Tuesday, 2020-12-08

*** tdasilva has joined #openstack-swift 00:26
*** ChanServ sets mode: +v tdasilva 00:26
*** m75abrams has quit IRC 00:37
*** openstackgerrit has quit IRC 00:58
*** m75abrams has joined #openstack-swift 01:06
*** openstackgerrit has joined #openstack-swift 02:05
<openstackgerrit> Merged openstack/swift master: Pin Bandit on py2  https://review.opendev.org/c/openstack/swift/+/765883 02:05
*** paladox has quit IRC 02:10
*** paladox has joined #openstack-swift 02:15
*** psachin has joined #openstack-swift 03:16
*** rcernin has quit IRC 03:46
*** rcernin has joined #openstack-swift 03:50
*** m75abrams has quit IRC 04:06
*** m75abrams has joined #openstack-swift 04:08
*** evrardjp has quit IRC 05:33
*** evrardjp has joined #openstack-swift 05:33
*** rcernin has quit IRC 05:39
*** benj_ has quit IRC 06:04
*** benj_ has joined #openstack-swift 06:05
*** rcernin has joined #openstack-swift 06:08
*** rcernin has quit IRC 06:45
*** timburke has quit IRC 06:55
*** rcernin has joined #openstack-swift 07:01
*** lxkong has quit IRC 07:09
*** rcernin has quit IRC 07:25
*** gyee has quit IRC 07:37
*** rpittau|afk is now known as rpittau 08:10
<openstackgerrit> Merged openstack/swift master: Give unit tests a second chance to pass  https://review.opendev.org/c/openstack/swift/+/765589 08:28
*** baojg has quit IRC 08:44
*** lxkong has joined #openstack-swift 09:00
*** baojg has joined #openstack-swift 09:05
*** baojg has quit IRC 09:08
*** baojg has joined #openstack-swift 09:09
*** mvalsecc has quit IRC 09:13
*** dsariel has quit IRC 09:22
*** baojg has quit IRC 09:57
*** baojg has joined #openstack-swift 09:58
*** dsariel has joined #openstack-swift 10:46
*** dsariel has quit IRC 10:54
*** dsariel has joined #openstack-swift 10:54
*** baojg has quit IRC 12:07
*** baojg has joined #openstack-swift 12:07
*** dsariel has quit IRC 12:40
*** dsariel has joined #openstack-swift 12:40
*** dsariel has quit IRC 13:27
*** dsariel has joined #openstack-swift 13:28
*** tdasilva has quit IRC 13:48
*** tdasilva_ has joined #openstack-swift 13:48
*** ChanServ sets mode: +v tdasilva_ 13:48
*** tkajinam has quit IRC 14:47
*** tkajinam has joined #openstack-swift 14:47
*** tdasilva_ is now known as tdasilva 14:56
*** tkajinam has quit IRC 15:18
*** gyee has joined #openstack-swift 15:58
*** klamath_atx has joined #openstack-swift 16:21
<klamath_atx> I took a break from the tempauth for a few days and picked it back up today.  Wanted to test it out cluster wide and running into issues trying to use tempauth + keystone + swift3.  If someone has the time can you take a look at these errors? https://pastebin.com/iyWHQ2Ha 16:23
<klamath_atx> I can get either keystone working, or tempauth, but not both at the same time, very odd error on the proxy head when authing with keystone via swift cli 16:24
<klamath_atx> Dec  8 16:19:21 overcloud-controller-0 proxy-server: ERROR Unhandled exception in request: #012Traceback (most recent call last):#012  File "/usr/lib/python2.7/site-packages/swift/proxy/server.py", line 511, in handle_request#012    resp = req.environ['swift.authorize'](req)#012  File "/usr/lib/python2.7/site-packages/swift/common/middleware/tempauth.py", line 559, in authorize#012    user_groups = (req. 16:24
<klamath_atx> remote_user or '').split(',')#012AttributeError: 'tuple' object has no attribute 'split' (txn: tx89bdc00667704870bccd0-005fcfa789) (client_ip: 172.16.1.7) 16:24
<klamath_atx> Dec  8 16:19:21 overcloud-controller-0 proxy-server: 172.16.1.7 172.16.1.7 08/Dec/2020/16/19/21 GET /v1/AUTH_b8556435276141c6a6370b1abace2068%3Fformat%3Djson HTTP/1.0 500 - python-swiftclient-3.6.1 gAAAAABfz6eHnwE9... - 125 - tx89bdc00667704870bccd0-005fcfa789 - 0.0050 - - 1607444361.791141987 1607444361.796123981 - 16:24
*** timburke has joined #openstack-swift 16:31
*** ChanServ sets mode: +v timburke 16:31
*** psachin has quit IRC 16:38
*** m75abrams has quit IRC 16:57
*** rpittau is now known as rpittau|afk 17:43
*** tdasilva_ has joined #openstack-swift 18:13
*** ChanServ sets mode: +v tdasilva_ 18:13
*** tdasilva has quit IRC 18:16
*** tdasilva_ has quit IRC 18:19
*** tdasilva_ has joined #openstack-swift 18:19
*** ChanServ sets mode: +v tdasilva_ 18:19
<timburke> klamath_atx, sorry for the delay -- are both keystone and tempauth using the same reseller_prefix? i think you should be able to get them to work in the same cluster as long as they each have their own account namespace to work under 18:32
<timburke> reminds me that i ought to rebase https://review.opendev.org/c/openstack/swift/+/630415 ... 18:34
<klamath_atx> gotcha, so i should create another auth prefix for tempauth like KEY_ vs AUTH_ for keystone? 18:39
<openstackgerrit> Tim Burke proposed openstack/swift master: Fix the handling of keystone groups in tempauth.  https://review.opendev.org/c/openstack/swift/+/630415 18:50
