Hi,
Have you added oidc-provider caps to the user that is trying to create the
OpenID Connect provider / list OpenID Connect providers, in your case the
user with the access key 'L70QT3LN71SQXWHS97Y4'?
(https://docs.ceph.com/en/quincy/radosgw/oidc/)
Thanks,
Pritha
On Fri, Feb 17, 2023 at 4:54 AM <mat(a)hazmat.dev> wrote:
Hello,
I'm attempting to set up an OpenID Connect provider with RGW. I'm doing this
using the boto3 API & Python. However, it seems that the APIs are failing in
some unexpected ways because radosgw was not set up correctly. There is
sample code below, and yes, I know there are "secrets" in it, but this is
an offline test lab so I am fine with this.
The first error shows this in the logs.
2023-02-16T00:45:26.860-0500 7fe19fef7700 1 ====== starting new request req=0x7fe2ccb54680 =====
2023-02-16T00:45:26.904-0500 7fe19def3700 0 req 17562030806519127926 0.044000439s ERROR: listing filtered objects failed: OIDC pool: default.rgw.meta: oidc_url.: (2) No such file or directory
2023-02-16T00:45:26.904-0500 7fe19aeed700 1 ====== req done req=0x7fe2ccb54680 op status=-2 http_status=404 latency=0.044000439s ======
2023-02-16T00:45:26.904-0500 7fe19aeed700 1 beast: 0x7fe2ccb54680: 10.20.104.178 - authentik [16/Feb/2023:00:45:26.860 -0500] "POST / HTTP/1.1" 404 189 - "Boto3/1.26.71 Python/3.11.1 Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.044000439s
So the object "oidc_url" is missing from the "default.rgw.meta"
pool?
rados --pool default.rgw.meta ls --all
users.uid root.buckets
users.uid authentik.buckets
root test4
root .bucket.meta.test2:3866fac0-854b-48b5-b3b7-bf84a166a404.1165645.1
users.keys ZVBTLTYRRPY7JU39WOR9
users.uid authentik
users.uid cephadmin
users.keys NIVIV0JSKD9D2LDC3IH4
users.uid root
users.email tester(a)lab.dev
users.keys L70QT3LN71SQXWHS97Y4
root .bucket.meta.test:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.1
root .bucket.meta.test4:3866fac0-854b-48b5-b3b7-bf84a166a404.1204730.2
root test
root test2
Well the object is clearly not there and I do not know how to fix this.
The second error produces this error in the log:
2023-02-16T01:11:29.304-0500 7fe1976e6700 1 ====== starting new request req=0x7fe2ccb54680 =====
2023-02-16T01:11:29.312-0500 7fe18c6d0700 1 ====== req done req=0x7fe2ccb54680 op status=-22 http_status=400 latency=0.008000083s ======
2023-02-16T01:11:29.312-0500 7fe18c6d0700 1 beast: 0x7fe2ccb54680: 10.20.104.178 - authentik [16/Feb/2023:01:11:29.304 -0500] "POST / HTTP/1.1" 400 189 - "Boto3/1.26.71 Python/3.11.1 Linux/6.0.6-76060006-generic Botocore/1.29.72" - latency=0.008000083s
It's much less clear what is going on here; it just returns 400. Boto
raises this exception: "botocore.exceptions.ClientError: An error occurred
(Unknown) when calling the CreateOpenIDConnectProvider operation: Unknown".
Has anyone seen this before and know how to set up the correct objects for
OpenID Connect?
Version info
==============================================
ceph version 17.2.5 (e04241aa9b639588fa6c864845287d2824cb6b55) quincy
(stable)
Examples below
==============================================
import boto3

# creating the client works fine - I can see my user authenticate in the
# radosgw logs
access_key_id = 'L70QT3LN71SQXWHS97Y4'
secret_access_key = 'QEXLa5V0Zm38068n3goDtm8V6WlaDwxVmAq9W2XV'
# IAM client pointed at the RGW endpoint rather than AWS
iam = boto3.client('iam',
                   aws_access_key_id=access_key_id,
                   aws_secret_access_key=secret_access_key,
                   region_name="default",
                   endpoint_url="https://s3.lab")

# First error
providers_response = iam.list_open_id_connect_providers()

# Second Error
oidc_response = iam.create_open_id_connect_provider(
    # Issuer URL
    Url="https://login.lab/application/o/d7d64496e26c156ca9ea0802c5d7ed1c/",
    ClientIDList=['authentik'],
    ThumbprintList=['BDCC44F40254E7E1258DA4698833FFE2E8AECA3D3799044D8A1F97F7DFF20511'])
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
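A check worth running before retrying the boto3 calls, added here as an example for this thread (it is not Ceph's code and not from either message): it reads the `caps` list from the JSON that `radosgw-admin user info --uid=<uid>` prints, reports which IAM OpenIDConnect operations the user's oidc-provider caps permit, and builds the `radosgw-admin caps add` command that grants whatever is missing, which is the cap Pritha points to. The mapping of create/delete to the write permission and get/list to the read permission is an assumption about how RGW checks the cap; the sample user records and the uid `oidc-admin` are constructed for the example, not taken from the thread.

```python
"""Check whether an RGW user holds the oidc-provider caps that the IAM
OpenIDConnect calls need, from `radosgw-admin user info --uid=<uid>` JSON.

Added example for this thread, not Ceph's own code. Assumptions are marked.
"""
import json
import subprocess

# Assumption: RGW checks the oidc-provider cap with the write permission for
# create/delete and the read permission for get/list.
OIDC_OPS = {
    "CreateOpenIDConnectProvider": "write",
    "DeleteOpenIDConnectProvider": "write",
    "GetOpenIDConnectProvider": "read",
    "ListOpenIDConnectProviders": "read",
}

# Constructed samples of `radosgw-admin user info` output, trimmed to the
# fields used here; uid and keys are placeholders, not from the thread.
USER_NO_CAPS = {
    "user_id": "oidc-admin",
    "keys": [{"user": "oidc-admin", "access_key": "EXAMPLEKEY000000",
              "secret_key": "redacted"}],
    "caps": [],
}
USER_READ_ONLY = {
    "user_id": "oidc-admin",
    "keys": [],
    "caps": [{"type": "oidc-provider", "perm": "read"}],
}
USER_FULL = {
    "user_id": "oidc-admin",
    "keys": [],
    "caps": [{"type": "oidc-provider", "perm": "*"}],
}


def cap_perms(user_info, cap_type):
    """Permissions granted for one cap type, as a set of 'read'/'write'.

    radosgw-admin prints perm as '*', 'read', 'write' or 'read, write'."""
    perms = set()
    for cap in user_info.get("caps", []):
        if cap.get("type") != cap_type:
            continue
        perm = cap.get("perm", "")
        if perm == "*":
            perms.update({"read", "write"})
        else:
            perms.update(p.strip() for p in perm.split(",") if p.strip())
    return perms


def allowed_oidc_ops(user_info):
    """IAM OIDC operations this user's caps permit, sorted by name."""
    perms = cap_perms(user_info, "oidc-provider")
    return sorted(op for op, need in OIDC_OPS.items() if need in perms)


def missing_perms(user_info, ops):
    """oidc-provider permissions the user still lacks for the given ops."""
    needed = {OIDC_OPS[op] for op in ops}
    return sorted(needed - cap_perms(user_info, "oidc-provider"))


def caps_add_command(uid, user_info, ops):
    """radosgw-admin command granting what is missing, or None if nothing is.

    When both permissions are missing, grant '*' as the Ceph OIDC docs do."""
    lacking = missing_perms(user_info, ops)
    if not lacking:
        return None
    perm = "*" if lacking == ["read", "write"] else lacking[0]
    return ["radosgw-admin", "caps", "add", f"--uid={uid}",
            f"--caps=oidc-provider={perm}"]


def load_user_info(uid):
    """Fetch and parse the live user record; needs radosgw-admin on PATH."""
    out = subprocess.run(["radosgw-admin", "user", "info", f"--uid={uid}"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    import sys
    # With a uid argument, query the cluster; otherwise use the sample record.
    if len(sys.argv) > 1:
        uid, info = sys.argv[1], load_user_info(sys.argv[1])
    else:
        uid, info = USER_NO_CAPS["user_id"], USER_NO_CAPS
    wanted = ["ListOpenIDConnectProviders", "CreateOpenIDConnectProvider"]
    print("allowed now:", allowed_oidc_ops(info))
    cmd = caps_add_command(uid, info, wanted)
    print("fix:", " ".join(cmd) if cmd else "nothing to add")
```

Run it with the uid as its only argument to inspect the live user; without an argument it evaluates the constructed sample with no caps and prints the `caps add` command for the two calls from the post.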