Oups, dang new gmail gui!

I've managed to send the last email with a previously unknown key
combination ;)
Sorry.

I just wanted to add the commands used to convert the certificates:

# openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey |
   certutil -A -d /var/lib/ceph/nss -n ca -t "TCu,Cu,Tuw"

# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey |
   certutil -A -d /var/lib/ceph/nss -n signing_cert -t "TCu,Cu,Tuw"

Is it correct that both certificates are declared with the same type
("TCu,Cu,Tuw")?

Cheers,
Davide


On Wed, May 15, 2013 at 5:33 PM, Davide Fanciola <[email protected]> wrote:

> Hi Yehuda,
>
> thanks for your quick reply.
>
>
> On Wed, May 15, 2013 at 4:08 PM, Yehuda Sadeh <[email protected]> wrote:
>
>> On Wed, May 15, 2013 at 6:45 AM, Davide Fanciola <[email protected]>
>> wrote:
>> > Hello everyone,
>> >
>> > I'm trying to set up the radosgw with keystone integration and having a few
>> > problems, hopefully due to my noobism.
>> > I'm using Ubuntu 13.04 with ceph-0.61.2-1raring and
>> > keystone-2013.1-0ubuntu1.
>> >
>> > I followed the docs at http://ceph.com/docs/master/radosgw/config/ and
>> > managed to have a "working" setup.
>> > Actually I have created a swift user and key using the internal
>> > authentication system and another user in keystone.
>> > I've successfully tested the access for both users with slightly different
>> > syntax on the swift command line.
>> >
>> > RGW User:
>> > $ swift -V 1.0 -A http://rgw.dns/auth -U user:subuser -K theKey stat
>> >
>> > Keystone User:
>> > $ swift -V 2.0 -A http://keystone.dns:5000/v2.0 -U tenant:user -K
>> > thePassword stat
>> >
>> > Now the problem I'm having is that if these two users create a
>> > bucket/container with the same name, the second user receives a permission
>> > error.
>> >
>> > From my understanding this is due to the fact that the returned
>> > "X-Storage-Url" does not contain any part specific to the user, i.e. the url is
>> > always "http://rgw.dns/swift/v1".
>> > When I check the API documentation, the storage url is normally given in the
>> > form of "http://rgw.dns/swift/v1/{USER_OR_TENANT_ID_OR_NAME}".
>> > The only config options that look pertinent are "rgw swift url" and
>> > "rgw swift url prefix" but I don't see how to inject dynamic values (i.e.
>> > the tenant id).
>> > Am I completely on the wrong track here?
>>
>> Yeah, that's unrelated. It's used by the gateway to identify whether
>> it's swift or not, and to generate the storage-url by the rgw
>> swift-auth.
>
>>
>> > My final goal would be to have a sort of namespace for each keystone tenant
>> > (or RGW user).
>> > Tenant's users (RGW subusers) would be confined in that namespace and able
>> > to access each other's files based on ACLs.
>> > Is this use case supported by the couple radosgw/keystone?
>>
>> Not currently. At the moment all rgw users share a single namespace.
>> The rgw user <-> tenant mapping is more like the way S3 handles it. I
>> just created issue #5073 to allow that.
>>
>
>
> So for the moment, the only way to ensure this would be at the application
> level?
>
>
>
>> >
>> >
>> > The second problem is that I'm not sure the keystone revocation process is
>> > functioning correctly, here's what the logs show:
>> >
>> > 2013-05-15 15:08:22.452380 7fa816bf9700  0 ERROR: signer 0 status =
>> > SigningCertNotTrusted
>> > 2013-05-15 15:08:22.452424 7fa816bf9700  0 ERROR: problem decoding
>> > 2013-05-15 15:08:22.452443 7fa816bf9700  0 ceph_decode_cms returned -22
>> > 2013-05-15 15:08:22.452463 7fa816bf9700  0 ERROR: keystone revocation
>> > processing returned error r=-22
>> >
>> > I've imported keystone's CA and signing certificate, so not sure what's
>> > wrong here but looks like the certutil step is not correct or complete.
>> >
>>
>> It's hard to really identify what the problem is. It might be that
>> you've converted the wrong openssl certificate.
>>
>
>
> Alright, then maybe something is wrong on the keystone side. I'll
> regenerate keystone certs, ensure they're used for signing and try again.
>
>
>
>> Yehuda
>>
>> >
>> > For reference i report here my config for the radosgw :
>> >
>> > [client.radosgw.gateway]
>> >         host = ubu-keystone
>> >         keyring = /etc/ceph/keyring.radosgw.gateway
>> >         rgw socket path = /tmp/radosgw.sock
>> >         log file = /var/log/ceph/radosgw.log
>> >         debug rgw = 20
>> > # Not using the 100-continue Apache
>> >         rgw print continue = false
>> >         rgw dns name = ubu-keystone
>> >         rgw keystone url = http://ubu-keystone:35357
>> >         rgw keystone admin token = ADMINTOKEN
>> >         rgw keystone accepted roles = Member, admin, swiftoperator
>> >         rgw keystone token cache size = 500
>> >         rgw keystone revocation interval = 600
>> >         nss db path = /var/lib/ceph/nss
>> >
>> >
>> > Thanks in advance,
>> > Cheers,
>> > Davide
>> >
>> >
>> > _______________________________________________
>> > ceph-users mailing list
>> > [email protected]
>> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>> >
>>
>
>
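Added here as an editor's example, not code from the thread or from Ceph: the question above is about the certutil(1) trust attributes ("-t") that the CA and signing certificate are imported with. The string has three comma-separated fields (SSL, email, object signing) and each field is a set of flag letters whose meanings and implications are taken from the certutil man page. The parser below decodes such a string, rejects malformed ones, and compares the effective trust of two strings per category, which is what a reviewer needs in order to see what "TCu,Cu,Tuw" actually grants. The only input value taken from the thread is "TCu,Cu,Tuw"; any other strings are constructed for illustration.

```python
# Added example (not from the thread): decode NSS certutil(1) trust-attribute
# strings such as "TCu,Cu,Tuw" into per-category meaning so that the trust
# assigned to a CA and a signing certificate in an rgw NSS database can be
# reviewed. Flag letters and the implied flags follow the certutil man page.

CATEGORIES = ("SSL", "email", "object signing")

FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates",
    "C": "trusted CA to issue server certificates",
    "u": "user certificate",
    "w": "send warning",
}

# Flags that certutil documents as implying another flag.
IMPLIES = {"P": "p", "T": "c", "C": "c"}


def parse_trust_args(trustargs):
    """Return {category: set(flag letters)} for a certutil -t string.

    Malformed input (not exactly three comma-separated fields, or an unknown
    letter) raises ValueError instead of being silently accepted; a typo in a
    copy-pasted how-to should fail loudly rather than import a cert with
    unintended trust.
    """
    fields = trustargs.split(",")
    if len(fields) != len(CATEGORIES):
        raise ValueError(
            "expected 3 comma-separated fields (SSL,email,object signing), "
            "got %d in %r" % (len(fields), trustargs)
        )
    parsed = {}
    for category, field in zip(CATEGORIES, fields):
        letters = set(field)
        unknown = letters - set(FLAGS)
        if unknown:
            raise ValueError("unknown trust flag(s) %s in %r"
                             % (sorted(unknown), trustargs))
        # Expand implied flags so later checks can test a single letter.
        for letter in list(letters):
            if letter in IMPLIES:
                letters.add(IMPLIES[letter])
        parsed[category] = letters
    return parsed


def is_trusted_ca(trustargs, category="SSL"):
    """True if the cert is a trust anchor (T or C) for the given category."""
    return bool(parse_trust_args(trustargs)[category] & {"T", "C"})


def is_trusted_peer(trustargs, category="SSL"):
    """True if the cert itself is trusted as an end-entity (P) for the category."""
    return "P" in parse_trust_args(trustargs)[category]


def diff_trust(trustargs_a, trustargs_b):
    """Categories whose effective flags differ between two -t strings.

    Returns {} when both strings grant the same trust everywhere.
    """
    a = parse_trust_args(trustargs_a)
    b = parse_trust_args(trustargs_b)
    return {cat: (a[cat], b[cat]) for cat in CATEGORIES if a[cat] != b[cat]}


def describe(trustargs):
    """One human-readable line per category, for a review checklist."""
    parsed = parse_trust_args(trustargs)
    lines = []
    for category in CATEGORIES:
        letters = parsed[category]
        meaning = ("; ".join(FLAGS[l] for l in sorted(letters))
                   if letters else "no trust flags")
        lines.append("%-15s %s" % (category + ":", meaning))
    return lines


if __name__ == "__main__":
    # "TCu,Cu,Tuw" is the string quoted in the thread; "Cu,Cu,Tuw" is a
    # constructed alternative used only to show what diff_trust reports.
    for args in ("TCu,Cu,Tuw", "Cu,Cu,Tuw"):
        print(args)
        for line in describe(args):
            print("  " + line)
    print("differences:", diff_trust("TCu,Cu,Tuw", "Cu,Cu,Tuw"))
    try:
        parse_trust_args("TCu,Cu")  # constructed malformed input
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the expanded meaning of each field; for "TCu,Cu,Tuw" the SSL field comes out as a trusted CA for both client and server certificates plus a user certificate, the email field as a trusted CA for server certificates, and the object-signing field as a trusted CA for client certificates with a warning flag. `diff_trust` makes the "same type for both certs?" question mechanical: it reports exactly which categories two strings disagree on.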