Hi Dmitriy,

 

In other words, is S3 auth V4 signature handled by default when Rados GW is deployed with OSA or is there a role variable that needs to be set?

 

Kind regards,

 

Jean-Francois

 

From: Taltavull Jean-François
Sent: Thursday, 16 June 2022 17:46
To: 'Jonathan Rosser' <jonathan.rosser@rd.bbc.co.uk>; 'Dmitriy Rabotyagov' <noonedeadpunk@ya.ru>; 'openstack-discuss@lists.openstack.org' <openstack-discuss@lists.openstack.org>
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client

 

Hi Dmitriy, hi Jonathan,

 

I finally managed to interact with RGW S3 API with “s3cmd” client, but only if I add the option “--signature-v2” to the command line.

If I don’t, I get the message “ERROR: S3 error: 403 (AccessDenied)”.

 

The RGW is configured to use keystone as the users authority and it looks like the S3 auth requests including a version 4 signature were not supported.

 

Is there a RGW or a Keystone configuration variable to enable S3 V4 signature?

 

Deployment characteristics:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and RGW Octopus

Kind regards,

Jean-Francois

 

From: Taltavull Jean-François
Sent: Wednesday, 30 March 2022 11:01
To: 'Jonathan Rosser' <jonathan.rosser@rd.bbc.co.uk>; openstack-discuss@lists.openstack.org
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client

 

Hi Jonathan,

 

The keystone URL is correct. HAProxy has been configured to handle this kind of URL.

 

And everything works fine with the openstack client.

 

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Wednesday, 30 March 2022 10:44
To: openstack-discuss@lists.openstack.org
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

 

 

EXTERNAL MESSAGE - This email comes from outside ELCA companies.

Hi Jean-Francois.

I have the following difference to your config:

rgw keystone url = http://xx.xx.xx.xx:5000

The normal OSA loadbalancer setup would have the keystone service on port 5000.

Jonathan.

On 30/03/2022 09:24, Taltavull Jean-François wrote:

Hi Dmitriy,

 

I just tried with s3cmd but I still get a 403.

 

Here is the rgw section of ceph.conf:

 

rgw_keystone_url = http://xxxxx.xxxx.xxx/identity
rgw_keystone_api_version = 3
rgw_keystone_admin_user = radosgw
rgw_keystone_admin_password = xxxxxxxxxxxxxxxxxxxxxxxxx
rgw_keystone_admin_project = service
rgw_keystone_admin_domain = default
rgw_keystone_accepted_roles = member, _member_, admin, swiftoperator
rgw_keystone_accepted_admin_roles = ResellerAdmin
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
rgw_swift_versioning_enabled = true
rgw_enable_apis = swift,s3
rgw_s3_auth_use_keystone = true

 

From: Dmitriy Rabotyagov <noonedeadpunk@ya.ru>
Sent: Tuesday, 29 March 2022 18:49
To: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client

 

 


 

Hi Jean-Francois.

 

It's quite hard to understand what exactly could have gone wrong based on the information you've provided.

Highly likely it's related to the RGW configuration itself and its integration with keystone to be specific.

 

Would be helpful if you could provide your ceph.conf regarding rgw configuration.

 

I'm also not 100% sure if awscli does work with RGW... At least I always used s3cmd or rclone to interact with RGW S3 API.

 

29.03.2022, 16:36, "Taltavull Jean-François" <jean-francois.taltavull@elca.ch>:

Hi All,

I get an http 403 error code when I try to get the bucket list with Ubuntu (Focal) S3 client (awscli).

S3 api has been activated in radosgw config file and EC2 credentials have been created and put in S3 client config file.

Otherwise, everything is working fine with OpenStack client.

My deployment:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and Rados GW Octopus

Has any of you already experienced this kind of behaviour?

Many thanks,
Jean-Francois

 

 

-- 
Kind Regards,

Dmitriy Rabotyagov