Hi!
I tried to call the API endpoint directly with curl using the dashboard
credentials and I found that it gives me back:
# curl "https://rgw.domain.com/admin/metadata/user" --aws-sigv4 "aws:amz:ZONEGROUP:s3" --user "DASHBOARDKEY:DASHBOARDSECRET"
{"Code":"SignatureDoesNotMatch","Message":"","RequestId":"tx000003fa7fe095d8f0fd6-006a15466e-338043-eros","HostId":"338043-zone-zonegroup"}
when curl is version 7.76.1 (Rocky 9), but when it is a newer version
(8.5.0 on Ubuntu 22.04 and 8.9.1 on Rocky 10) it correctly answers my query!
When I tried with more verbosity I see that the oldest version is
"signing" only 2 headers (SignedHeaders=host;x-amz-date) and the newer
ones 3 (SignedHeaders=host;x-amz-content-sha256;x-amz-date).
In general, could the problem be something related to a mismatch
between the client and the server API?
Cheers
Iztok
On 25/05/26 12:29, Iztok Gregori wrote:
Hi Eugen!
On 23/05/26 23:54, Eugen Block via ceph-users wrote:
Hi,
I might be wrong, but I don't think it's a cert issue. If you look in
the mgr log, do you see more information than just the
SignatureDoesNotMatch error?
On further investigation I'm also convinced that it has nothing to do with
the certificates but more with the permissions of the 'dashboard' user.
This is the exception that is thrown from the mgr logs:
[dashboard INFO rgw_client] Found RGW daemon with configuration: host=node-01.domain.com, port=4443, ssl=True
[dashboard INFO rgw_client] Found RGW daemon with configuration: host=node-03.domain.com, port=4443, ssl=True
[dashboard INFO rgw_client] Found RGW daemon with configuration: host=node-02.domain.com, port=4443, ssl=True
[dashboard INFO rgw_client] Found RGW daemon with configuration: host=node-04.domain.com, port=4443, ssl=True
[dashboard INFO rgw_client] Found RGW daemon with configuration: host=node-05.domain.com, port=4443, ssl=True
[dashboard INFO request] [::ffff:140.105.2.28:41732] [GET] [200] [0.005s] [admin] [308.0B] /api/health/snapshot
[dashboard INFO request] [::ffff:140.105.2.28:41732] [GET] [200] [0.007s] [admin] [22.0B] /api/prometheus/alertgroup
[dashboard INFO request] [::ffff:140.105.2.28:41732] [GET] [200] [0.012s] [admin] [376.0B] /api/multi-cluster/get_config
[dashboard INFO request] [::ffff:140.105.2.28:41760] [GET] [200] [0.028s] [admin] [1.2K] /api/summary
[dashboard ERROR rest_client] RGW REST API failed GET req status: 403
[dashboard ERROR rgw_client] RGW REST API failed request with status code 403
(b'{"Code":"SignatureDoesNotMatch","Message":"","RequestId":"tx00000629cfb33d5e'
b'da4c7-006a141bf6-308299-eros","HostId":"308299-zone-zonegroup"}')
Traceback (most recent call last):
  File "/usr/share/ceph/mgr/dashboard/services/rgw_client.py", line 413, in __init__
    self.userid = self._get_user_id(self.admin_path) if self.got_keys_from_config \
  File "/usr/share/ceph/mgr/dashboard/rest_client.py", line 538, in func_wrapper
    return func(
  File "/usr/share/ceph/mgr/dashboard/services/rgw_client.py", line 448, in _get_user_id
    response = request()
  File "/usr/share/ceph/mgr/dashboard/rest_client.py", line 324, in __call__
    resp = self.rest_client.do_request(method, self._gen_path(), params,
  File "/usr/share/ceph/mgr/dashboard/rest_client.py", line 422, in do_request
    raise RequestException(
dashboard.rest_client.RequestException: RGW REST API failed request with status code 403
(b'{"Code":"SignatureDoesNotMatch","Message":"","RequestId":"tx00000629cfb33d5e'
b'da4c7-006a141bf6-308299-zone","HostId":"308299-zone-zonegroup"}')
Could it be mismatching dashboard-rgw-api settings? Have you checked
these settings?
ceph dashboard get-rgw-api-admin-resource
It's the default, 'admin'. I also reset the value with
"reset-rgw-api-admin-resource", so technically it is now 'unset'.
Question: what should the value be if not 'admin'?
ceph dashboard get-rgw-api-access-key
ceph dashboard get-rgw-api-secret-key
They should match with:
radosgw-admin user info --uid dashboard | jq -r '.keys'
The values are matching, I see in both get-rgw-api-secret-key and
get-rgw-api-access-key something like this:
{'<REALM>': '<(ACCESS}SECRET)_KEY>'}
But as I wrote, it might be something else, I would expect the mgr log to
contain more details.
Indeed, I tried to backtrace the error in the code and I see that it is
failing in rgw_client.py when it is trying to get the user_id "of the
user that is used to communicate with the RGW Admin Ops API". I suppose
that is the 'admin' user from rgw-api-admin-resource, am I right?
I didn't have time until now to investigate further.
Thanks!
Iztok
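
Added example, not part of the thread and not code from Ceph or curl: a minimal SigV4 signer and verifier showing how the SignedHeaders list and the payload-hash line enter the signature for the request quoted above. The secret key and timestamp are constructed; host, path, region and service mirror the curl command in the thread.

```python
import hashlib
import hmac

# Constructed sample values: the key and timestamp are made up; host, path,
# region and service mirror the curl command quoted in the thread.
SECRET, AMZ_DATE = "example-secret-key", "20260525T102900Z"
REGION, SERVICE = "ZONEGROUP", "s3"
METHOD, PATH, QUERY = "GET", "/admin/metadata/user", ""
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # hash of the empty GET body

def canonical_request(headers, payload_hash):
    """SigV4 canonical request over exactly the headers passed in."""
    low = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(low)
    canon = "".join(f"{n}:{low[n]}\n" for n in names)
    return "\n".join([METHOD, PATH, QUERY, canon, ";".join(names), payload_hash])

def signature(creq):
    """Derive the signing key and sign the string-to-sign for creq."""
    day = AMZ_DATE[:8]
    scope = f"{day}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (day, REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def client_sign(headers, payload_hash=EMPTY_SHA256):
    """Return (SignedHeaders, Signature) as sent in the Authorization header."""
    names = ";".join(sorted(h.lower() for h in headers))
    return names, signature(canonical_request(headers, payload_hash))

def server_accepts(signed_headers, sig, received, payload_hash=EMPTY_SHA256):
    """Verifier side: rebuild the request from the headers named in SignedHeaders."""
    low = {k.lower(): v for k, v in received.items()}
    subset = {n: low[n] for n in signed_headers.split(";")}
    return hmac.compare_digest(signature(canonical_request(subset, payload_hash)), sig)

TWO = {"Host": "rgw.domain.com", "X-Amz-Date": AMZ_DATE}
THREE = dict(TWO, **{"X-Amz-Content-Sha256": EMPTY_SHA256})

if __name__ == "__main__":
    for hdrs in (TWO, THREE):
        names, sig = client_sign(hdrs)
        print(names, sig, server_accepts(names, sig, hdrs))
    names, sig = client_sign(TWO)
    # Same request, but the verifier assumes a different payload-hash line.
    print(server_accepts(names, sig, TWO, payload_hash="UNSIGNED-PAYLOAD"))
```

Either header set verifies as long as signer and verifier build the same canonical request; the last call shows a mismatch caused only by a differing payload-hash line, which is one of the inputs to compare when debugging this error.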