[Ceph Rados Gateway] 403 when using S3 client
Taltavull Jean-François
jean-francois.taltavull at elca.ch
Mon Jun 27 06:55:07 UTC 2022
Hi Dmitriy,
In other words, is S3 auth V4 signature handled by default when Rados GW is deployed with OSA or is there a role variable that needs to be set?
Kind regards,
Jean-Francois
From: Taltavull Jean-François
Sent: Thursday, 16 June 2022 17:46
To: 'Jonathan Rosser' <jonathan.rosser at rd.bbc.co.uk>; 'Dmitriy Rabotyagov' <noonedeadpunk at ya.ru>; 'openstack-discuss at lists.openstack.org' <openstack-discuss at lists.openstack.org>
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client
Hi Dmitriy, hi Jonathan,
I finally managed to interact with RGW S3 API with “s3cmd” client, but only if I add the option “--signature-v2” to the command line.
If I don’t, I get the message “ERROR: S3 error: 403 (AccessDenied)”.
The RGW is configured to use keystone as the users authority and it looks like the S3 auth requests including a version 4 signature were not supported.
Is there a RGW or a Keystone configuration variable to enable S3 V4 signature?
Deployment characteristics:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and RGW Octopus
Kind regards,
Jean-Francois
From: Taltavull Jean-François
Sent: Wednesday, 30 March 2022 11:01
To: 'Jonathan Rosser' <jonathan.rosser at rd.bbc.co.uk>; openstack-discuss at lists.openstack.org
Subject: RE: [Ceph Rados Gateway] 403 when using S3 client
Hi Jonathan,
The keystone URL is correct. HAProxy has been configured to handle this kind of URL.
And everything works fine with the openstack client.
From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
Sent: Wednesday, 30 March 2022 10:44
To: openstack-discuss at lists.openstack.org
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client
Hi Jean-Francois.
I have the following difference to your config:
rgw keystone url = http://xx.xx.xx.xx:5000
The normal OSA loadbalancer setup would have the keystone service on port 5000.
Jonathan.
On 30/03/2022 09:24, Taltavull Jean-François wrote:
Hi Dmitriy,
I just tried with s3cmd but I still get a 403.
Here is the rgw section of ceph.conf:
rgw_keystone_url = http://xxxxx.xxxx.xxx/identity
rgw_keystone_api_version = 3
rgw_keystone_admin_user = radosgw
rgw_keystone_admin_password = xxxxxxxxxxxxxxxxxxxxxxxxx
rgw_keystone_admin_project = service
rgw_keystone_admin_domain = default
rgw_keystone_accepted_roles = member, _member_, admin, swiftoperator
rgw_keystone_accepted_admin_roles = ResellerAdmin
rgw_keystone_implicit_tenants = true
rgw_swift_account_in_url = true
rgw_swift_versioning_enabled = true
rgw_enable_apis = swift,s3
rgw_s3_auth_use_keystone = true
From: Dmitriy Rabotyagov <noonedeadpunk at ya.ru>
Sent: Tuesday, 29 March 2022 18:49
To: openstack-discuss <openstack-discuss at lists.openstack.org>
Subject: Re: [Ceph Rados Gateway] 403 when using S3 client
Hi Jean-Francois.
It's quite hard to understand what exactly could have gone wrong based on the information you've provided.
Highly likely it's related to the RGW configuration itself and its integration with keystone to be specific.
Would be helpful if you could provide your ceph.conf regarding rgw configuration.
I'm also not 100% sure if awscli does work with RGW... At least I always used s3cmd or rclone to interact with RGW S3 API.
29.03.2022, 16:36, "Taltavull Jean-François" <jean-francois.taltavull at elca.ch>:
Hi All,
I get an http 403 error code when I try to get the bucket list with Ubuntu (Focal) S3 client (awscli).
S3 api has been activated in radosgw config file and EC2 credentials have been created and put in S3 client config file.
Otherwise, everything is working fine with OpenStack client.
My deployment:
- OSA 23.2.0
- OpenStack Wallaby
- Ceph and Rados GW Octopus
Has any of you already experienced this kind of behaviour?
Many thanks,
Jean-Francois
--
Kind Regards,
Dmitriy Rabotyagov
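Added example, not part of the original thread or of any project's code: a sketch of how the same EC2-style key pair produces a Signature V2 and a Signature V4 Authorization header for the bucket-list request discussed above, and how to tell from a captured header which version a client sent. The access key, secret, host name and region are constructed placeholders.

```python
import base64
import hashlib
import hmac

def sign_v2(access, secret, method, resource, date):
    """Signature V2: one HMAC-SHA1 over verb, Content-MD5, Content-Type, Date, resource."""
    string_to_sign = f"{method}\n\n\n{date}\n{resource}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return f"AWS {access}:{base64.b64encode(mac).decode()}"

def sign_v4(access, secret, method, path, host, amz_date, region="us-east-1"):
    """Signature V4: HMAC-SHA256 with a key derived from date, region and service."""
    payload_hash = hashlib.sha256(b"").hexdigest()  # empty body (GET)
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    names = sorted(headers)
    signed = ";".join(names)
    canonical = "\n".join(
        [method, path, ""] + [f"{n}:{headers[n]}" for n in names] + ["", signed, payload_hash])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date -> region -> service -> "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={access}/{scope}, SignedHeaders={signed}, Signature={sig}"

def signature_version(authorization):
    """Classify an Authorization header value by its scheme token."""
    if authorization.startswith("AWS4-HMAC-SHA256 "):
        return "v4"
    if authorization.startswith("AWS "):
        return "v2"
    return "unknown"

# Constructed sample values, not taken from the thread.
ACCESS, SECRET = "EXAMPLEACCESSKEY", "example-secret-key"
V2 = sign_v2(ACCESS, SECRET, "GET", "/", "Thu, 16 Jun 2022 15:46:00 GMT")
V4 = sign_v4(ACCESS, SECRET, "GET", "/", "rgw.example.test", "20220616T154600Z")

if __name__ == "__main__":
    for header in (V2, V4):
        print(signature_version(header), header)
```

The V4 header binds the host name, region, date scope and payload hash into the signature, whereas the V2 header covers only the verb, date and resource.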