Bug #36619

radosgw-admin realm pull fails with an error "request failed: (13) Permission denied If the realm has been changed on the master zone, the master zone's gateway may need to be restarted to recognize this user."

Added by Gajanan Mudaliar about 4 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: High
Assignee:
Target version:
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hi All,

I am trying to set up a multi-site following the link below:

http://docs.ceph.com/docs/master/radosgw/multisite/#migrating-a-single-site-system-to-multi-site

Following are the commands executed on the primary site:

  1. radosgw-admin realm create --rgw-realm=movies --default -c /etc/ceph/wcdcdev.conf
  2. radosgw-admin zonegroup create --rgw-zonegroup=us --endpoints=http://wcdc-osd5.dev.us.local:8080 --rgw-realm=movies --master --default -c /etc/ceph/wcdcdev.conf
  3. radosgw-admin zone create --rgw-zonegroup=us --rgw-zone=us-east --master --default --endpoints={http://wcdc-osd5.dev.us.local:8080} -c /etc/ceph/wcdcdev.conf
  4. radosgw-admin user create --uid="synchronization-user" --display-name="Synchronization User" --system -c /etc/ceph/wcdcdev.conf
  5. radosgw-admin zone modify --rgw-zone=us-east --access-key=0N7VJ37U07VEHSQ3Q940 --secret=OYI052p8geadVHgIeOkhuZJAI6GCs6CdUBph6crC -c /etc/ceph/wcdcdev.conf
  6. radosgw-admin period update --commit
  7. systemctl stop ceph-radosgw@rgw.`hostname -s`
  8. systemctl start ceph-radosgw@rgw.`hostname -s`
  9. systemctl enable ceph-radosgw@rgw.`hostname -s`
  10. systemctl status ceph-radosgw@rgw.`hostname -s`

On the secondary site:

  1. radosgw-admin realm pull --url=http://wcdc-osd5:8080 --access-key=0N7VJ37U07VEHSQ3Q940 --secret=OYI052p8geadVHgIeOkhuZJAI6GCs6CdUBph6crC
    request failed: (13) Permission denied
    If the realm has been changed on the master zone, the master zone's gateway may need to be restarted to recognize this user.

History

#1 Updated by Nathan Cutler about 4 years ago

  • Project changed from Ceph to rgw
  • Category deleted (chef)

#2 Updated by Gajanan Mudaliar about 4 years ago

Can we raise the sev of the issue to 1, as it's a blocker to our testing multi-site functionality for Ceph?

#3 Updated by Justin Snyder about 4 years ago

I followed the link below with newly created clusters and ran into the same issue. My guess is that it's related to the Primary Cluster's Gateway not "recognizing" the authorization keys? I'm unable to access the Primary Cluster via the S3 API as well.

http://docs.ceph.com/docs/master/radosgw/multisite/#create-a-secondary-zone

#4 Updated by Casey Bodley about 4 years ago

  • Assignee set to Casey Bodley
  • Priority changed from Normal to High

#5 Updated by Casey Bodley almost 4 years ago

The steps as documented are working for me. I would guess that these auth issues are caused by the 'radosgw-admin user create' command operating on the wrong zone, i.e. not taking the new zone --default into account.

#6 Updated by Gajanan Mudaliar almost 4 years ago

Casey Bodley wrote:

The steps as documented are working for me. I would guess that these auth issues are caused by the 'radosgw-admin user create' command operating on the wrong zone, i.e. not taking the new zone --default into account.

- Presently this issue is gone, not sure how. But the only difference in the new setup is the way Ceph is installed. But the multisite setup is working fine with the same manual.
http://docs.ceph.com/docs/mimic/radosgw/multisite/

#7 Updated by Casey Bodley almost 4 years ago

  • Status changed from New to Resolved

#8 Updated by Achim Ledermüller almost 4 years ago

FYI: We had the same problem. The realm, the zonegroup and the master zone were created years ago with Hammer and yesterday we added the secondary zone with Luminous. Our workaround was to create a new system user and add the credentials with `zone modify` to the master zone (us-east in the example above). With the new credentials it was no problem to pull the realm on the secondary site.
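A consistency check for the cause guessed at in #5 and the workaround in #8, as an added example that is not from this tracker or the Ceph project: it compares the `system_key` stored in the master zone with the keys of the system user. It assumes the JSON comes from `radosgw-admin zone get --rgw-zone=<zone>` and `radosgw-admin user info --uid=<user>` run on the master zone; the function name `check_system_key` and all sample values are constructed.

```python
import json
import sys

# Constructed sample outputs (not from the bug report), trimmed to the fields used.
ZONE_GET = json.loads("""{"name": "us-east",
  "system_key": {"access_key": "EXAMPLEACCESSKEY0001", "secret_key": "example-secret-1"}}""")
USER_INFO = json.loads("""{"user_id": "synchronization-user", "system": "true",
  "keys": [{"user": "synchronization-user",
            "access_key": "EXAMPLEACCESSKEY0001", "secret_key": "example-secret-1"}]}""")


def check_system_key(zone, user):
    """Return the mismatches that would make the master reject a realm pull."""
    problems = []
    sk = zone.get("system_key") or {}
    if not sk.get("access_key"):
        # Nothing to compare: the zone was never given credentials.
        return ["zone has no system_key; set it with 'zone modify --access-key/--secret'"]
    # Assumption: releases differ in printing the flag as "true" or as a JSON boolean.
    if str(user.get("system", "")).lower() != "true":
        problems.append("user is not a system user (created without --system)")
    match = [k for k in user.get("keys", []) if k.get("access_key") == sk["access_key"]]
    if not match:
        problems.append("zone access key does not belong to this user")
    elif match[0].get("secret_key") != sk.get("secret_key"):
        problems.append("secret key stored in the zone differs from the user's secret")
    return problems


if __name__ == "__main__":
    # Usage: script.py zone.json user.json (falls back to the constructed samples).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as zf, open(sys.argv[2]) as uf:
            zone, user = json.load(zf), json.load(uf)
    else:
        zone, user = ZONE_GET, USER_INFO
    # Only findings are printed, never the key material itself.
    for line in check_system_key(zone, user) or ["system key and system user agree"]:
        print(line)
```

If `user info` fails on the master zone because the user does not exist there, that alone points at the wrong-zone case from #5.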
