Hi Yehuda,

thanks for your quick reply.


On Wed, May 15, 2013 at 4:08 PM, Yehuda Sadeh <[email protected]> wrote:

> On Wed, May 15, 2013 at 6:45 AM, Davide Fanciola <[email protected]>
> wrote:
> > Hello everyone,
> >
> > I'm trying to set up the radosgw with keystone integration and having a
> > few problems, hopefully due to my noobism.
> > I'm using Ubuntu 13.04 with ceph-0.61.2-1raring and
> > keystone-2013.1-0ubuntu1.
> >
> > I followed the docs at http://ceph.com/docs/master/radosgw/config/ and
> > managed to have a "working" setup.
> > Actually i have created a swift user and key using the internal
> > authentication system and another user in keystone.
> > I've successfully tested the access for both users with slightly different
> > syntax on the swift command line.
> >
> > RGW User:
> > $ swift -V 1.0 -A http://rgw.dns/auth -U user:subuser -K theKey stat
> >
> > Keystone User:
> > $ swift -V 2.0 -A http://keystone.dns:5000/v2.0 -U tenant:user -K
> > thePassword stat
> >
> > Now the problem I'm having is that if these two users create a
> > bucket/container with the same name, the second user receives a permission
> > error.
> >
> > From my understanding this is due to the fact that the returned
> > "X-Storage-Url" does not contain any part specific to the user, i.e. the
> > url is always "http://rgw.dns/swift/v1".
> > When I check the API documentation, the storage url is normally given in
> > the form of "http://rgw.dns/swift/v1/{USER_OR_TENANT_ID_OR_NAME}".
> > The only config options that look pertinent are "rgw swift url" and
> > "rgw swift url prefix" but I don't see how to inject dynamic values (i.e.
> > the tenant id).
> > Am I completely on the wrong track here?
>
> Yeah, that's unrelated. It's used by the gateway to identify whether
> it's swift or not, and to generate the storage-url by the rgw
> swift-auth.

>
> > My final goal would be to have a sort of namespace for each keystone
> > tenant (or RGW user).
> > Tenant's users (RGW subusers) would be confined in that namespace and
> > able to access each other's files based on ACLs.
> > Is this use case supported by the couple radosgw/keystone?
>
> Not currently. At the moment all rgw users share a single namespace.
> The rgw user <-> tenant mapping is more like the way S3 handles it. I
> just created issue #5073 to allow that.
>


So for the moment, the only way to ensure this would be at the application
level?



> >
> >
> > The second problem is that I'm not sure the keystone revocation process
> > is functioning correctly, here's what the logs show:
> >
> > 2013-05-15 15:08:22.452380 7fa816bf9700  0 ERROR: signer 0 status =
> > SigningCertNotTrusted
> > 2013-05-15 15:08:22.452424 7fa816bf9700  0 ERROR: problem decoding
> > 2013-05-15 15:08:22.452443 7fa816bf9700  0 ceph_decode_cms returned -22
> > 2013-05-15 15:08:22.452463 7fa816bf9700  0 ERROR: keystone revocation
> > processing returned error r=-22
> >
> > I've imported keystone's CA and signing certificate, so not sure what's
> > wrong here but looks like the certutil step is not correct or complete.
> >
>
> It's hard to really identify what the problem is. It might be that
> you've converted the wrong openssl certificate.
>


All right, then maybe something is wrong on the keystone side. I'll
regenerate keystone certs, ensure they're used for signing and try again.

# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
    certutil -A -d /var/lib/ceph/nss -n signing_cert -t "TCu,Cu,Tuw"


> Yehuda
>
> >
> > For reference I report here my config for the radosgw:
> >
> > [client.radosgw.gateway]
> >         host = ubu-keystone
> >         keyring = /etc/ceph/keyring.radosgw.gateway
> >         rgw socket path = /tmp/radosgw.sock
> >         log file = /var/log/ceph/radosgw.log
> >         debug rgw = 20
> > # Not using the 100-continue Apache
> >         rgw print continue = false
> >         rgw dns name = ubu-keystone
> >         rgw keystone url = http://ubu-keystone:35357
> >         rgw keystone admin token = ADMINTOKEN
> >         rgw keystone accepted roles = Member, admin, swiftoperator
> >         rgw keystone token cache size = 500
> >         rgw keystone revocation interval = 600
> >         nss db path = /var/lib/ceph/nss
> >
> >
> > Thanks in advance,
> > Cheers,
> > Davide
> >
> >
> > _______________________________________________
> > ceph-users mailing list
> > [email protected]
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >
>
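As an added example that is not code from this thread or from Ceph (openssl is assumed to be on PATH; the CA names, the signing cert and the payload are all constructed), this script reproduces the trust relationship behind the SigningCertNotTrusted error discussed above: a CMS-signed blob verifies only against the CA that actually issued its signer, and fails against any other CA.

```shell
#!/bin/sh
# Added example, not code from this thread or from Ceph: build a throwaway
# CA, a signing certificate issued by it and a CMS-signed payload, so the
# trust check radosgw applies to Keystone's signed revocation list can be
# exercised offline. Assumes openssl is on PATH; every certificate is
# constructed here as test material, none of them is a real Keystone cert.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named $1 (the default openssl.cnf v3_ca section marks it
# CA:TRUE, which chain validation requires of an issuer).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Signing certificate issued by CA $1: the role Keystone's signing_cert.pem
# plays when keystone signs the revocation list.
make_signing_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=keystone-signing" \
        -keyout "$WORK/signing.key" -out "$WORK/signing.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/signing.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/signing_cert.pem" 2>/dev/null
}

# Wrap stdin in a CMS SignedData blob (PEM) with the signer cert embedded.
cms_sign() {
    openssl cms -sign -signer "$WORK/signing_cert.pem" \
        -inkey "$WORK/signing.key" -nodetach -outform PEM
}

# Verify a CMS blob from stdin while trusting only CA $1. Exits 0 when the
# embedded signer chains to that CA, non-zero otherwise: the openssl
# counterpart of NSS reporting SigningCertNotTrusted in the radosgw log.
cms_verify() {
    openssl cms -verify -inform PEM -CAfile "$WORK/$1.pem" \
        -out /dev/null 2>/dev/null
}

# Demo: sign with a cert issued by keystone-ca, then verify against the
# right CA and against an unrelated one.
make_ca keystone-ca
make_ca other-ca
make_signing_cert keystone-ca
printf '{"revoked": []}\n' | cms_sign > "$WORK/revocation_list.pem"
cms_verify keystone-ca < "$WORK/revocation_list.pem" && echo "keystone-ca: signer trusted"
cms_verify other-ca < "$WORK/revocation_list.pem" || echo "other-ca: signer not trusted"
```

The same mismatch on the radosgw side (a CA in the NSS database that did not issue the cert keystone signs with) is what produces the SigningCertNotTrusted line in the log.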