Ceph S3 API is broken out of the box

@Denis, thank you for posting this bug. But I am not sure that this is a bug at all - can you describe the actual sequence of actions you performed and what should have happened if everything was configured correctly according to your expectations?

I see that you are using some custom script to authenticate through s3 api of radosgw, but I am not sure that you are providing correct credentials.

First of all, I cannot understand what test.sh script is actually doing. As far as I see it returned error code 200. What does this mean?

Secondly, there is no code of ./s3curl.pl, so we cannot be sure that s3curl actually passes credentials as S3 API is expecting.

Next, I see that you are using curl to access S3 API without providing any access information. Why do you think it should give you anything than 403/401 error code?

We would really appreciate if you provided more info on this as it would make bugfixing process much easier.

Thank you.

>I see that you are using curl to access S3 API without providing any access information. Why do you think it should give you anything than 403/401 error code?
I post the output - it shows an objects inside bucket. 403 i got when try to use access_key/secret_key

Also I try to connect using boto
http://ceph.com/docs/master/radosgw/s3/python/
but it was unable to get buckets list, create bucket, etc

Also I try to use this documentation to test S3
http://ceph.com/docs/master/radosgw/config/#using-the-gateway
http://ceph.com/docs/master/radosgw/config/#access-verification

Denis, could you please attach this s3curl.pl script to the bug or provide a list of commands that should succeed? We need to eliminate the case when you are using broken script.

Thank you.

Vladimir, I use this s3curl https://github.com/rtdp/s3curl

How to reproduce:

1 Create cluster (fuel 6.0, HA, ceph for all+RBS+RadosGW )
2 Using ceph documentation test S# API
http://ceph.com/docs/master/radosgw/config/#using-the-gateway
http://ceph.com/docs/master/radosgw/config/#access-verification

Denis, if you don't modify the script to add your endpoint [1], you will get 401/403.
I'm working on fix for s3curl right now. Its initial version would be available in next minutes. Another problem might be locale setting - LC_ALL=C would be a workaround in such case.

Anyway, it looks like the Keystone port is wrongly set according to the RGW documentation [2]. Please take a look on the manifest [3].

[1] https://github.com/rtdp/s3curl/blob/master/s3curl.pl#L30.
[2] http://ceph.com/docs/master/radosgw/keystone/
[3] https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/ceph/manifests/init.pp#L42

The fix for S3 landed: https://github.com/rtdp/s3curl/compare/master...rzarzynski:wip-enforce_vanity.

Let me excuse for mistake in the tool name above. It should be 's3curl' of course.

I'm working on fix for the locale problem in s3curl as well.

Created pull request in s3curl project on GitHub: https://github.com/rtdp/s3curl/pull/5.

Workaround:
Change rgw_keystone_url port from 5000 to 35357 and restart radosgw.

ceph.conf
[client.radosgw.gateway]
rgw_keystone_url = <HAPROXY-VIP>:35357
rgw_s3_auth_use_keystone = true
nss db path = /var/lib/ceph/nss

Fix for the locale problem in s3curl is ready: https://github.com/rzarzynski/s3curl/tree/wip-locale_dependency_fix.
Both patches have been merged into master branch of https://github.com/rzarzynski/s3curl.

Folks, is it the client utility issue? If so, why do we keep it as High in Fuel project - can we now close this bug?

No, we can not.
Our puppet for ceph contains wrong port.
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/ceph/manifests/init.pp#L42
It should be 35357

Fix proposed to branch: master
Review: https://review.openstack.org/178200

Reviewed: https://review.openstack.org/178200
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=651032fa3d24422d77066ad0136dfc24597801ea
Submitter: Jenkins
Branch: master

commit 651032fa3d24422d77066ad0136dfc24597801ea
Author: Bartłomiej Piotrowski <email address hidden>
Date: Tue Apr 28 15:33:53 2015 +0200

    Ceph: use the admin port for communication with Keystone

    Current port, 5000, is meant to be used for public requests. 35357
    should be used instead.