<timburke> klamath_atx, yep! then each authmiddleware will handle requests just within its own prefix (iirc) 18:51
<klamath_atx> perfect, thank you, will try that 18:59
*** ianychoi__ has quit IRC 19:44
*** renich has joined #openstack-swift 19:46
<renich> Good time_of_day! o/ 19:47
<renich> I am trying to configure my minio client to be used with a test openstack swift + keystone deployment. I've configured keystonemiddleware and added s3api and s3token to my configuration. I've, also, configured auth_uri and www_authenticate_uri to my keystone server. Still, this doesn't seem to work for some reason. 19:49
<renich> I get this in the logs: https://paste.centos.org/view/387cc6e9 19:50
<renich> here're my relevant configs: https://gitlab.com/-/snippets/2047914 19:56
<timburke> renich, i'm surprised you just get the one log line for the request with log_level=DEBUG -- or maybe proxy.log is apache's logging and not swift's? i wonder where swift's logs are going... 20:21
<timburke> do the backend servers have any requests logged? 20:22
<openstackgerrit> Alistair Coles proposed openstack/swift master: swift-manage-shard-ranges: add 'compact' command  https://review.opendev.org/c/openstack/swift/+/765623 20:56
<renich> timburke: Yeah, the proxy.log is just the access log for the requests. I've renamed it.... 20:57
<renich> timburke: what do you mean backend servers? apache2? 20:58
<timburke> the account/container servers 20:58
<renich> ah, I haven't checked those. Those log to journald 20:58
<renich> let me check 20:58
<renich> timburke: I'm getting this: https://paste.centos.org/view/c465baff 20:59
<renich> odd... it's authorizing as anonymous? 21:00
<renich> And it's trying to find some file that isn't there... 21:00
<renich> ... man, I had forgotten all about journald... :S 21:01
<timburke> interesting... the "Not a path query" message seems to be coming from https://opendev.org/openstack/swift/src/tag/2.26.0/swift/common/middleware/s3api/s3token.py#L255 ... which would seem to mean that s3api didn't parse out any auth info (it would look at the Authorization header and query params) 21:03
<timburke> (normally, there'd be an access key identifier that s3api then stuffs into the request path as though it were the swift account, and then s3token would re-write it to be the correct account) 21:05
<renich> I'm using minio's client: mc. I've generated the access and secret keys with openstack ec2 credentials create 21:06
<renich> And I'm pretty sure they're correct... double-checking now 21:06
<timburke> even if they were wrong, i'd expect a 403, not 404 21:07
<renich> OK 21:08
<renich> They're correct, though. 21:08
<timburke> if you can get some verbose client logs, that'd probably be the next thing i check. or find a way to separate the TLS-terminating from the WSGI-serving in apache so i could peek at the on-the-wire request 21:09
<renich> OK 21:09
<renich> timburke: https://paste.centos.org/view/0848c856 21:09
<timburke> great! so there *should be* an `Authorization: AWS4-HMAC-SHA256 Credential=...` header coming across -- why isn't s3api finding it and parsing it? maybe try adding some debug logging around https://github.com/openstack/swift/blob/2.26.0/swift/common/middleware/s3api/s3request.py#L500-L517 to make sure it's getting detected as a v4 signature? 21:16
<renich> timburke: OK, any tips on how to add the debug logging? how do I add the logging? 21:17
<renich> My current mc config is this: https://paste.centos.org/view/81ee48d5 21:21
<timburke> in a pinch, print statements should work; a better solution would probably be to add a new arg to the function and pass self.logger across from https://github.com/openstack/swift/blob/master/swift/common/middleware/s3api/s3api.py#L286 -- that's the only caller 21:21
<renich> OK 21:24
<renich> let me try that 21:24
<timburke> weird... i can get mc to work in my dev env... looks like i need "path" set to "auto" or "on" though; "off" causes it to hang while trying to list :-/ 21:30
<timburke> you might try forcing it to "on" rather than "auto" 21:31
<renich> OK, I'll force it 21:42
<renich> was trying out the print statements but I made a mess, hehe. In some cases, it loops through the print many times and returns a 500 error 21:42
<renich> ``` 21:42
<renich> def get_request_class(env, s3_acl): 21:42
<renich>     """ 21:42
<renich>     Helper function to find a request class to use from Map 21:42
<renich>     """ 21:42
<renich>     if s3_acl: 21:42
<renich>         request_classes = (S3AclRequest, SigV4S3AclRequest) 21:42
<renich>     else: 21:42
<renich>         request_classes = (S3Request, SigV4Request) 21:42
<renich>     print(request_classes) 21:42
<renich>     req = swob.Request(env) 21:42
