard 
radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can an rgw work for S3 users if they are stored in keystone? Which is the 
accesskey and secretkey?
What is the purpose of "rgw s3 auth use keystone" parameter ?

Best regards

----------------------
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of 
ghislain.cheval...@orange.com
Sent: Monday 23 March 2015 14:03
To: ceph-users
Subject: [ceph-users] Rados Gateway and keystone

Hi All,

I would just like to be sure about keystone configuration for Rados Gateway.

I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and 
http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
but I didn't catch if after having configured the rados gateway (ceph.conf) in 
order to use keystone, it becomes mandatory to create all the users in it.

In other words, can an rgw be, at the same time, under keystone control and 
standard radosgw-admin?
How does it work for S3 users ?
What is the purpose of "rgw s3 auth use keystone" parameter ?

Best regards

- - - - - - - - - - - - - - - - -
Ghislain Chevalier
+33299124432
+33788624370
ghislain.cheval...@orange.com
_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