    Reference: http://ceph.com/docs/master/radosgw/keystone/

    Change-Id: I1ef8030b39256a17ef3b1dc1e1061c756d7392a6
    Closes-Bug: 1446704

Posting helpful information from a customer about the fix:

To enable the S3 gateway I had to make several changes to the ceph.conf from the config that Fuel created. I had to change the rgw_keystone_url port from 5000 to the admin port 35357, enabled keystone auth for S3, configure the SSL certs for keystone and then add them to the “nss db path”.

We’d like to know if this is a supported configuration or the Mirantis recommended way to support S3 APIs with the radosgw.

Commands to create nss DB (run on each node):

mkdir /var/lib/ceph/nss

openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"

openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | certutil -A -d /var/lib/ceph/nss -n signing_cert -t "P,P,P"

chmod -R 755 /var/lib/ceph/nss

Changes to ceph.conf:

[client.radosgw.gateway]

rgw_keystone_url = <HAPROXY-VIP>:35357

rgw_s3_auth_use_keystone = true

nss db path = /var/lib/ceph/nss

It seems that port 5000 is still present:

root@node-5:~# ceph --admin-daemon /var/run/ceph/ceph-client.radosgw.gateway.asok config show | grep keystone_url
  "rgw_keystone_url": "172.16.54.2:5000",
root@node-5:~# hostname
node-5.mol.local

[root@cz-venv-2-1-fuel-61-446 ~]# fuel --fuel-version --json
DEPRECATION WARNING: /etc/fuel/client/config.yaml exists and will be used as the source for settings. This behavior is deprecated. Please specify the path to your custom settings file in the FUELCLIENT_CUSTOM_SETTINGS environment variable.
{
    "build_id": "2015-05-21_04-04-09",
    "build_number": "446",
    "auth_required": true,
    "fuel-ostf_sha": "3dd25a018f2a5c47ec6c885436b3ba69690ef1b9",
    "fuel-library_sha": "a03efb582b06bfe8d9776dce244d4a2f2e2ba886",
    "nailgun_sha": "403c6b7ea3c62bb4fda27eb9cedee37f7144558c",
    "openstack_version": "2014.2.2-6.1",
    "production": "docker",
    "api": "1.0",
    "python-fuelclient_sha": "e19f1b65792f84c4a18b5a9473f85ef3ba172fce",
    "astute_sha": "795f8a045400fe82ccc30ae018e85324b3fa1de5",
    "fuelmain_sha": "5c8ebddf64ea93000af2de3ccdb4aa8bb766ce93",
    "feature_groups": [
        "mirantis"
    ],
    "release": "6.1",
    "release_versions": {
        "2014.2.2-6.1": {
            "VERSION": {
                "build_id": "2015-05-21_04-04-09",
                "build_number": "446",
                "fuel-library_sha": "a03efb582b06bfe8d9776dce244d4a2f2e2ba886",
                "nailgun_sha": "403c6b7ea3c62bb4fda27eb9cedee37f7144558c",
                "fuel-ostf_sha": "3dd25a018f2a5c47ec6c885436b3ba69690ef1b9",
                "production": "docker",
                "api": "1.0",
                "python-fuelclient_sha": "e19f1b65792f84c4a18b5a9473f85ef3ba172fce",
                "astute_sha": "795f8a045400fe82ccc30ae018e85324b3fa1de5",
                "fuelmain_sha": "5c8ebddf64ea93000af2de3ccdb4aa8bb766ce93",
                "feature_groups": [
                    "mirantis"
                ],
                "release": "6.1",
                "openstack_version": "2014.2.2-6.1"
            }
        }
    }
}

Fix proposed to branch: master
Review: https://review.openstack.org/185360

Reviewed: https://review.openstack.org/185360
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=3f6a2510a1d0932eaf699931b484abe446164f4e
Submitter: Jenkins
Branch: master

commit 3f6a2510a1d0932eaf699931b484abe446164f4e
Author: Bartłomiej Piotrowski <email address hidden>
Date: Mon May 25 13:27:48 2015 +0200

    Change RadosGW port to 35357 in granular deployment

    Commit I1ef8030b39256a17ef3b1dc1e1061c756d7392a6 changed the default port only
    in ceph module. It gets overwritten in ceph-radosgw task used in
    granular deployment.

