Hi,
I am using 17.2.6 on Rocky Linux 8
The ceph mgr dashboard, in my situation, (bare metal install, upgraded from 
15->16-> 17.2.6), can no longer hit the ObjectStore->(Daemons,Users,Buckets) 
pages.

When I try to hit those pages, it gives an error:
RGW REST API failed request with status code 403 {"Code": "AccessDenied", 
RequestId: "xxxxxxx", HostId: "yyyy-<my zone>"}

The log of the rgw server it hit has:

"GET /admin/metadata/user?myself HTTP/1.1" 403 125

It appears that the mgr dashboard setting RGW_API_HOST is no longer an option 
that can be set, nor does that name exist anywhere under 
/usr/share/ceph/mgr/dashboard, and:

# ceph dashboard set-rgw-api-host <host>

is no longer in existence in 17.2.6

However, since my situation is an upgrade, the config value still exists in my 
config, and I can retrieve it with:

# ceph dashboard get-rgw-api-host

To get the to work in my situation, I have modified 
/usr/share/ceph/mgr/dashboard/settings.py and re-added RGW_API_HOST to the 
Options class using 

RGW_API_HOST = Settings('', [dict,str])

I then modified /usr/share/ceph/mgr/dashboard/services/rgw_request.py such that 
each rgw daemon retrieved has its 'host' member set to Settings.RGW_API_HOST.

Then after restarting the mgr, I was able to access the 
Objectstore->(Daemons,Users,Buckets) pages in the dashboard.

HOWEVER, I know this is NOT the right way to fix this, it is a hack. It seems 
like the dashboard is trying to contact an rgw server individually. For us, the 
RGW_API_HOST is a name in DNS: s3.my.dom, that has multiple A records, one for 
each of our rgw servers, each of which has the *same* SSL cert with CN and 
SubjectAltNames that allow the cert to present itself as both s3.my.dom as well 
as the individual host name (SubjectAltName has ALL the rgw servers in it). 
This works well for us and has done so since 15.x.y. The endpoint for the zone 
is set to s3.my.dom. Thus my users only have a single endpoint to care about, 
unless there is a failure situation on an rgw server. (We have other ways of 
handling that).
Any thoughts on the CORRECT way to handle this so I can have the ceph dashboard 
work with the ObjectStore->(Daemons,Users,Buckets) pages? Thanks.
-Chris

_______________________________________________
ceph-users mailing list -- [email protected]