<renich>     print(req) 21:42
<renich> Same result when setting path to "on" 21:42
<renich> So, it's working for you timburke, so we know I have an issue somewhere... 21:43
<renich> The auth isn't taking place, it seems. Also, for some reason, I am not getting any logs from keystone 21:44
<renich> I mean, if I use openstack container list, stuff works 21:45
<timburke> yeah, it seems to be an issue somewhere in the s3api middleware in particular -- seems like it's failing to parse the authorization header so it passes the request on verbatim; s3token then doesn't find what it needs to make it go contact keystone, and *somewhere* the proxy ends up deciding that "GET /" should be served a 404 21:50
*** thiago__ has joined #openstack-swift 21:50
*** ChanServ sets mode: +v thiago__ 21:50
<renich> timburke: could it be that the issue is in apache? or the proxy's wsgi? 21:50
*** sorrison has joined #openstack-swift 21:51
<timburke> ...potentially? i'd be surprised, but i'm also running out of other ideas. it's part of why i want to see what's making its way into the request env. fwiw, i added something like http://paste.openstack.org/show/800870/ and got some useful info in my logs (and no 500s) 21:52
*** dsariel has quit IRC 21:52
<renich> timburke: right on. Let me try that. 21:53
*** tdasilva_ has quit IRC 21:53
<timburke> (basically, http://paste.openstack.org/show/800871/. note that signatures etc will not be redacted) 21:54
<renich> http://paste.openstack.org/show/800872/ 21:55
<renich> I think tokien is throttling me, hehe. 21:58
<renich> due to the flooding earlier 21:58
*** rcernin has joined #openstack-swift 21:59
<renich> I see the region is part of the credentials... I have a different region setup 22:03
<timburke> https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request makes me think apache may be stripping the Authorization header... 22:06
<timburke> maybe s3api could also check env['REDIRECT_HTTP_AUTHORIZATION']? idk that there's any sort of standard for that, though. certainly, apache seems to be deviating from WSGI here... :-/ 22:10
*** thiago__ has quit IRC 22:13
*** thiago__ has joined #openstack-swift 22:14
*** ChanServ sets mode: +v thiago__ 22:14
<timburke> fwiw, i seem to see a bunch of rewrite rules like https://opendev.org/osf/openstackid/src/branch/master/public/.htaccess#L17-L19 about 22:16
*** tdasilva_ has joined #openstack-swift 22:18
*** ChanServ sets mode: +v tdasilva_ 22:18
*** thiago__ has quit IRC 22:21
<renich> timburke: yeah, I'll see if that fixes it. 22:26
<renich> Oh, man. I am considering migrating to Nginx... 22:27
<renich> But, I'll give it a try anyway 22:27
<renich> timburke: hah! that worked! 22:31
<renich> man!!! 22:31
<renich> I owe you a box of beers! 22:31
<timburke> 🎉 22:31
<renich> oh man... I've been too long looking for the cause... 22:33
<renich> I need to better my knowledge of apache/switch to nginx|caddy|unit... 22:34
<renich> timburke: man, you have my gratitude and my best wishes for you! Thank you, very much. 22:45
<timburke> happy to help! 22:45
<renich> BTW, the fix was adding this to both apache configurations (keystone and swift-proxy): SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 22:47
<renich> It looks like this: https://paste.centos.org/view/5c8d86dc 22:48
<renich> Here's it again; to prevent eye burning caused by bad indentation (mixed spaces and tabs): https://paste.centos.org/view/d205696f 22:49
<timburke> nice! i should make sure our docs have that in there somewhere... 22:59
<renich> timburke: Awesome. I can help out if you need. 22:59
<timburke> fwiw, i don't think keystone will need the rewrite rule; we only need it because that's the header S3 uses; the swift <-> keystone protocol we more or less make up as we see fit 22:59
<renich> Right on. I'll test and confirm 23:00
<timburke> sure, that'd be great! i think we'd just want to update https://github.com/openstack/swift/blob/master/examples/apache2/account-server.template ? 23:00
<timburke> er, *proxy*, not account 23:01
*** tkajinam has joined #openstack-swift 23:01
<renich> timburke: OK, so, can I do this using github or should we go through the review and stuff? 23:01
<timburke> we only do patches through gerrit (https://review.opendev.org/) 23:02
<renich> Right, I remember. I will submit it through it. 23:03
<openstackgerrit> Tim Burke proposed openstack/swift master: Give probe tests a second chance to pass  https://review.opendev.org/c/openstack/swift/+/766104 23:24
*** mvalsecc has joined #openstack-swift 23:27
<openstackgerrit> Tim Burke proposed openstack/swift master: Increase gate timeouts from 1hr to 1.5hr  https://review.opendev.org/c/openstack/swift/+/766105 23:31
*** hoonetorg has quit IRC 23:36
*** hoonetorg has joined #openstack-swift 23:40