    Change-Id: I2ac378bd8fd5a960d7983904b3395c00d5827d60
    Closes-Bug: 1446704

Fix proposed to branch: master
Review: https://review.openstack.org/185404

Reviewed: https://review.openstack.org/185404
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=5f98037ced877308bc1fa6e1b44d63179f315a96
Submitter: Jenkins
Branch: master

commit 5f98037ced877308bc1fa6e1b44d63179f315a96
Author: Sergii Golovatiuk <email address hidden>
Date: Mon May 25 16:54:52 2015 +0200

    Change IP to management_ip

    * HAproxy doesn't listen to 35357 on public_ip. This change corrects ip
      in keystone_url for Rados Gateway

    Change-Id: Ie443944534c026498880928f22cc14a7ed516716
    Closes-Bug: 1446704

Works on Ubuntu using following Fuel version:

[root@nailgun ~]# fuel --fuel-version --json
DEPRECATION WARNING: /etc/fuel/client/config.yaml exists and will be used as the source for settings. This behavior is deprecated. Please specify the path to your custom settings file in the FUELCLIENT_CUSTOM_SETTINGS environment variable.
{
    "build_id": "2015-06-08_06-13-27",
    "build_number": "521",
    "auth_required": true,
    "fuel-ostf_sha": "7c938648a246e0311d05e2372ff43ef1eb2e2761",
    "fuel-library_sha": "f43c2ae1af3b493ee0e7810eab7bb7b50c986c7d",
    "nailgun_sha": "4340d55c19029394cd5610b0e0f56d6cb8cb661b",
    "openstack_version": "2014.2.2-6.1",
    "production": "docker",
    "api": "1.0",
    "python-fuelclient_sha": "4fc55db0265bbf39c369df398b9dc7d6469ba13b",
    "astute_sha": "7766818f079881e2dbeedb34e1f67e517ed7d479",
    "fuelmain_sha": "bcc909ffc5dd5156ba54cae348b6a07c1b607b24",
    "feature_groups": [
        "mirantis"
    ],
    "release": "6.1",
    "release_versions": {
        "2014.2.2-6.1": {
            "VERSION": {
                "build_id": "2015-06-08_06-13-27",
                "build_number": "521",
                "fuel-library_sha": "f43c2ae1af3b493ee0e7810eab7bb7b50c986c7d",
                "nailgun_sha": "4340d55c19029394cd5610b0e0f56d6cb8cb661b",
                "fuel-ostf_sha": "7c938648a246e0311d05e2372ff43ef1eb2e2761",
                "production": "docker",
                "api": "1.0",
                "python-fuelclient_sha": "4fc55db0265bbf39c369df398b9dc7d6469ba13b",
                "astute_sha": "7766818f079881e2dbeedb34e1f67e517ed7d479",
                "fuelmain_sha": "bcc909ffc5dd5156ba54cae348b6a07c1b607b24",
                "feature_groups": [
                    "mirantis"
                ],
                "release": "6.1",
                "openstack_version": "2014.2.2-6.1"
            }
        }
    }
}

Verified on 6.1 #521.

Won't Fix for 6.0-updates as for 6.0 we have no channel to deliver Fuel updates

We still do not have "rgw_s3_auth_use_keystone = true" line info ceph config

Denis, had the same question to fuel developers. They have recommended to check the bug #1540426

added missed milestones 7.0 and up. Assigned 7.0 and 8.0 to MOS-maintenance. We have 20 customer requests for that last year and 12 this year.

Roman, it is explicitly mentioned in radosgw keystone-based authentication part of Operations Guide for 7.0 and 8.0 releases that you have to set rgw_s3_auth_use_keystone option manually and it is not fuel-configurable. I think, that it is a feature request and we can't put it into MU. Please check the links below:
https://docs.mirantis.com/fuel/fuel-7.0/operations.html#managing-your-ceph-cluster
https://docs.mirantis.com/openstack/fuel/fuel-8.0/operations.html#managing-your-ceph-cluster

I have set bug's status to 'Won't fix' for 7.0 and 8.0 branches based on arguments above ^^^

Fix proposed to branch: master
Review: https://review.openstack.org/291958

Agreement has been made that option "rgw_s3_auth_use_keystone"
will be controlled through Fuel since 10.0. For 9.0 and older releases
a technical bulletin explaining the associated trade-off and manual
procedure for enabling the S3/Keystone integration will be issued.

