Hi Dmitriy,

In other words, is S3 auth V4 signature handled by default when Rados GW is deployed with OSA or is there a role variable that needs to be set?

Kind regards,
Jean-Francois

From: Taltavull Jean-François
Sent: Thursday, 16 June 2022 17:46
To: 'Jonathan Rosser' <jonathan.rosser@rd.bbc.co.uk>; 'Dmitriy Rabotyagov' <noonedeadpunk@ya.ru>; 'openstack-discuss@lists.openstack.org' <openstack-discuss@lists.openstack.org>
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client

Hi Dmitriy, hi Jonathan,

I finally managed to interact with RGW S3 API with “s3cmd” client, but only if I add the option “--signature-v2” to the command line. If I don’t, I get the message “ERROR: S3 error: 403 (AccessDenied)”.

The RGW is configured to use keystone as the users authority and it looks like the S3 auth requests including a version 4 signature were not supported. Is there a RGW or a Keystone configuration variable to enable S3 V4 signature?

Deployment characteristics:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and RGW Octopus

Kind regards,
Jean-Francois

From: Taltavull Jean-François
Sent: Wednesday, 30 March 2022 11:01
To: 'Jonathan Rosser' <jonathan.rosser@rd.bbc.co.uk>; openstack-discuss@lists.openstack.org
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client

Hi Jonathan,

The keystone URL is correct. HAProxy has been configured to handle this kind of URL. And everything works fine with the openstack client.

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Wednesday, 30 March 2022 10:44
To: openstack-discuss@lists.openstack.org
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

EXTERNAL MESSAGE - This email comes from outside ELCA companies.

Hi Jean-Francois.

I have the following difference to your config:

rgw keystone url = http://xx.xx.xx.xx:5000

The normal OSA loadbalancer setup would have the keystone service on port 5000.

Jonathan.

On 30/03/2022 09:24, Taltavull Jean-François wrote:

Hi Dmitriy,

I just tried with s3cmd but I still get a 403. Here is the rgw section of ceph.conf:

rgw_keystone_url = http://xxxxx.xxxx.xxx/identity
rgw_keystone_api_version = 3
rgw_keystone_admin_user = radosgw
rgw_keystone_admin_password = xxxxxxxxxxxxxxxxxxxxxxxxx
rgw_keystone_admin_project = service
rgw_keystone_admin_domain = default
rgw_keystone_accepted_roles = member, _member_, admin, swiftoperator
rgw_keystone_accepted_admin_roles = ResellerAdmin
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
rgw_swift_versioning_enabled = true
rgw_enable_apis = swift,s3
rgw_s3_auth_use_keystone = true

From: Dmitriy Rabotyagov <noonedeadpunk@ya.ru>
Sent: Tuesday, 29 March 2022 18:49
To: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

Hi Jean-Francois.

It's quite hard to understand what exactly could have gone wrong based on the information you've provided. Highly likely it's related to the RGW configuration itself and its integration with keystone to be specific. Would be helpful if you could provide your ceph.conf regarding rgw configuration.

I'm also not 100% sure if awscli does work with RGW... At least I always used s3cmd or rclone to interact with RGW S3 API.

29.03.2022, 16:36, "Taltavull Jean-François" <jean-francois.taltavull@elca.ch>:

Hi All,

I get an http 403 error code when I try to get the bucket list with Ubuntu (Focal) S3 client (awscli). S3 api has been activated in radosgw config file and EC2 credentials have been created and put in S3 client config file.

Otherwise, everything is working fine with OpenStack client.

My deployment:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and Rados GW Octopus

Has any of you already experienced this kind of behaviour?

Many thanks,
Jean-Francois

--
Kind Regards,
Dmitriy Rabotyagov
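
Added example, not part of the original thread and not code from Ceph, Keystone or s3cmd: a Python sketch of the two S3 signature schemes the thread contrasts, signing the same list-buckets request (GET /) with V2 and V4, plus a classifier that tells from a logged Authorization header which scheme a client sent. The access key, secret, host name and the "us-east-1" region default are constructed values and assumptions.

```python
import base64
import hashlib
import hmac

def sign_v2(access, secret, date, resource="/"):
    # V2: one HMAC-SHA1 over a short string-to-sign, keyed directly with the secret.
    sts = f"GET\n\n\n{date}\n{resource}"  # verb, Content-MD5, Content-Type, Date, resource
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return f"AWS {access}:{base64.b64encode(mac).decode()}"

def hmac256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_v4(access, secret, host, amz_date, region="us-east-1", path="/"):
    # V4: canonical request -> string-to-sign -> HMAC-SHA256 with a derived key.
    day = amz_date[:8]
    payload = hashlib.sha256(b"").hexdigest()  # empty body for GET
    headers = f"host:{host}\nx-amz-content-sha256:{payload}\nx-amz-date:{amz_date}\n"
    signed = "host;x-amz-content-sha256;x-amz-date"
    creq = f"GET\n{path}\n\n{headers}\n{signed}\n{payload}"  # empty query string
    scope = f"{day}/{region}/s3/aws4_request"
    sts = (f"AWS4-HMAC-SHA256\n{amz_date}\n{scope}\n"
           + hashlib.sha256(creq.encode()).hexdigest())
    key = ("AWS4" + secret).encode()
    for part in (day, region, "s3", "aws4_request"):  # date, region, service are signed
        key = hmac256(key, part)
    sig = hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

def classify(auth):
    """Report which scheme an Authorization header uses; needs no secret."""
    if auth.startswith("AWS4-HMAC-SHA256 "):
        fields = dict(p.strip().split("=", 1) for p in auth.split(" ", 1)[1].split(","))
        access, _day, region = fields["Credential"].split("/")[:3]
        return {"version": 4, "access_key": access, "region": region}
    if auth.startswith("AWS "):
        return {"version": 2, "access_key": auth[4:].split(":", 1)[0], "region": None}
    return {"version": None, "access_key": None, "region": None}

if __name__ == "__main__":
    # Constructed credentials and host, for illustration only.
    ak, sk = "AKIDEXAMPLE", "constructed-secret"
    for hdr in (sign_v2(ak, sk, "Thu, 16 Jun 2022 15:46:00 GMT"),
                sign_v4(ak, sk, "rgw.example.test", "20220616T154600Z")):
        print(classify(hdr), hdr)
```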