Bug 1709968

Summary: Overcloud deployed with rgw has incomplete swift endpoints
Product: Red Hat OpenStack Reporter: nalmond
Component: openstack-tripleo-heat-templatesAssignee: Giulio Fidente <gfidente>
Status: CLOSED ERRATA QA Contact: Yogev Rabl <yrabl>
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: aschultz, asimonel, dbecker, djuran, dsundqvi, gcharot, gfidente, gkadam, johfulto, kejones, mburns, moddi, morazi, ndeevy, nweinber, tbarron, tenobreg
Target Milestone: z11Keywords: Reopened, Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-8.4.1-41.el7ost Doc Type: Bug Fix
Doc Text:
Before this update, when deploying Ceph RGW, the object-store endpoint that is created in the Identity service (keystone) was missing the `AUTH_%(tenant_id)s` suffix. This meant that public containers that were created in Ceph RGW could not be accessed without authentication. With this update, the `account_in_url` configuration option for Ceph RGW is appended with `AUTH_%(tenant_id)s` for the object-store endpoints. Public containers can now be hosted in Ceph RGW and accessed without authentication.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-10 11:18:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description nalmond 2019-05-14 16:54:26 UTC 
Description of problem:
When deploying the overcloud using /usr/share/openstack-tripleo-heat-templates/environments/ceph-ansible/ceph-rgw.yaml to configure rgw as a drop-in replacement for swift, the swift endpoints are missing AUTH_%(tenant_id)s causing the issue described in https://access.redhat.com/solutions/3228661 to appear.

The issue appears to lie within /usr/share/openstack-tripleo-heat-templates/network/endpoints/endpoint_data.yaml which has this set for swift, but not rgw:
~~~
Swift:
    Internal:
        net_param: SwiftProxy
        uri_suffixes:
            '': /v1/AUTH_%(tenant_id)s
            S3:
    Public:
        net_param: Public
        uri_suffixes:
            '': /v1/AUTH_%(tenant_id)s
            S3:
    Admin:
        net_param: SwiftProxy
        uri_suffixes:
            '':
            S3:
    port: 8080

CephRgw:
    Internal:
        net_param: CephRgw
        uri_suffixes:
            '': /swift/v1
    Public:
        net_param: Public
        uri_suffixes:
            '': /swift/v1
    Admin:
        net_param: CephRgw
        uri_suffixes:
            '': /swift/v1
    port: 8080
~~~

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-8.2.0-6.2.el7ost.noarch
ceph-ansible-3.2.8-1.el7cp.noarch

How reproducible:
Each deployment

Steps to Reproduce:
1. Deploy RHOSP 13 with rgw per https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/deploying_an_overcloud_with_containerized_red_hat_ceph/index#ceph-rgw
2. Attempt to utilize public containers

Actual results:
Receive NoSuchBucket with public containers, swift endpoints are missing AUTH_%(tenant_id)s

Expected results:
Public containers work normally, swift endpoints are complete

Additional info:
Workaround is:
- append "AUTH_%(tenant_id)s" to each of the uri_suffixes in CephRGW in endpoint_data.yaml
- run the builder script build_endpoint_map.py
- re-run the overcloud deployment
Comment 2 Giulio Fidente 2019-05-22 13:29:18 UTC 
We'll be working on a code change to support this in OSP15, tracked by BZ #1670217 but not backport it to OSP13 given it will be changing the existing default behavior of RGW. For new deployments based on OSP13 a valid workaround exists, as described in comment #0.
Comment 9 Giulio Fidente 2019-12-02 14:28:03 UTC 
*** Bug 1778511 has been marked as a duplicate of this bug. ***
Comment 27 errata-xmlrpc 2020-03-10 11:18:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0760