For 9.0 it's enough to add support to fuel-library to manage the parameter.

Reviewed: https://review.openstack.org/291958
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=d20acf596114d335802f489ee53ea1fb70f299bb
Submitter: Jenkins
Branch: master

commit d20acf596114d335802f489ee53ea1fb70f299bb
Author: Maksim Malchuk <email address hidden>
Date: Sat Mar 12 03:19:50 2016 +0300

    Adds support rgw_s3_auth_use_keystone for ceph::radosgw

     * added support rgw_s3_auth_use_keystone for ceph::radosgw
     * by default rgw_s3_auth_use_keystone set to 'false', and
       configuration file should be altered only with 'true' value.
     * fix some stylings

    Change-Id: Ie482e55ac8ba5692ad4678c7599505817375bb63
    Closes-Bug: #1446704

Reviewed: https://review.openstack.org/304612
Committed: https://git.openstack.org/cgit/openstack/fuel-docs/commit/?id=e9d1be7df3a46bfa5d40229dcdf73c64864f1be6
Submitter: Jenkins
Branch: master

commit e9d1be7df3a46bfa5d40229dcdf73c64864f1be6
Author: Evgeny Konstantinov <email address hidden>
Date: Tue Apr 12 16:15:08 2016 +0300

    Add Fuel Mitaka known issues to relnotes
    Related-Bug: #1439776
    Related-Bug: #1450100
    Related-Bug: #1460169
    Related-Bug: #1490597
    Related-Bug: #1526544
    Related-Bug: #1556854
    Related-Bug: #1446704

    Change-Id: I3df16c163d82af7d0db8a64643b915909cabd8f1

fix exist in the mos 9.0 #465 iso.

Related fix proposed to branch: master
Review: https://review.openstack.org/331486

Reviewed: https://review.openstack.org/331486
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=fa37057a3ff8237333ec9986512cb82131fcd309
Submitter: Jenkins
Branch: master

commit fa37057a3ff8237333ec9986512cb82131fcd309
Author: Radoslaw Zarzynski <email address hidden>
Date: Fri Jun 17 18:53:30 2016 +0200

    Fuel controls S3 API/Keystone integration of Ceph RadosGW.

    This change is a part of the broader effort on letting Fuel to control
    the S3 API/Keystone integration of Ceph RadosGW. The overall idea has
    been described in the specs/10.0/s3-keystone-integration.rst document
    that is a part of the fuel-specs repo. It is expected that the UI change
    will be complemented by a corresponding modification of fuel-library.

    Change-Id: I6badbd8bfb73b4c50112b016dc53ee3017de40ec
    Related-Bug: #1446704
    Related-Bug: #1540426
    Closes-Bug: #1595894

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/359128

Reviewed: https://review.openstack.org/359128
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=e43c702a5d29ad6e94e59856cbec29d0664fddda
Submitter: Jenkins
Branch: stable/mitaka

commit e43c702a5d29ad6e94e59856cbec29d0664fddda
Author: Radoslaw Zarzynski <email address hidden>
Date: Fri Jun 17 18:53:30 2016 +0200

    Fuel controls S3 API/Keystone integration of Ceph RadosGW.

    This change is a part of the broader effort on letting Fuel to control
    the S3 API/Keystone integration of Ceph RadosGW. The overall idea has
    been described in the specs/10.0/s3-keystone-integration.rst document
    that is a part of the fuel-specs repo. It is expected that the UI change
    will be complemented by a corresponding modification of fuel-library.

    Change-Id: I6badbd8bfb73b4c50112b016dc53ee3017de40ec
    Related-Bug: #1446704
    Related-Bug: #1540426
    Closes-Bug: #1595894
    (cherry picked from commit fa37057a3ff8237333ec9986512cb82131fcd309)