Re: [ceph-users] Rados Gateway and keystone
Thx Mark

I understand the specific parameters are mandatory for the S3 implementation, but as they are not for the swift implementation (I tested it...), it would have been better to distinguish which parameter is mandatory according to the implementation.
For the S3 implementation, the creation of ec2-credentials is also missing.

I hope this discussion will help.

Best regards

-----Original Message-----
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of Mark Kirkwood
Sent: Thursday 7 May 2015 11:24
To: ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Rados Gateway and keystone

On 07/05/15 20:21, ghislain.cheval...@orange.com wrote:
> Hi all,
>
> After adding the nss and the keystone admin url parameters in ceph.conf and creating the openSSL certificates, all is working well.
>
> If I had followed the doc and processed by copy/paste, I wouldn't have encountered any problems.
>
> As all is working well without this set of parameters using the swift API and keystone, it would be helpful if the page http://ceph.com/docs/master/radosgw/keystone/ was more precise according to this implementation.
>
> Best regards
>
> -----Original Message-----
> From: CHEVALIER Ghislain IMT/OLPS
> Sent: Monday 13 April 2015 16:17
> To: ceph-users
> Subject: RE: [ceph-users] Rados Gateway and keystone
>
> Hi all,
>
> Coming back to that issue.
> I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
> I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
> https://github.com/stackforge/swift3
>
> A rgw can be, at the same time, under keystone control and standard radosgw-admin if
> - for swift, you use the right authentication service (keystone or internal)
> - for S3, you use the internal authentication service
>
> So, my questions are still valid.
> How can a rgw work for S3 users if they are stored in keystone?
> Which is the accesskey and secretkey?
> What is the purpose of rgw s3 auth use keystone parameter?

The difference is that (in particular with the v2 protocol) swift clients talk to keystone to a) authenticate and b) find the swift storage endpoint (even if it is actually pointing to rgw).

In contrast s3 clients will talk directly to the rgw, and *it* will talk to keystone to check the client's s3 credentials for them. That's why rgw needs to have rgw s3 auth use keystone and similar parameters.

Cheers

Mark
Re: [ceph-users] Rados Gateway and keystone
On 07/05/15 20:21, ghislain.cheval...@orange.com wrote:
> Hi all,
>
> After adding the nss and the keystone admin url parameters in ceph.conf and creating the openSSL certificates, all is working well.
>
> If I had followed the doc and processed by copy/paste, I wouldn't have encountered any problems.
>
> As all is working well without this set of parameters using the swift API and keystone, it would be helpful if the page http://ceph.com/docs/master/radosgw/keystone/ was more precise according to this implementation.
>
> Best regards
>
> -----Original Message-----
> From: CHEVALIER Ghislain IMT/OLPS
> Sent: Monday 13 April 2015 16:17
> To: ceph-users
> Subject: RE: [ceph-users] Rados Gateway and keystone
>
> Hi all,
>
> Coming back to that issue.
> I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
> I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
> https://github.com/stackforge/swift3
>
> A rgw can be, at the same time, under keystone control and standard radosgw-admin if
> - for swift, you use the right authentication service (keystone or internal)
> - for S3, you use the internal authentication service
>
> So, my questions are still valid.
> How can a rgw work for S3 users if they are stored in keystone?
> Which is the accesskey and secretkey?
> What is the purpose of rgw s3 auth use keystone parameter?

The difference is that (in particular with the v2 protocol) swift clients talk to keystone to a) authenticate and b) find the swift storage endpoint (even if it is actually pointing to rgw).

In contrast s3 clients will talk directly to the rgw, and *it* will talk to keystone to check the client's s3 credentials for them. That's why rgw needs to have rgw s3 auth use keystone and similar parameters.

Cheers

Mark
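The S3 path described in the reply above, as an added example that is not part of the thread and is not Ceph or Keystone code: the client signs the request, the gateway forwards the access key, the string to sign and the signature to Keystone, and Keystone recomputes the HMAC with the stored EC2 secret. The gateway never holds the secret, which is why it needs its own Keystone settings for S3. The credential values, the JSON field names of the s3tokens body, the role allow-list and all function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed Keystone EC2 credential table (access key -> record); no real keys.
EC2_CREDENTIALS = {
    "EXAMPLEACCESS0001": {"secret": "example-secret-one", "user": "demo",
                          "tenant": "demo-project", "roles": ["Member"]},
    "EXAMPLEACCESS0002": {"secret": "example-secret-two", "user": "auditor",
                          "tenant": "demo-project", "roles": ["ReadOnly"]},
}
# Assumed gateway-side allow-list of Keystone roles.
ACCEPTED_ROLES = {"Member", "admin"}


def string_to_sign(method, date, resource, content_md5="", content_type=""):
    """AWS signature v2 canonical string for a request without x-amz-* headers."""
    return "\n".join([method, content_md5, content_type, date, resource])


def sign_v2(secret, message):
    """Base64(HMAC-SHA1(secret, message)); message is bytes."""
    mac = hmac.new(secret.encode(), message, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_authorization(access, secret, method, date, resource):
    """Authorization header built by the S3 client, the only party besides
    Keystone that knows the secret."""
    message = string_to_sign(method, date, resource).encode()
    return "AWS {}:{}".format(access, sign_v2(secret, message))


def parse_authorization(header):
    """Split 'AWS <access>:<signature>' and reject anything else."""
    scheme, _, rest = header.partition(" ")
    access, sep, signature = rest.partition(":")
    if scheme != "AWS" or not sep or not access or not signature:
        raise ValueError("not an AWS v2 Authorization header")
    return access, signature


def gateway_s3tokens_body(access, signature, method, date, resource):
    """JSON the gateway sends to Keystone (field names are assumptions).
    The string to sign is rebuilt from the request the gateway received."""
    message = string_to_sign(method, date, resource).encode()
    return json.dumps({"credentials": {
        "access": access,
        "token": base64.urlsafe_b64encode(message).decode(),
        "signature": signature,
    }})


def keystone_s3tokens(body, table):
    """Keystone side: look up the secret, recompute the HMAC, compare."""
    creds = json.loads(body)["credentials"]
    record = table.get(creds["access"])
    if record is None:
        return None  # unknown access key
    message = base64.urlsafe_b64decode(creds["token"])
    expected = sign_v2(record["secret"], message)
    # Constant-time comparison of the two signatures.
    if not hmac.compare_digest(expected.encode(), creds["signature"].encode()):
        return None
    return {"user": record["user"], "tenant": record["tenant"],
            "roles": list(record["roles"])}


def gateway_handle(header, method, date, resource, table=EC2_CREDENTIALS):
    """Return the HTTP status the gateway would answer with."""
    try:
        access, signature = parse_authorization(header)
    except ValueError:
        return 400
    body = gateway_s3tokens_body(access, signature, method, date, resource)
    identity = keystone_s3tokens(body, table)
    if identity is None:
        return 403  # Keystone did not validate the credentials
    if not ACCEPTED_ROLES.intersection(identity["roles"]):
        return 403  # authenticated, but no accepted role
    return 200


if __name__ == "__main__":
    date = "Tue, 05 May 2015 12:58:24 +0000"  # constructed request date
    header = client_authorization("EXAMPLEACCESS0001", "example-secret-one",
                                  "GET", date, "/")
    print(header, "->", gateway_handle(header, "GET", date, "/"))
```

A 403 from the gateway therefore has two distinct causes on this path: Keystone rejecting the signature, or Keystone returning an identity whose roles the gateway does not accept.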
Re: [ceph-users] Rados Gateway and keystone
Hi all,

After adding the nss and the keystone admin url parameters in ceph.conf and creating the openSSL certificates, all is working well.

If I had followed the doc and processed by copy/paste, I wouldn't have encountered any problems.

As all is working well without this set of parameters using the swift API and keystone, it would be helpful if the page http://ceph.com/docs/master/radosgw/keystone/ was more precise according to this implementation.

Best regards

-----Original Message-----
From: CHEVALIER Ghislain IMT/OLPS
Sent: Monday 13 April 2015 16:17
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Hi all,

Coming back to that issue.
I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
https://github.com/stackforge/swift3

A rgw can be, at the same time, under keystone control and standard radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can a rgw work for S3 users if they are stored in keystone?
Which is the accesskey and secretkey?
What is the purpose of rgw s3 auth use keystone parameter?

Best regards

--
From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Monday 23 March 2015 14:03
To: ceph-users
Subject: [ceph-users] Rados Gateway and keystone

Hi All,

I just would like to be sure about keystone configuration for Rados Gateway.

I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.

In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
How does it work for S3 users?
What is the purpose of rgw s3 auth use keystone parameter?

Best regards

- - - - - - - - - - - - - - - - -
Ghislain Chevalier
+33299124432
+33788624370
ghislain.cheval...@orange.com
Re: [ceph-users] Rados Gateway and keystone
=0
2015-05-05 14:58:24.233135 7fb9f57ea700 10 cache get: name=.users+ffd80839282d4183afedff542de10760 : miss
2015-05-05 14:58:24.235002 7fb9f57ea700 10 cache put: name=.users+ffd80839282d4183afedff542de10760
2015-05-05 14:58:24.235025 7fb9f57ea700 10 adding .users+ffd80839282d4183afedff542de10760 to cache LRU end
2015-05-05 14:58:24.235038 7fb9f57ea700 5 error reading user info, uid=ffd80839282d4183afedff542de10760 can't authenticate
2015-05-05 14:58:24.235041 7fb9f57ea700 10 failed to authorize request
2015-05-05 14:58:24.235098 7fb9f57ea700 5 nothing to log for operation
2015-05-05 14:58:24.235102 7fb9f57ea700 2 req 83:0.007565:s3:GET /:list_buckets:http status=403
2015-05-05 14:58:24.235108 7fb9f57ea700 1 == req done req=0x7fba04013580 http_status=403 ==

In the keystone request, there is s3tokens.
Is it a standard implementation or does the keystone installation require something specific?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Thursday 16 April 2015 13:14
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

I finally configured a cloudberry profile by setting what seems to be the right endpoint for object storage according to the openstack environment: myrgw:myport/swift/v1
I got a “204 no content” error even if 2 containers were previously created by a swift operation with objects in them.
In the log, I saw a dialog between the rgw and keystone but the right service doesn’t seem to be selected and the id became anonymous.

Any idea?

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 18:39
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

Despite the creation of ec2 credentials which provides an accesskey and a secretkey for a user, it’s always impossible to connect using S3 (Forbidden/Access denied).
All is right using swift (create container, list container, get object, put object, delete object)
I use cloudberry client to do so.

Does someone know how I can check if the interoperability between keystone and the rgw is correctly set up?
In the rgw pools? in the radosgw metadata?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Thanks a lot
That helps.

From: Erik McCormick [mailto:emccorm...@cirrusseven.com]
Sent: Monday 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security -> API Access. Using the CLI you can use the openstack client like "openstack credential list | show | create | delete | set" or with the keystone client like "keystone ec2-credentials-list", etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, ghislain.cheval...@orange.com wrote:
> Hi all,
>
> Coming back to that issue.
> I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
> I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
> https://github.com/stackforge/swift3
>
> A rgw can be, at the same time, under keystone control and standard radosgw-admin if
> - for swift, you use the right authentication service (keystone or internal)
> - for S3, you use the internal authentication service
>
> So, my questions are still valid.
> How can a rgw work for S3 users if they are stored in keystone?
> Which is the accesskey and secretkey?
> What is the purpose of rgw s3 auth use keystone parameter?
>
> Best regards
>
> --
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
> Sent: Monday 23 March 2015 14:03
> To: ceph-users
> Subject: [ceph-users] Rados Gateway and keystone
>
> Hi All,
>
> I just would like to be sure about keystone configuration for Rados Gateway.
>
> I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
> but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.
>
> In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
> How does it work for S3 users
Re: [ceph-users] Rados Gateway and keystone
Addendum

In the keystone log, I got
2015-05-06 11:42:24.594 10435 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 11:42:24] POST /v2.0/s3tokens HTTP/1.1 404 247 0.003872

Something is missing
This is my new quest…

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday 6 May 2015 10:24
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Hi,

Coming back to that issue.

My endpoint wasn’t set up right.
I changed it to myrgw:myport (rgwow:8080) in the cloudberry profile or in the curl request and I got a 403 error due to a potential bad role returned by keystone.

In the radosgw log, I got
2015-05-05 14:58:23.895961 7fb9f4fe9700 1 == starting new request req=0x7fba040177c0 =
2015-05-05 14:58:23.895975 7fb9f4fe9700 2 req 82:0.15::GET /::initializing
2015-05-05 14:58:23.896009 7fb9f4fe9700 10 s-object=NULL s-bucket=NULL
2015-05-05 14:58:23.896014 7fb9f4fe9700 2 req 82:0.54:s3:GET /::getting op
2015-05-05 14:58:23.896018 7fb9f4fe9700 2 req 82:0.58:s3:GET /:list_buckets:authorizing
2015-05-05 14:58:23.896022 7fb9f4fe9700 2 req 82:0.62:s3:GET /:list_buckets:reading permissions
2015-05-05 14:58:23.896027 7fb9f4fe9700 2 req 82:0.67:s3:GET /:list_buckets:init op
2015-05-05 14:58:23.896030 7fb9f4fe9700 2 req 82:0.70:s3:GET /:list_buckets:verifying op mask
2015-05-05 14:58:23.896032 7fb9f4fe9700 20 required_mask= 1 user.op_mask=7
2015-05-05 14:58:23.896033 7fb9f4fe9700 2 req 82:0.73:s3:GET /:list_buckets:verifying op permissions
2015-05-05 14:58:23.896036 7fb9f4fe9700 2 req 82:0.75:s3:GET /:list_buckets:verifying op params
2015-05-05 14:58:23.896037 7fb9f4fe9700 2 req 82:0.77:s3:GET /:list_buckets:executing
2015-05-05 14:58:23.898267 7fb9f4fe9700 5 nothing to log for operation
2015-05-05 14:58:23.898286 7fb9f4fe9700 2 req 82:0.002326:s3:GET /:list_buckets:http status=200
2015-05-05 14:58:23.898293 7fb9f4fe9700 1 == req done req=0x7fba040177c0 http_status=200 ==
2015-05-05 14:58:24.227297 7fba215f8700 20 enqueued request req=0x7fba04013580
2015-05-05 14:58:24.227318 7fba215f8700 20 RGWWQ:
2015-05-05 14:58:24.227320 7fba215f8700 20 req: 0x7fba04013580
2015-05-05 14:58:24.227328 7fba215f8700 10 allocated request req=0x7fba04012050
2015-05-05 14:58:24.227454 7fb9f57ea700 20 dequeued request req=0x7fba04013580
2015-05-05 14:58:24.227471 7fb9f57ea700 20 RGWWQ: empty
2015-05-05 14:58:24.227512 7fb9f57ea700 20 DOCUMENT_ROOT=/var/www/radosgw
2015-05-05 14:58:24.227515 7fb9f57ea700 20 FCGI_ROLE=RESPONDER
2015-05-05 14:58:24.227516 7fb9f57ea700 20 GATEWAY_INTERFACE=CGI/1.1
2015-05-05 14:58:24.227517 7fb9f57ea700 20 HTTP_ACCEPT=*/*
2015-05-05 14:58:24.227518 7fb9f57ea700 20 HTTP_AUTHORIZATION=AWS ffd80839282d4183afedff542de10760:9vF6bLQCF4a/bYTgaxPjl1bFro4=
2015-05-05 14:58:24.227520 7fb9f57ea700 20 HTTP_CONNECTION=close
2015-05-05 14:58:24.227521 7fb9f57ea700 20 HTTP_DATE=Tue, 05 May 2015 12:58:24 +
2015-05-05 14:58:24.227522 7fb9f57ea700 20 HTTP_HOST=rgwow:8080
2015-05-05 14:58:24.227523 7fb9f57ea700 20 HTTP_USER_AGENT=curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
2015-05-05 14:58:24.227524 7fb9f57ea700 20 PATH=/usr/local/bin:/usr/bin:/bin
2015-05-05 14:58:24.227525 7fb9f57ea700 20 QUERY_STRING=page=params=
2015-05-05 14:58:24.227526 7fb9f57ea700 20 REMOTE_ADDR=10.193.108.105
2015-05-05 14:58:24.227527 7fb9f57ea700 20 REMOTE_PORT=44436
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_METHOD=GET
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_URI=/
2015-05-05 14:58:24.227529 7fb9f57ea700 20 SCRIPT_FILENAME=/var/www/radosgw/s3gw.fcgi
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_NAME=/
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_URI=http://rgwow:8080/
2015-05-05 14:58:24.227531 7fb9f57ea700 20 SCRIPT_URL=/
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADDR=10.193.108.236
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADMIN=[no address given]
2015-05-05 14:58:24.227533 7fb9f57ea700 20 SERVER_NAME=rgwow
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PORT=8080
2015-05-05 14:58:24.227534 7fb9f57ea700 20 SERVER_PROTOCOL=HTTP/1.1
2015-05-05 14:58:24.227535 7fb9f57ea700 20 SERVER_SIGNATURE=
2015-05-05 14:58:24.227536 7fb9f57ea700 20 SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)
2015-05-05 14:58:24.227537 7fb9f57ea700 1 == starting new request req=0x7fba04013580 =
2015-05-05 14:58:24.227551 7fb9f57ea700 2 req 83:0.14::GET /::initializing
2015-05-05 14:58:24.227557 7fb9f57ea700 10 host=rgwow:8080 rgw_dns_name=rgwow
2015-05-05 14:58:24.227588 7fb9f57ea700 10 s-object=NULL s-bucket=NULL
2015-05-05 14:58:24.227593 7fb9f57ea700 2 req 83:0.56:s3:GET /::getting op
2015-05-05 14:58:24.227596 7fb9f57ea700 2 req 83:0.59:s3:GET /:list_buckets:authorizing
2015-05-05 14:58:24.227600 7fb9f57ea700 20 s3 keystone: trying keystone auth
2015-05-05 14:58:24.227693 7fb9f57ea700 10 get_canon_resource(): dest=/
2015-05-05 14:58:24.227776
Re: [ceph-users] Rados Gateway and keystone
; alias=OS-EC2
<links> <link href="https://github.com/openstack/identity-api" type="text/html" rel="describedby"/> </links>
<description>OpenStack EC2 Credentials backend.</description>
</extension>
</extensions>

It seems much better.

Nevertheless, when I changed the keystone url in ceph.conf in order to use port 35357, I got in the keystone log a 401 error (unauthorized)
2015-05-06 13:41:40.502 10431 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 10.193.108.238
2015-05-06 13:41:40.505 10431 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 13:41:40] POST /v2.0/s3tokens HTTP/1.1 401 333 0.020001

As I don’t manage the keystone configuration, I will have to submit this issue to the administrator.

Best regards

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday 6 May 2015 11:48
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Addendum

In the keystone log, I got
2015-05-06 11:42:24.594 10435 INFO eventlet.wsgi.server [-] 10.193.108.238 - - [06/May/2015 11:42:24] POST /v2.0/s3tokens HTTP/1.1 404 247 0.003872

Something is missing
This is my new quest…

From: CHEVALIER Ghislain IMT/OLPS
Sent: Wednesday 6 May 2015 10:24
To: ceph-users
Subject: RE: [ceph-users] Rados Gateway and keystone

Hi,

Coming back to that issue.

My endpoint wasn’t set up right.
I changed it to myrgw:myport (rgwow:8080) in the cloudberry profile or in the curl request and I got a 403 error due to a potential bad role returned by keystone.
In the radosgw log, I got
2015-05-05 14:58:23.895961 7fb9f4fe9700 1 == starting new request req=0x7fba040177c0 =
2015-05-05 14:58:23.895975 7fb9f4fe9700 2 req 82:0.15::GET /::initializing
2015-05-05 14:58:23.896009 7fb9f4fe9700 10 s-object=NULL s-bucket=NULL
2015-05-05 14:58:23.896014 7fb9f4fe9700 2 req 82:0.54:s3:GET /::getting op
2015-05-05 14:58:23.896018 7fb9f4fe9700 2 req 82:0.58:s3:GET /:list_buckets:authorizing
2015-05-05 14:58:23.896022 7fb9f4fe9700 2 req 82:0.62:s3:GET /:list_buckets:reading permissions
2015-05-05 14:58:23.896027 7fb9f4fe9700 2 req 82:0.67:s3:GET /:list_buckets:init op
2015-05-05 14:58:23.896030 7fb9f4fe9700 2 req 82:0.70:s3:GET /:list_buckets:verifying op mask
2015-05-05 14:58:23.896032 7fb9f4fe9700 20 required_mask= 1 user.op_mask=7
2015-05-05 14:58:23.896033 7fb9f4fe9700 2 req 82:0.73:s3:GET /:list_buckets:verifying op permissions
2015-05-05 14:58:23.896036 7fb9f4fe9700 2 req 82:0.75:s3:GET /:list_buckets:verifying op params
2015-05-05 14:58:23.896037 7fb9f4fe9700 2 req 82:0.77:s3:GET /:list_buckets:executing
2015-05-05 14:58:23.898267 7fb9f4fe9700 5 nothing to log for operation
2015-05-05 14:58:23.898286 7fb9f4fe9700 2 req 82:0.002326:s3:GET /:list_buckets:http status=200
2015-05-05 14:58:23.898293 7fb9f4fe9700 1 == req done req=0x7fba040177c0 http_status=200 ==
2015-05-05 14:58:24.227297 7fba215f8700 20 enqueued request req=0x7fba04013580
2015-05-05 14:58:24.227318 7fba215f8700 20 RGWWQ:
2015-05-05 14:58:24.227320 7fba215f8700 20 req: 0x7fba04013580
2015-05-05 14:58:24.227328 7fba215f8700 10 allocated request req=0x7fba04012050
2015-05-05 14:58:24.227454 7fb9f57ea700 20 dequeued request req=0x7fba04013580
2015-05-05 14:58:24.227471 7fb9f57ea700 20 RGWWQ: empty
2015-05-05 14:58:24.227512 7fb9f57ea700 20 DOCUMENT_ROOT=/var/www/radosgw
2015-05-05 14:58:24.227515 7fb9f57ea700 20 FCGI_ROLE=RESPONDER
2015-05-05 14:58:24.227516 7fb9f57ea700 20 GATEWAY_INTERFACE=CGI/1.1
2015-05-05 14:58:24.227517 7fb9f57ea700 20 HTTP_ACCEPT=*/*
2015-05-05 14:58:24.227518 7fb9f57ea700 20 HTTP_AUTHORIZATION=AWS ffd80839282d4183afedff542de10760:9vF6bLQCF4a/bYTgaxPjl1bFro4=
2015-05-05 14:58:24.227520 7fb9f57ea700 20 HTTP_CONNECTION=close
2015-05-05 14:58:24.227521 7fb9f57ea700 20 HTTP_DATE=Tue, 05 May 2015 12:58:24 +
2015-05-05 14:58:24.227522 7fb9f57ea700 20 HTTP_HOST=rgwow:8080
2015-05-05 14:58:24.227523 7fb9f57ea700 20 HTTP_USER_AGENT=curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
2015-05-05 14:58:24.227524 7fb9f57ea700 20 PATH=/usr/local/bin:/usr/bin:/bin
2015-05-05 14:58:24.227525 7fb9f57ea700 20 QUERY_STRING=page=params=
2015-05-05 14:58:24.227526 7fb9f57ea700 20 REMOTE_ADDR=10.193.108.105
2015-05-05 14:58:24.227527 7fb9f57ea700 20 REMOTE_PORT=44436
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_METHOD=GET
2015-05-05 14:58:24.227528 7fb9f57ea700 20 REQUEST_URI=/
2015-05-05 14:58:24.227529 7fb9f57ea700 20 SCRIPT_FILENAME=/var/www/radosgw/s3gw.fcgi
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_NAME=/
2015-05-05 14:58:24.227530 7fb9f57ea700 20 SCRIPT_URI=http://rgwow:8080/
2015-05-05 14:58:24.227531 7fb9f57ea700 20 SCRIPT_URL=/
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADDR=10.193.108.236
2015-05-05 14:58:24.227532 7fb9f57ea700 20 SERVER_ADMIN=[no address given]
2015-05-05 14:58:24.227533 7fb9f57ea700 20 SERVER_NAME=rgwow
2015-05-05 14:58
Re: [ceph-users] Rados Gateway and keystone
Hi,

I finally configured a cloudberry profile by setting what seems to be the right endpoint for object storage according to the openstack environment: myrgw:myport/swift/v1
I got a “204 no content” error even if 2 containers were previously created by a swift operation with objects in them.
In the log, I saw a dialog between the rgw and keystone but the right service doesn’t seem to be selected and the id became anonymous.

Any idea?

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 18:39
To: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Hi,

Despite the creation of ec2 credentials which provides an accesskey and a secretkey for a user, it’s always impossible to connect using S3 (Forbidden/Access denied).
All is right using swift (create container, list container, get object, put object, delete object)
I use cloudberry client to do so.

Does someone know how I can check if the interoperability between keystone and the rgw is correctly set up?
In the rgw pools? in the radosgw metadata?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Thanks a lot
That helps.

From: Erik McCormick [mailto:emccorm...@cirrusseven.com]
Sent: Monday 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security -> API Access. Using the CLI you can use the openstack client like "openstack credential list | show | create | delete | set" or with the keystone client like "keystone ec2-credentials-list", etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, ghislain.cheval...@orange.com wrote:
> Hi all,
>
> Coming back to that issue.
> I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
> I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
> https://github.com/stackforge/swift3
>
> A rgw can be, at the same time, under keystone control and standard radosgw-admin if
> - for swift, you use the right authentication service (keystone or internal)
> - for S3, you use the internal authentication service
>
> So, my questions are still valid.
> How can a rgw work for S3 users if they are stored in keystone?
> Which is the accesskey and secretkey?
> What is the purpose of rgw s3 auth use keystone parameter?
>
> Best regards
>
> --
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
> Sent: Monday 23 March 2015 14:03
> To: ceph-users
> Subject: [ceph-users] Rados Gateway and keystone
>
> Hi All,
>
> I just would like to be sure about keystone configuration for Rados Gateway.
>
> I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
> but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.
>
> In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
> How does it work for S3 users?
> What is the purpose of rgw s3 auth use keystone parameter?
>
> Best regards
>
> - - - - - - - - - - - - - - - - -
> Ghislain Chevalier
> +33299124432
> +33788624370
> ghislain.cheval...@orange.com
Re: [ceph-users] Rados Gateway and keystone
Hi,

Despite the creation of ec2 credentials which provides an accesskey and a secretkey for a user, it’s always impossible to connect using S3 (Forbidden/Access denied).
All is right using swift (create container, list container, get object, put object, delete object)
I use cloudberry client to do so.

Does someone know how I can check if the interoperability between keystone and the rgw is correctly set up?
In the rgw pools? in the radosgw metadata?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Wednesday 15 April 2015 13:16
To: Erik McCormick
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

Thanks a lot
That helps.

From: Erik McCormick [mailto:emccorm...@cirrusseven.com]
Sent: Monday 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security -> API Access. Using the CLI you can use the openstack client like "openstack credential list | show | create | delete | set" or with the keystone client like "keystone ec2-credentials-list", etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, ghislain.cheval...@orange.com wrote:
> Hi all,
>
> Coming back to that issue.
> I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey)
> I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
> https://github.com/stackforge/swift3
>
> A rgw can be, at the same time, under keystone control and standard radosgw-admin if
> - for swift, you use the right authentication service (keystone or internal)
> - for S3, you use the internal authentication service
>
> So, my questions are still valid.
> How can a rgw work for S3 users if they are stored in keystone?
> Which is the accesskey and secretkey?
> What is the purpose of rgw s3 auth use keystone parameter?
>
> Best regards
>
> --
> From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
> Sent: Monday 23 March 2015 14:03
> To: ceph-users
> Subject: [ceph-users] Rados Gateway and keystone
>
> Hi All,
>
> I just would like to be sure about keystone configuration for Rados Gateway.
>
> I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone
> but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.
>
> In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
> How does it work for S3 users?
> What is the purpose of rgw s3 auth use keystone parameter?
>
> Best regards
>
> - - - - - - - - - - - - - - - - -
> Ghislain Chevalier
> +33299124432
> +33788624370
> ghislain.cheval...@orange.com
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may
Re: [ceph-users] Rados Gateway and keystone
Thanks a lot. That helps.

From: Erik McCormick [mailto:emccorm...@cirrusseven.com]
Sent: Monday 13 April 2015 18:32
To: CHEVALIER Ghislain IMT/OLPS
Cc: ceph-users
Subject: Re: [ceph-users] Rados Gateway and keystone

I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security-API Access. Using the CLI you can use the openstack client like openstack credential list | show | create | delete | set or with the keystone client like keystone ec2-credentials-list, etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Rados Gateway and keystone
Hi all,

Coming back to that issue. I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey).

I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
https://github.com/stackforge/swift3

A rgw can be, at the same time, under keystone control and standard radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can a rgw work for S3 users if they are stored in keystone?
Which is the accesskey and secretkey?
What is the purpose of rgw s3 auth use keystone parameter?

Best regards

From: ceph-users [mailto:ceph-users-boun...@lists.ceph.com] On behalf of ghislain.cheval...@orange.com
Sent: Monday 23 March 2015 14:03
To: ceph-users
Subject: [ceph-users] Rados Gateway and keystone

Hi All,

I just would like to be sure about keystone configuration for Rados Gateway.

I read the documentation http://ceph.com/docs/master/radosgw/keystone/ and http://ceph.com/docs/master/radosgw/config-ref/?highlight=keystone but I didn't catch if, after having configured the rados gateway (ceph.conf) in order to use keystone, it becomes mandatory to create all the users in it.

In other words, can a rgw be, at the same time, under keystone control and standard radosgw-admin?
How does it work for S3 users?
What is the purpose of rgw s3 auth use keystone parameter?

Best regards

Ghislain Chevalier
+33299124432
+33788624370
ghislain.cheval...@orange.com
Re: [ceph-users] Rados Gateway and keystone
I haven't really used the S3 stuff much, but the credentials should be in keystone already. If you're in horizon, you can download them under Access and Security-API Access. Using the CLI you can use the openstack client like openstack credential list | show | create | delete | set or with the keystone client like keystone ec2-credentials-list, etc. Then you should be able to feed those credentials to the rgw like a normal S3 API call.

Cheers,
Erik

On Mon, Apr 13, 2015 at 10:16 AM, ghislain.cheval...@orange.com wrote:

Hi all,

Coming back to that issue. I successfully used keystone users for the rados gateway and the swift API but I still don't understand how it can work with S3 API and i.e. S3 users (AccessKey/SecretKey).

I found a swift3 initiative but I think it's only compliant in a pure OpenStack swift environment by setting up a specific plug-in.
https://github.com/stackforge/swift3

A rgw can be, at the same time, under keystone control and standard radosgw-admin if
- for swift, you use the right authentication service (keystone or internal)
- for S3, you use the internal authentication service

So, my questions are still valid.
How can a rgw work for S3 users if they are stored in keystone?
Which is the accesskey and secretkey?
What is the purpose of rgw s3 auth use keystone parameter?

Best regards
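To illustrate the question raised in this thread (where the access key and secret key live when S3 users are stored in keystone), the sketch below simulates the check offline. It is an added example, not code from Ceph, Keystone or any poster; it assumes AWS signature version 2 and a validation body shaped like Keystone's s3tokens request, and every function name and credential in it is constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample data standing in for Keystone's EC2 credential store.
KEYSTONE_EC2 = {
    "AKEXAMPLEACCESS": {"secret": "example-secret-key", "user": "demo", "tenant": "demo-project"},
}

def string_to_sign(method, content_md5, content_type, date, resource):
    """AWS signature v2 canonical string (no x-amz-* headers in this sketch)."""
    return "\n".join([method, content_md5, content_type, date, resource])

def sign_v2(secret, to_sign):
    """Client side: base64(HMAC-SHA1(secret, string-to-sign))."""
    digest = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def gateway_validation_request(authorization_header, to_sign):
    """Gateway side: split 'AWS access:signature' and build the body that is
    forwarded for validation. The gateway never holds the secret key."""
    scheme, _, rest = authorization_header.partition(" ")
    access, sep, signature = rest.partition(":")
    if scheme != "AWS" or not sep:
        raise ValueError("not an AWS v2 Authorization header")
    token = base64.b64encode(to_sign.encode()).decode()
    return {"credentials": {"access": access, "token": token, "signature": signature}}

def keystone_validate(body):
    """Keystone side (simulated): look up the secret, recompute, compare."""
    creds = body["credentials"]
    record = KEYSTONE_EC2.get(creds["access"])
    if record is None:
        return None  # unknown access key: the gateway answers 403
    to_sign = base64.b64decode(creds["token"]).decode()
    expected = sign_v2(record["secret"], to_sign)
    if not hmac.compare_digest(expected, creds["signature"]):
        return None  # wrong secret or altered request: 403
    return {"user": record["user"], "tenant": record["tenant"]}

def s3_request(access, secret, method="GET", resource="/mybucket/"):
    """End to end: returns the identity Keystone confirms, or None."""
    date = "Thu, 07 May 2015 09:24:00 GMT"  # constructed, fixed for repeatability
    to_sign = string_to_sign(method, "", "", date, resource)
    header = "AWS %s:%s" % (access, sign_v2(secret, to_sign))
    return keystone_validate(gateway_validation_request(header, to_sign))
```

A `None` result corresponds to the Forbidden/Access denied answer: either the access key is unknown to the credential store or the signature was computed with a different secret or over a different request.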