> and need to use openstack client.

Yes, you have to for v3 anyway.

Shinobu

----- Original Message -----
From: "Robert Duncan" <robert.dun...@ncirl.ie>
To: "Luis Periquito" <periqu...@gmail.com>
Cc: "Shinobu Kinjo" <ski...@redhat.com>, "Abhishek L" 
<abhishek.lekshma...@gmail.com>, "ceph-users" <ceph-us...@ceph.com>
Sent: Friday, September 25, 2015 11:29:14 PM
Subject: RE: [ceph-users] radosgw and keystone version 3 domains

A few other things that don’t work –

-appending /v3 into the rgw.conf file (worth a try)
-adding the user into the default domain
- removing the v2 endpoints from the keystone catalog
-using a domain scoped token in rgw.conf
-using admin username and password in rgw.conf

According to keystone documents we shouldn’t use a versioned endpoint in the 
catalog anymore as ports 5000 and 35357 have a http 300 ‘multiple choices’

Although – horizon doesn’t work without explicitly stating ‘use identity v3’ – 
anyway, keystone python client is pretty much broken as we can’t list domain 
users or their projects(tenants) and need to use openstack client.
This is the crux of the issue, if keystone v2 could only list domain users as 
having a role on a project, but it doesn’t understand the domain id part of the 
token – arrghhh!

curl -i 172.25.60.2:35357
HTTP/1.1 300 Multiple Choices
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 759
Date: Fri, 25 Sep 2015 14:11:08 GMT
Connection: close

{"versions": {"values": [{"status": "stable", "updated": 
"2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": 
"application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", 
"type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": 
[{"href": "http://172.25.60.2:35357/v3/";, "rel": "self"}]}, {"status": 
"stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": 
"application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, 
{"base": "application/xml", "type": 
"application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": 
[{"href": "http://172.25.60                                                     
                                         .2:35357/v2.0/", "rel": "self"}, 
{"href": "http://docs.openstack.org/";, "type":


From: Luis Periquito [mailto:periqu...@gmail.com]
Sent: 25 September 2015 14:37
To: Robert Duncan
Cc: Shinobu Kinjo; Abhishek L; ceph-users
Subject: Re: [ceph-users] radosgw and keystone version 3 domains

This was reported in http://tracker.ceph.com/issues/8052 about a year ago. This 
ticket hasn't been updated...

On Fri, Sep 25, 2015 at 1:37 PM, Robert Duncan 
<robert.dun...@ncirl.ie<mailto:robert.dun...@ncirl.ie>> wrote:
I would be interested if anyone even has a work around to this - no matter how 
arcane.
If anyone gets this to work I would be most obliged

-----Original Message-----
From: Shinobu Kinjo [mailto:ski...@redhat.com<mailto:ski...@redhat.com>]
Sent: 25 September 2015 13:31
To: Luis Periquito
Cc: Abhishek L; Robert Duncan; ceph-users
Subject: Re: [ceph-users] radosgw and keystone version 3 domains

Thanks for the info.

Shinobu

----- Original Message -----
From: "Luis Periquito" <periqu...@gmail.com<mailto:periqu...@gmail.com>>
To: "Shinobu Kinjo" <ski...@redhat.com<mailto:ski...@redhat.com>>
Cc: "Abhishek L" 
<abhishek.lekshma...@gmail.com<mailto:abhishek.lekshma...@gmail.com>>, "Robert 
Duncan" <robert.dun...@ncirl.ie<mailto:robert.dun...@ncirl.ie>>, "ceph-users" 
<ceph-us...@ceph.com<mailto:ceph-us...@ceph.com>>
Sent: Friday, September 25, 2015 8:52:48 PM
Subject: Re: [ceph-users] radosgw and keystone version 3 domains

I'm having the exact same issue, and after looking it seems that radosgw is 
hardcoded to authenticate using v2 api.

from the config file: rgw keystone url = http://openstackcontrol.lab:35357/

the "/v2.0/" is hardcoded and gets appended to the authentication request.

a snippet taken from radosgw (ran with "-d --debug-ms=1 --debug-rgw=20"
options)

