radosgw-cannot-find-keystone-domain-users

Bug #1498552 reported by Robert Duncan
This bug affects 2 people
Affects                                         Status      Importance   Assigned to          Milestone
Mirantis OpenStack (status tracked in 10.0.x)
  10.0.x                                        Confirmed   Wishlist     Radoslaw Zarzynski
  6.1.x                                         Won't Fix   Medium       MOS Maintenance
  7.0.x                                         Won't Fix   High         Alexey Stupnikov
  8.0.x                                         Won't Fix   Wishlist     Radoslaw Zarzynski

Bug Description

build_id: 2015-06-19_13-02-31
build_number: '525'
feature_groups:
- mirantis
fuel-library_sha: 2e7a08ad9792c700ebf08ce87f4867df36aa9fab
fuel-ostf_sha: 8fefcf7c4649370f00847cc309c24f0b62de718d
fuelmain_sha: a3998372183468f56019c8ce21aa8bb81fee0c2f
nailgun_sha: dbd54158812033dd8cfd7e60c3f6650f18013a37
openstack_version: 2014.2.2-6.1
production: docker
python-fuelclient_sha: 4fc55db0265bbf39c369df398b9dc7d6469ba13b
release: '6.1'
release_versions:
  2014.2.2-6.1:
    VERSION:
      api: '1.0'
      astute_sha: 1ea8017fe8889413706d543a5b9f557f5414beae
      build_id: 2015-06-19_13-02-31
      build_number: '525'
      feature_groups:
      - mirantis
      fuel-library_sha: 2e7a08ad9792c700ebf08ce87f4867df36aa9fab
      fuel-ostf_sha: 8fefcf7c4649370f00847cc309c24f0b62de718d
      fuelmain_sha: a3998372183468f56019c8ce21aa8bb81fee0c2f
      nailgun_sha: dbd54158812033dd8cfd7e60c3f6650f18013a37
      openstack_version: 2014.2.2-6.1
      production: docker
      python-fuelclient_sha: 4fc55db0265bbf39c369df398b9dc7d6469ba13b

Radosgw can only find users on the keystone default sql backed domain.

Steps to reproduce:
1. Deploy MOS 6.1 with Ceph for object storage
2. Verify the users in the default domain can use the swift API and create objects in horizon
3. Configure Keystone for Domain users with: domain_specific_drivers = true
4. Add an ldap domain in /etc/keystone/domains
5. Configure horizon to use identity api version 3
6. Observe domain users can log in and use all services, glance, cinder, nova, neutron
7. Observe domain users cannot list containers in horizon with error message 'ERROR unable to retrieve container list'
Error message from swift cli: "unable to find user "username""

Radosgw needs to support searching for users in a domain and project.
Domain users are not returned with keystone user-list; presumably ceph will need to release support for keystone v3 domain scoped tokens.

https://wiki.openstack.org/wiki/Swift/DevstackSetupForKeystoneV3

Robert Duncan (rduncan-t) wrote :

The original error report submitted by me is invalid: my user was not in an ldap group, so Unable to find user 'username' is a perfectly valid error.
The error is in fact:

2015-09-28 12:59:38 WARNING Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 172.25.60.2
2015-09-28 12:59:38 WARNING : Bypassing authorization
2015-09-28 12:59:37 WARNING Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 172.25.60.2

ceph radosgw is hardcoded to use /v2.0 in keystone url
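
An added triage example, not part of the thread or of any project's code: it scans Keystone warnings in the format quoted in the comment above and counts, per source address, the "Non-default domain is not supported" rejections that the comment ties to radosgw's /v2.0 usage. The log layout is assumed to match the quoted lines; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (documentation addresses).
SAMPLE_LOG = """\
2015-09-28 12:59:37 WARNING Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) from 192.0.2.10
2015-09-28 12:59:38 WARNING : Bypassing authorization
2015-09-28 12:59:38 WARNING Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) from 192.0.2.10
2015-09-28 13:01:02 WARNING Authorization failed. The request you have made requires authentication. from 192.0.2.44
2015-09-28 13:04:11 WARNING Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) from 192.0.2.11
"""

# Assumed layout: "<date> <time> WARNING Authorization failed. <reason> from <source>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING "
    r"Authorization failed\. (?P<reason>.*?) from (?P<src>\S+)$"
)
# Debug-mode suffix; it can appear more than once on a line, as in the thread.
DEBUG_HINT = "(Disable debug mode to suppress these details.)"
DOMAIN_REASON = "Non-default domain is not supported"


def parse_failures(text):
    """Yield (timestamp, reason, source) for each 'Authorization failed' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other warnings are not interpreted here
        reason = m.group("reason").replace(DEBUG_HINT, "").strip()
        yield m.group("ts"), reason, m.group("src")


def v2_domain_rejections(text):
    """Count non-default-domain rejections per source address."""
    hits = Counter()
    for _ts, reason, src in parse_failures(text):
        if reason.startswith(DOMAIN_REASON):
            hits[src] += 1
    return hits


if __name__ == "__main__":
    for src, count in v2_domain_rejections(SAMPLE_LOG).most_common():
        print(f"{src}: {count} rejected request(s) for non-default-domain users")
```

Sources that show up here are the clients to check for a keystone URL that still ends in /v2.0.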

Vitaly Sedelnik (vsedelnik) wrote :

Won't Fix for 6.1-updates because of Medium importance

Robert Duncan (rduncan-t) wrote :

I have logged this with Red Hat; they are now fast tracking a fix for radosgw.

https://access.redhat.com/solutions/1977983#

I'm surprised this is medium considering how limiting keystone version 2 is; 3 was introduced in Havana. It supports SSO with SAML, OpenID Connect, multiple domains, and it doesn't impose itself on an ldap schema, such as creating OUs and service accounts etc.

Rob.

Boris Bobrov (bbobrov) wrote :

This is a radosgw-related bug. Radosgw needs to be fixed. I don't know who our radosgw team is; Vitaly, please assign the bug to them.

Robert Duncan (rduncan-t) wrote :

I have logged this with Red Hat, who are fast tracking a solution; assuming this will be a patch or new version, perhaps Mirantis don't need to take any action except updating the puppet manifest when it becomes available?

Resolution

Currently Red Hat Ceph Storage does not support integration with Keystone v3 and only supports v2.
A Red Hat feature enhancement and upstream feature enhancement have been open to address this.
https://bugzilla.redhat.com/show_bug.cgi?id=1268056
http://tracker.ceph.com/issues/13303
http://tracker.ceph.com/issues/8052

Boris Bobrov (bbobrov) wrote :

OK, I forgot that Vitaly doesn't do 8.0. Will ping someone else now...

tags: added: enhancement
Radoslaw Zarzynski (rzarzynski) wrote :

OpenStack Identity API v3 isn't supported by radosgw yet. As a new feature this should go through product management.

Radoslaw Zarzynski (rzarzynski) wrote :

On Wednesday someone from the community sent a pull request bringing
support for v3 [1]. It's a very fresh thing that is undergoing the review
process at the moment.

[1] https://github.com/ceph/ceph/pull/6337

Radoslaw Zarzynski (rzarzynski) wrote :

Won't fix in 8.0 due to medium importance.

Robert Duncan (rduncan-t) wrote :

This means keystone 3 and radosgw are broken with no workaround until Mitaka. This should be noted as a known issue in documentation: swift works with domain scoped tokens, ceph does not.

Roman Rufanov (rrufanov) wrote :

Customer found on MOS 7.0 - please back-port. Thanks !

tags: added: customer-found support
Robert Duncan (rduncan-t) wrote :

Red Hat to release support for keystone v3 in RHCS 2.0 at the end of February. Apparently it won't be backported.

Changed in mos:
milestone: 8.0 → 9.0
Robert Duncan (rduncan-t) wrote :

Hi Radoslaw - I see you merged this as a new feature.
https://github.com/ceph/ceph/pull/7719/commits

It won't make Liberty?

thanks,
Rob.

Radoslaw Zarzynski (rzarzynski) wrote :

Hello Robert,

Ceph release cycle isn't coupled with OpenStack. The Keystone v3
support in RadosGW will be available with upcoming Jewel LTS.
As it's essentially a new feature and the changes aren't so small,
I doubt they will be backported to Hammer.

Regards,
Radoslaw

Herman Narkaytis (hnarkaytis) wrote : Re: [Bug 1498552] Re: radosgw-cannot-find-keystone-domain-users

Radoslaw,
  Are you sure that Robert Duncan <email address hidden> got your response? I
can see only myself in recipients.

HHN.

On Wed, Feb 24, 2016 at 10:48 PM, Radoslaw Zarzynski <
<email address hidden>> wrote:

> Hello Robert,
>
> Ceph release cycle isn't coupled with OpenStack. The Keystone v3
> support in RadosGW will be available with upcoming Jewel LTS.
> As it's essentially a new feature and the changes aren't so small,
> I doubt they will be backported to Hammer.
>
> Regards,
> Radoslaw

--
Herman...


Robert Duncan (rduncan-t) wrote :

Thanks Radoslaw, I have single sign on with SAML working with Kilo on MOS 7.0, but it breaks object storage authentication due to domain scoped tokens :(

Alexey Stupnikov (astupnikov) wrote :

Setting to Won’t Fix for 7.0-updates as Ceph 0.94.6 doesn’t support keystone v3 per [1] (keystone v3 is supported by Red Hat’s Ceph fork only). The appropriate Ceph feature is tracked at [2]; it could be consumed in MOS only after it lands in some Ceph release and that release is later consumed by MOS. All previous releases of MOS DO NOT support keystone v3 in Ceph; please communicate this to customers if this issue is reported.

[1] https://github.com/ceph/ceph/pull/7719
[2] http://tracker.ceph.com/issues/13303

tags: added: wontfix-feature
Radoslaw Zarzynski (rzarzynski) wrote :

Setting to "Won't Fix" for MOS 9 as Ceph v0.94.6 doesn't support
Keystone v3. Support for OpenStack Identity API v3 in RadosGW
will be available with the next Ceph LTS release, Jewel.

For more details, please also refer to comment #17.

Changed in mos:
status: Confirmed → Won't Fix
Robert Duncan (rduncan-t) wrote :

..........nnnnNooooooooo :-{

Robert Duncan (rduncan-t) wrote :

Hi Radoslaw - this no longer affects MOS 9.0 :-)

Using the ldap fuel plugin with multi domain, users can create containers etc. in Horizon and swift client
with Ceph rados.

 ceph --version
ceph version 0.94.6 (e832001feaf8c176593e0325c8298e3f16dfb403)
