Hi again,

I found that a keystone extension is required to interact between S3 and keystone, and it's possible to get the list of the installed extensions.

When I request post http://10.194.167.23:5000/v2.0/extension, I got in the response body:

<?xml version="1.0" encoding="UTF-8"?>
<extensions xmlns="http://docs.openstack.org/identity/api/v2.0">
  <extension updated="2014-02-24T20:51:0-00:00" name="OpenStack Revoke API" namespace="http://docs.openstack.org/identity/api/ext/OS-REVOKE/v1.0" alias="OS-REVOKE">
    <links>
      <link href="https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-revoke-ext.md" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack revoked token reporting mechanism.</description>
  </extension>
  <extension updated="2013-12-17T12:00:0-00:00" name="OpenStack Federation APIs" namespace="http://docs.openstack.org/identity/api/ext/OS-FEDERATION/v1.0" alias="OS-FEDERATION">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack Identity Providers Mechanism.</description>
  </extension>
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack Keystone User CRUD" namespace="http://docs.openstack.org/identity/api/ext/OS-KSCRUD/v1.0" alias="OS-KSCRUD">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack extensions to Keystone v2.0 API enabling User Operations.</description>
  </extension>
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack EC2 API" namespace="http://docs.openstack.org/identity/api/ext/OS-EC2/v1.0" alias="OS-EC2">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack EC2 Credentials backend.</description>
  </extension>
  <extension updated="2014-01-20T12:00:0-00:00" name="OpenStack Simple Certificate API" namespace="http://docs.openstack.org/identity/api/ext/OS-SIMPLE-CERT/v1.0" alias="OS-SIMPLE-CERT">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack simple certificate retrieval extension</description>
  </extension>
</extensions>

In other words, no S3 extension.

But, when I request post http://10.194.167.23:35357/v2.0/extension, I got in the response body:

<?xml version="1.0" encoding="UTF-8"?>
<extensions xmlns="http://docs.openstack.org/identity/api/v2.0">
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack S3 API" namespace="http://docs.openstack.org/identity/api/ext/s3tokens/v1.0" alias="s3tokens">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack S3 API.</description>
  </extension>
  <extension updated="2013-07-23T12:00:0-00:00" name="OpenStack Keystone Endpoint Filter API" namespace="http://docs.openstack.org/identity/api/ext/OS-EP-FILTER/v1.0" alias="OS-EP-FILTER">
    <links>
      <link href="https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack Keystone Endpoint Filter API.</description>
  </extension>
  <extension updated="2014-02-24T20:51:0-00:00" name="OpenStack Revoke API" namespace="http://docs.openstack.org/identity/api/ext/OS-REVOKE/v1.0" alias="OS-REVOKE">
    <links>
      <link href="https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-revoke-ext.md" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack revoked token reporting mechanism.</description>
  </extension>
  <extension updated="2013-12-17T12:00:0-00:00" name="OpenStack Federation APIs" namespace="http://docs.openstack.org/identity/api/ext/OS-FEDERATION/v1.0" alias="OS-FEDERATION">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack Identity Providers Mechanism.</description>
  </extension>
  <extension updated="2013-07-11T17:14:00-00:00" name="OpenStack Keystone Admin" namespace="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" alias="OS-KSADM">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack extensions to Keystone v2.0 API enabling Administrative Operations.</description>
  </extension>
  <extension updated="2014-01-20T12:00:0-00:00" name="OpenStack Simple Certificate API" namespace="http://docs.openstack.org/identity/api/ext/OS-SIMPLE-CERT/v1.0" alias="OS-SIMPLE-CERT">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack simple certificate retrieval extension</description>
  </extension>
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack EC2 API" namespace="http://docs.openstack.org/identity/api/ext/OS-EC2/v1.0" alias="OS-EC2">
    <links>
      <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/>
    </links>
    <description>OpenStack EC2 Credentials backend.</description>
  </extension>
</extensions>

It seems much better. Nevertheless, when I changed the keystone url in ceph.conf in order to use the 35357 port, I got in the keystone log a 401 error (unauthorized):

2015-05-06 13:41:40.502 10431 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.193.108.238
2015-05-06 13:41:40.505 10431 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 13:41:40] "POST /v2.0/s3tokens HTTP/1.1" 401 333 0.020001

As I don't manage the keystone configuration, I will have to submit this issue to the administrator.
Best regards

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday, 6 May 2015 11:48
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Addendum

In the keystone log, I got:

2015-05-06 11:42:24.594 10435 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 11:42:24] "POST /v2.0/s3tokens HTTP/1.1" 404 247 0.003872

Something is missing. This is my new quest...

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday, 6 May 2015 10:24
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Hi,

Coming back to that issue.

My endpoint wasn't set up right. I changed it to myrgw:myport (rgwow:8080) in the cloudberry profile or in the curl request, and I got a 403 error due to a potential bad role returned by keystone.

In the radosgw log, I got:

2015-05-05 14:58:23.895961 7fb9f4fe9700 1 ====== starting new request req=0x7fba040177c0 =====
2015-05-05 14:58:23.895975 7fb9f4fe9700 2 req 82:0.000015::GET /::initializing
2015-05-05 14:58:23.896009 7fb9f4fe9700 10 s->object=<NULL> s->bucket=<NULL>
2015-05-05 14:58:23.896014 7fb9f4fe9700 2 req 82:0.000054:s3:GET /::getting op
2015-05-05 14:58:23.896018 7fb9f4fe9700 2 req 82:0.000058:s3:GET /:list_buckets:authorizing
2015-05-05 14:58:23.896022 7fb9f4fe9700 2 req 82:0.000062:s3:GET /:list_buckets:reading permissions
2015-05-05 14:58:23.896027 7fb9f4fe9700 2 req 82:0.000067:s3:GET /:list_buckets:init op
2015-05-05 14:58:23.896030 7fb9f4fe9700 2 req 82:0.000070:s3:GET /:list_buckets:verifying op mask
2015-05-05 14:58:23.896032 7fb9f4fe9700 20 required_mask= 1 user.op_mask=7
2015-05-05 14:58:23.896033 7fb9f4fe9700 2 req 82:0.000073:s3:GET /:list_buckets:verifying op permissions
2015-05-05 14:58:23.896036 7fb9f4fe9700 2 req 82:0.000075:s3:GET /:list_buckets:verifying op params
2015-05-05 14:58:23.896037 7fb9f4fe9700 2 req 82:0.000077:s3:GET /:list_buckets:executing
2015-05-05 14:58:23.898267 7fb9f4fe9700 5 nothing to log for operation
2015-05-05 14:58:23.898286 7fb9f4fe9700 2 req 82:0.002326:s3:GET /:list_buckets:http status=200
2015-05-05 14:58:23.898293 7fb9f4fe9700 1 ====== req done req=0x7fba040177c0 http_status=200 ======
2015-05-05 14:58:24.227297 7fba215f8700 20 enqueued request req=0x7fba04013580
2015-05-05 14:58:24.227318 7fba215f8700 20 RGWWQ:
2015-05-05 14:58:24.227320 7fba215f8700 20 req: 0x7fba04013580
2015-05-05 14:58:24.227328 7fba215f8700 10 allocated request req=0x7fba04012050
2015-05-05 14:58:24.227454 7fb9f57ea700 20 dequeued request req=0x7fba04013580
2015-05-05 14:58:24.227471 7fb9f57ea700 20 RGWWQ: empty
2015-05-05 14:58:24.227512 7fb9f57ea700 20 DOCUMENT_ROOT=/var/www/radosgw
2015-05-05 14:58:24.227515 7fb9f57ea700 20 FCGI_ROLE=RESPONDER
2015-05-05 14:58:24.227516 7fb9f57ea700 20 GATEWAY_INTERFACE=CGI/1.1
2015-05-05 14:58:24.227517 7fb9f57ea700 20 HTTP_ACCEPT=*/*
2015-05-05 14:58:24.227518 7fb9f57ea700 20 HTTP_AUTHORIZATION=AWS ffd80839282d4183afedff542de10760:9vF6bLQCF4a/bYTgaxPjl1bFro4=
2015-05-05 14:58:24.227520 7fb9f57ea700 20 HTTP_CONNECTION=close
2015-05-05 14:58:24.227521 7fb9f57ea700 20 HTTP_DATE=Tue, 05 May 2015 12:58:24 +0000
2015-05-05 14:58:24.227522 7fb9f57ea700 20 HTTP_HOST=rgwow:8080
2015-05-05 14:58:24.227523 7fb9f57ea700 20 HTTP_USER_AGENT=curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
2015-05-05 14:58:24.227524 7fb9f57ea700 20 PATH=/usr/local/bin:/usr/bin:/bin
2015-05-05 14:58:24.227525 7fb9f57ea700 20 QUERY_STRING=page=&params=
2015-05-05 14:58:24.227526 7fb9f57ea700 20 REMOTE_ADDR=10.193.108.105
2015-05-05 14:58:24.227527 7fb9f57ea700 20 REMOTE_PORT=44436
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_METHOD=GET
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_URI=/
2015-05-05 14:58:24.227529 7fb9f57ea700 20 SCRIPT_FILENAME=/var/www/radosgw/s3gw.fcgi
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_NAME=/
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_URI=http://rgwow:8080/
2015-05-05 14:58:24.227531 7fb9f57ea700 20 SCRIPT_URL=/
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADDR=10.193.108.236
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADMIN=[no address given]
2015-05-05 14:58:24.227533 7fb9f57ea700 20 SERVER_NAME=rgwow
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PORT=8080
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PROTOCOL=HTTP/1.1
2015-05-05 14:58:24.227535 7fb9f57ea700 20 SERVER_SIGNATURE=
2015-05-05 14:58:24.227536 7fb9f57ea700 20 SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)
2015-05-05 14:58:24.227537 7fb9f57ea700 1 ====== starting new request req=0x7fba04013580 =====
2015-05-05 14:58:24.227551 7fb9f57ea700 2 req 83:0.000014::GET /::initializing
2015-05-05 14:58:24.227557 7fb9f57ea700 10 host=rgwow:8080 rgw_dns_name=rgwow
2015-05-05 14:58:24.227588 7fb9f57ea700 10 s->object=<NULL> s->bucket=<NULL>
2015-05-05 14:58:24.227593 7fb9f57ea700 2 req 83:0.000056:s3:GET /::getting op
2015-05-05 14:58:24.227596 7fb9f57ea700 2 req 83:0.000059:s3:GET /:list_buckets:authorizing
2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth
2015-05-05 14:58:24.227693 7fb9f57ea700 10 get_canon_resource(): dest=/
2015-05-05 14:58:24.227776 7fb9f57ea700 20 sending request to 10.194.167.23:5000/v2.0/s3tokens
2015-05-05 14:58:24.233049 7fb9f57ea700 5 s3 keystone: user does not hold a matching role; required roles: _member_, Member, admin, swiftoperator
2015-05-05 14:58:24.233121 7fb9f57ea700 20 get_obj_state: rctx=0x7fba6c0021e0 obj=.users:ffd80839282d4183afedff542de10760 state=0x7fba6c00b1a8 s->prefetch_data=0
2015-05-05 14:58:24.233135 7fb9f57ea700 10 cache get: name=.users+ffd80839282d4183afedff542de10760 : miss
2015-05-05 14:58:24.235002 7fb9f57ea700 10 cache put: name=.users+ffd80839282d4183afedff542de10760
2015-05-05 14:58:24.235025 7fb9f57ea700 10 adding .users+ffd80839282d4183afedff542de10760 to cache LRU end
2015-05-05 14:58:24.235038 7fb9f57ea700 5 error reading user info, uid=ffd80839282d4183afedff542de10760 can't authenticate
2015-05-05 14:58:24.235041 7fb9f57ea700 10 failed to authorize request
2015-05-05 14:58:24.235098 7fb9f57ea700 5 nothing to log for operation
2015-05-05 14:58:24.235102 7fb9f57ea700 2 req 83:0.007565:s3:GET /:list_buckets:http status=403
2015-05-05 14:58:24.235108 7fb9f57ea700 1 ====== req done req=0x7fba04013580 http_status=403 ======

In the keystone request, there is s3tokens. Is it a standard implementation or does the keystone installation require something specific?

Best regards

From: ceph-users [mailto:[email protected]] On behalf of [email protected]
Sent: Thursday, 16 April 2015 13:14
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

I finally configured a cloudberry profile by setting what seems to be the right endpoint for object storage according to the openstack environment: myrgw:myport/swift/v1

I got a "204 no content" error even if 2 containers were previously created by a swift operation with objects in them.

In the log, I saw a dialog between the rgw and keystone, but the right service doesn't seem to be selected and the id became anonymous.

Any idea?

From: ceph-users [mailto:[email protected]] On behalf of [email protected]
Sent: Wednesday, 15 April 2015 18:39
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

Despite the creation of ec2 credentials, which provide an accesskey and a secretkey for a user, it's always impossible to connect using S3 (Forbidden/Access denied).

All is right using swift (create container, list container, get object, put object, delete object). I use the cloudberry client to do so.

Does someone know how I can check if the interoperability between keystone and the rgw is correctly set up? In the rgw pools? In the radosgw metadata?

Best regards

From: ceph-users [mailto:[email protected]] On behalf of [email protected]
Sent: Wednesday, 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Thanks a lot. That helps.
From: Erik McCormick [mailto:[email protected]]
Sent: Monday, 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security->API Access. Using the CLI you can use the openstack client like "openstack credential <list | show | create | delete | set>" or with the keystone client like "keystone ec2-credentials-list", etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, <[email protected]> wrote:

Hi all,

Coming back to that issue.

I successfully used keystone users for the rados gateway and the swift API, but I still don't understand how it can work with the S3 API, i.e. S3 users (AccessKey/SecretKey).

I found a swift3 initiative, but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in: https://github.com/stackforge/swift3

A rgw can be, at the same time, under keystone control and standard radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can a rgw work for S3 users if they are stored in keystone? Which is the accesskey and secretkey?
What is the purpose of the "rgw s3 auth use keystone" parameter?

Best regards

----------------------

From: ceph-users [mailto:[email protected]] On behalf of [email protected]
Sent: Monday, 23 March 2015 14:03
To: ceph-users
Subject: [ceph-users] Rados Gateway and keystone

Hi All,

I just would like to be sure about the keystone configuration for Rados Gateway.

I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.

In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
How does it work for S3 users?
What is the purpose of the "rgw s3 auth use keystone" parameter?

Best regards

- - - - - - - - - - - - - - - - -
Ghislain Chevalier
+33299124432
+33788624370
[email protected]

_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
_______________________________________________ ceph-users mailing list [email protected] http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
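An added diagnostic, not code from the thread, Ceph or Keystone: it parses the Keystone v2.0 extension listing XML quoted in the first message and an RGW log excerpt like the one quoted later, and reports whether the Keystone endpoint RGW actually sent its s3tokens request to advertises that extension. The XML and log samples are constructed from the thread's own output, trimmed to a few elements.

```python
"""Check whether the Keystone endpoint RGW talks to advertises 's3tokens'.
Added example, not code from the thread, Ceph or Keystone; the samples below
are constructed from the thread's own output and trimmed to a few elements."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Keystone v2.0 extension listing, as in the thread's responses.
NS = {"id": "http://docs.openstack.org/identity/api/v2.0"}

# Constructed: what the public endpoint (port 5000) returned, trimmed.
PUBLIC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<extensions xmlns="http://docs.openstack.org/identity/api/v2.0">
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack EC2 API" namespace="http://docs.openstack.org/identity/api/ext/OS-EC2/v1.0" alias="OS-EC2">
    <description>OpenStack EC2 Credentials backend.</description>
  </extension>
  <extension updated="2014-02-24T20:51:0-00:00" name="OpenStack Revoke API" namespace="http://docs.openstack.org/identity/api/ext/OS-REVOKE/v1.0" alias="OS-REVOKE">
    <description>OpenStack revoked token reporting mechanism.</description>
  </extension>
</extensions>"""

# Constructed: what the admin endpoint (port 35357) returned, trimmed.
ADMIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<extensions xmlns="http://docs.openstack.org/identity/api/v2.0">
  <extension updated="2013-07-07T12:00:0-00:00" name="OpenStack S3 API" namespace="http://docs.openstack.org/identity/api/ext/s3tokens/v1.0" alias="s3tokens">
    <description>OpenStack S3 API.</description>
  </extension>
  <extension updated="2013-07-11T17:14:00-00:00" name="OpenStack Keystone Admin" namespace="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" alias="OS-KSADM">
    <description>OpenStack extensions to Keystone v2.0 API enabling Administrative Operations.</description>
  </extension>
</extensions>"""

# Constructed RGW log excerpt modelled on the lines quoted in the thread.
RGW_LOG = """\
2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth
2015-05-05 14:58:24.227776 7fb9f57ea700 20 sending request to 10.194.167.23:5000/v2.0/s3tokens
2015-05-05 14:58:24.233049 7fb9f57ea700 5 s3 keystone: user does not hold a matching role; required roles: _member_, Member, admin, swiftoperator
"""

TARGET_RE = re.compile(r"sending request to (\S+?)/v2\.0/s3tokens")
ROLES_RE = re.compile(r"required roles: (.+)$", re.MULTILINE)

def list_extensions(xml_text):
    """Return {alias: name} for every <extension> in a v2.0 listing."""
    root = ET.fromstring(xml_text)
    return {e.get("alias"): e.get("name") for e in root.findall("id:extension", NS)}

def rgw_keystone_target(log_text):
    """host:port RGW sent its s3tokens request to, or None if not logged."""
    m = TARGET_RE.search(log_text)
    return m.group(1) if m else None

def rgw_required_roles(log_text):
    """Roles RGW said it accepts when it rejected the user (empty if none logged)."""
    m = ROLES_RE.search(log_text)
    return [r.strip() for r in m.group(1).split(",")] if m else []

def diagnose(listings, log_text):
    """(target, advertised): whether the endpoint RGW actually used advertises
    s3tokens; advertised is None when that endpoint's listing is unknown."""
    target = rgw_keystone_target(log_text)
    if target is None or target not in listings:
        return target, None
    return target, "s3tokens" in list_extensions(listings[target])

if __name__ == "__main__":
    hosts = {"10.194.167.23:5000": PUBLIC_XML, "10.194.167.23:35357": ADMIN_XML}
    print(diagnose(hosts, RGW_LOG), rgw_required_roles(RGW_LOG))
```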