2015-09-25 12:40:00.359333 7ff4bcf61700  1 ====== starting new request
req=0x7ff57801b810 =====
2015-09-25 12:40:00.359355 7ff4bcf61700  2 req 1:0.000021::GET 
/swift/v1::initializing
2015-09-25 12:40:00.359358 7ff4bcf61700 10 
host=s3.lab.tech.lastmile.com<http://s3.lab.tech.lastmile.com>
2015-09-25 12:40:00.359363 7ff4bcf61700 20 subdomain= domain= 
s3.lab.tech.lastmile.com<http://s3.lab.tech.lastmile.com> in_hosted_domain=1
2015-09-25 12:40:00.359400 7ff4bcf61700 10 ver=v1 first= req=
2015-09-25 12:40:00.359410 7ff4bcf61700 10 s->object=<NULL> s->bucket=<NULL>
2015-09-25 12:40:00.359419 7ff4bcf61700  2 req 1:0.000085:swift:GET 
/swift/v1::getting op
2015-09-25 12:40:00.359422 7ff4bcf61700  2 req 1:0.000089:swift:GET 
/swift/v1:list_buckets:authorizing
2015-09-25 12:40:00.359428 7ff4bcf61700 20 
token_id=6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.359451 7ff4bcf61700 20 sending request to 
http://openstackcontrol.lab:35357/v2.0/tokens/6b67585266ce4aee9e326e72c81865dd
2015-09-25 12:40:00.377066 7ff4bcf61700 20 received response: {"error":
{"message": "Non-default domain is not supported (Disable debug mode to 
suppress these details.)", "code": 401, "title": "Unauthorized"}}
2015-09-25 12:40:00.377175 7ff4bcf61700  0 user does not hold a matching role; 
required roles: admin, Member, _member_
2015-09-25 12:40:00.377179 7ff4bcf61700 10 failed to authorize request
2015-09-25 12:40:00.377216 7ff4bcf61700  2 req 1:0.017883:swift:GET 
/swift/v1:list_buckets:http status=401
2015-09-25 12:40:00.377219 7ff4bcf61700  1 ====== req done
req=0x7ff57801b810 http_status=401 ======


From this it seems that radosgw doesn't support auth v3! Are there any plans to 
add that support?


On Sat, Sep 19, 2015 at 6:56 AM, Shinobu Kinjo 
<ski...@redhat.com<mailto:ski...@redhat.com>> wrote:

> What's error message you saw when you tried?
>
> Shinobu
>
> ----- Original Message -----
> From: "Abhishek L" 
> <abhishek.lekshma...@gmail.com<mailto:abhishek.lekshma...@gmail.com>>
> To: "Robert Duncan" <robert.dun...@ncirl.ie<mailto:robert.dun...@ncirl.ie>>
> Cc: ceph-us...@ceph.com<mailto:ceph-us...@ceph.com>
> Sent: Friday, September 18, 2015 12:29:20 PM
> Subject: Re: [ceph-users] radosgw and keystone version 3 domains
>
> On Fri, Sep 18, 2015 at 4:38 AM, Robert Duncan
> <robert.dun...@ncirl.ie<mailto:robert.dun...@ncirl.ie>>
> wrote:
> >
> > Hi
> >
> >
> >
> > It seems that radosgw cannot find users in Keystone V3 domains, that
> > is,
> >
> > When keystone is configured for domain specific  drivers radossgw
> > cannot
> find the users in the keystone users table (as they are not there)
> >
> > I have a deployment in which ceph providers object block ephemeral
> > and
> user storage, however any user outside of the ‘default’ sql backed
> domain cannot be found by radosgw.
> >
> > Has anyone seen this issue before when using ceph in openstack? Is
> > it
> possible to configure radosgw to use a keystone v3 url?
>
> I'm not sure whether keystone v3 support for radosgw is there yet,
> particularly for the swift api. Currently keystone v2 api is
> supported, and due to the change in format between v2 and v3 tokens,
> I'm not sure whether swift apis will work with v3 yet, though keystone
> v3 *might* just work on the s3 interface due to the different format used.
>
>
> >
> >
> > Thanks,
> >
> > Rob.
> >
> > ________________________________
> >
> > The information contained and transmitted in this e-mail is
> > confidential
> information, and is intended only for the named recipient to which it
> is addressed. The content of this e-mail may not have been sent with
> the authority of National College of Ireland. Any views or opinions
> presented are solely those of the author and do not necessarily
> represent those of National College of Ireland. If the reader of this
> message is not the named recipient or a person responsible for
> delivering it to the named recipient, you are notified that the
> review, dissemination, distribution, transmission, printing or
> copying, forwarding, or any other use of this message or any part of
> it, including any attachments, is strictly prohibited. If you have
> received this communication in error, please delete the e-mail and
> destroy all record of this communication. Thank you for your assistance.
> >
> > ________________________________
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com<mailto:ceph-users@lists.ceph.com>
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com<mailto:ceph-users@lists.ceph.com>
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com<mailto:ceph-users@lists.ceph.com>
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
________________________________

The information contained and transmitted in this e-mail is confidential 
information, and is intended only for the named recipient to which it is 
addressed. The content of this e-mail may not have been sent with the authority 
of National College of Ireland. Any views or opinions presented are solely 
those of the author and do not necessarily represent those of National College 
of Ireland. If the reader of this message is not the named recipient or a 
person responsible for delivering it to the named recipient, you are notified 
that the review, dissemination, distribution, transmission, printing or 
copying, forwarding, or any other use of this message or any part of it, 
including any attachments, is strictly prohibited. If you have received this 
communication in error, please delete the e-mail and destroy all record of this 
communication. Thank you for your assistance.
________________________________

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Reply via email to