Re: [ceph-users] Ganesha-rgw export with LDAP auth

2018-03-09 Thread Benjeman Meekhof
Hi Matt,

Sorry about incomplete last message sent by mistake (unknown hotkey
slip, secrets have been invalidated).

So to continue:
In ganesha.conf, Access_Key_Id is set to the ldap token; that token encodes
a user 'myuser' with secret 'whatever'.  The User_id and Secret_access_key
settings are blank - they cannot be left out or the config parser complains,
but I would expect they are unused in this context.

In ganesha log it seems to pick up what you'd expect out of the ldap token:
2018-03-09 11:21:27.513315 7fafbfd861c0 12 auth search filter: (uid=myuser)

I have seen that there would be an 'auth simple_bind failed' message
from the rgw instance if this bind failed...

And in ldap logs it appears to bind:
[09/Mar/2018:11:21:27.637588220 -0500] conn=8965 op=0 BIND dn="uid=myuser,ou=RGWUsers,dc=example,dc=org" method=128 version=3

But still have this in ganesha log:
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] create_export :FSAL :CRIT :Authorization Failed for user

That's not truncated, it's using the User_id setting which is an empty
string.  It doesn't work even if I put 'myuser' in User_id though.

The net result is the share doesn't initialize.
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] mdcache_fsal_create_export :FSAL :MAJ :Failed to call create_export on underlying FSAL RGW
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] fsal_put :FSAL :INFO :FSAL RGW now unused
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] fsal_cfg_commit :CONFIG :CRIT :Could not create export for (/) to (/)

This same configuration has no issues if I use radosgw-admin to create
a user that does not use LDAP for authentication and configure with
those credentials.  Likewise the same ldap token I am using for
Access_Key_Id is working fine via an rgw http instance.

Let me know if there's any other info that would be useful, and thanks
very much for the help.

regards,
Ben


On Fri, Mar 9, 2018 at 12:16 PM, Matt Benjamin wrote:
> Hi Benjeman,
>
> It is -intended- to work, identically to the standalone radosgw
> server.  I can try to verify whether there could be a bug affecting
> this path.
>
> Matt
>
> On Fri, Mar 9, 2018 at 12:01 PM, Benjeman Meekhof wrote:
>> I'm having issues exporting a radosgw bucket if the configured user is
>> authenticated using the rgw ldap connectors.  I've verified that this
>> same ldap token works ok for other clients, and as I'll note below it
>> seems like the rgw instance is contacting the LDAP server and
>> successfully authenticating the user.  Details:
>>
>> Ganesha export:
>> FSAL {
>>     Name = RGW;
>>     User_Id = "";
>>
>>     Access_Key_Id = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluIiwia2V$
>>
>>     # Secret_Access_Key = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluI$
>>     # Secret_Access_Key = "weW\/XGiHfcVhtH3chUTyoF+uz9Ldz3Hz";
>> }
>> ___
>> ceph-users mailing list
>> ceph-users@lists.ceph.com
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>>
>>
>
>
>
> --
>
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-821-5101
> fax.  734-769-8938
> cel.  734-216-5309


Re: [ceph-users] Ganesha-rgw export with LDAP auth

2018-03-09 Thread Matt Benjamin
Hi Benjeman,

It is -intended- to work, identically to the standalone radosgw
server.  I can try to verify whether there could be a bug affecting
this path.

Matt

On Fri, Mar 9, 2018 at 12:01 PM, Benjeman Meekhof wrote:
> I'm having issues exporting a radosgw bucket if the configured user is
> authenticated using the rgw ldap connectors.  I've verified that this
> same ldap token works ok for other clients, and as I'll note below it
> seems like the rgw instance is contacting the LDAP server and
> successfully authenticating the user.  Details:
>
> Ganesha export:
> FSAL {
>     Name = RGW;
>     User_Id = "";
>
>     Access_Key_Id = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluIiwia2V$
>
>     # Secret_Access_Key = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluI$
>     # Secret_Access_Key = "weW\/XGiHfcVhtH3chUTyoF+uz9Ldz3Hz";
> }



-- 

Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309


[ceph-users] Ganesha-rgw export with LDAP auth

2018-03-09 Thread Benjeman Meekhof
I'm having issues exporting a radosgw bucket if the configured user is
authenticated using the rgw ldap connectors.  I've verified that this
same ldap token works ok for other clients, and as I'll note below it
seems like the rgw instance is contacting the LDAP server and
successfully authenticating the user.  Details:

Ganesha export:
FSAL {
    Name = RGW;
    User_Id = "";

    Access_Key_Id = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluIiwia2V$

    # Secret_Access_Key = "eyJSR1dfVE9LRU4iOnsidmVyc2lvbiI6MSwidHlwZSI6ImxkYXAiLCJpZCI6ImJtZWVraG9mX29zaXJpc2FkbWluI$
    # Secret_Access_Key = "weW\/XGiHfcVhtH3chUTyoF+uz9Ldz3Hz";
}
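
Added example, not part of the original posts: the Access_Key_Id above is an RGW LDAP token, which is base64 over JSON (the visible prefix decodes to `{"RGW_TOKEN":{"version":1,"type":"ldap","id":`), so the LDAP password it carries is readable by anyone who sees the config. This Python sketch decodes such a token and returns it with the key redacted, to check which id it encodes before sharing a config; the function names are hypothetical and the sample token is constructed from the 'myuser'/'whatever' values mentioned in the follow-up.

```python
import base64
import json

# Field names as they appear in the decoded prefix of the token in the thread.
REQUIRED = ("version", "type", "id", "key")


def encode_rgw_token(uid, secret, ttype="ldap"):
    """Build a sample token: base64 over compact JSON. No encryption is involved."""
    body = {"RGW_TOKEN": {"version": 1, "type": ttype, "id": uid, "key": secret}}
    return base64.b64encode(json.dumps(body, separators=(",", ":")).encode()).decode()


def decode_rgw_token(token):
    """Return the inner RGW_TOKEN dict; raise ValueError if the token is malformed."""
    token = token.strip().strip('"')
    if token.endswith("$"):
        # Assumption: a trailing '$' is an editor's marker for a line cut at the
        # screen edge, so the pasted value is incomplete.
        raise ValueError("token is truncated ('$' marker); copy the full line")
    try:
        inner = json.loads(base64.b64decode(token, validate=True))["RGW_TOKEN"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"not an RGW token: {exc}") from exc
    missing = [k for k in REQUIRED if not isinstance(inner, dict) or k not in inner]
    if missing:
        raise ValueError(f"RGW token lacks fields: {missing}")
    return inner


def redacted(token):
    """Decoded view that is safe to paste: id kept, key replaced."""
    inner = dict(decode_rgw_token(token))
    inner["key"] = "<redacted>"
    return inner


if __name__ == "__main__":
    sample = encode_rgw_token("myuser", "whatever")  # constructed sample values
    print(sample)
    print(redacted(sample))
```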