Re: [ceph-users] Access denied error

Thu, 24 Apr 2014 09:13:33 -0700 

On Thu, Apr 24, 2014 at 8:04 AM, Punit Dambiwal <hypu...@gmail.com> wrote:
>
>
> Hi Yehuda,
>
> I am getting the following from the radosgw logs :-
>
> -----------------------
> 2014-04-22 09:36:00.024618 7ff16ccf6700  1 ====== starting new request 
> req=0x1ec7270 =====
> 2014-04-22 09:36:00.024719 7ff16ccf6700  2 req 15:0.000100::GET 
> /admin/usage::initializing
> 2014-04-22 09:36:00.024731 7ff16ccf6700 10 host=gateway.3linux.com 
> rgw_dns_name=gateway.3linux.com
> 2014-04-22 09:36:00.024763 7ff16ccf6700 20 FCGI_ROLE=RESPONDER
> 2014-04-22 09:36:00.024764 7ff16ccf6700 20 SCRIPT_URL=/admin/usage
> 2014-04-22 09:36:00.024765 7ff16ccf6700 20 
> SCRIPT_URI=http://gateway.3linux.com/admin/usage
> 2014-04-22 09:36:00.024766 7ff16ccf6700 20 HTTP_AUTHORIZATION=AWS 
> KGXJJGKDM5G7G4CNKC7R:LC{ "user_id": "admin",
> 2014-04-22 09:36:00.024767 7ff16ccf6700 20 HTTP_USER_AGENT=curl/7.22.0 
> (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 
> librtmp/2.3
> 2014-04-22 09:36:00.024769 7ff16ccf6700 20 HTTP_ACCEPT=*/*
> 2014-04-22 09:36:00.024770 7ff16ccf6700 20 HTTP_HOST=gateway.3linux.com
> 2014-04-22 09:36:00.024772 7ff16ccf6700 20 CONTENT_LENGTH=0
> 2014-04-22 09:36:00.024772 7ff16ccf6700 20 PATH=/usr/local/bin:/usr/bin:/bin
> 2014-04-22 09:36:00.024774 7ff16ccf6700 20 SERVER_SIGNATURE=
> 2014-04-22 09:36:00.024775 7ff16ccf6700 20 SERVER_SOFTWARE=Apache/2.2.22 
> (Ubuntu)
> 2014-04-22 09:36:00.024775 7ff16ccf6700 20 SERVER_NAME=gateway.3linux.com
> 2014-04-22 09:36:00.024776 7ff16ccf6700 20 SERVER_ADDR=117.18.79.110
> 2014-04-22 09:36:00.024777 7ff16ccf6700 20 SERVER_PORT=80
> 2014-04-22 09:36:00.024778 7ff16ccf6700 20 REMOTE_ADDR=117.18.79.110
> 2014-04-22 09:36:00.024779 7ff16ccf6700 20 DOCUMENT_ROOT=/var/www
> 2014-04-22 09:36:00.024780 7ff16ccf6700 20 SERVER_ADMIN=c...@3linux.com
> 2014-04-22 09:36:00.024781 7ff16ccf6700 20 SCRIPT_FILENAME=/var/www/s3gw.fcgi
> 2014-04-22 09:36:00.024782 7ff16ccf6700 20 REMOTE_PORT=33320
> 2014-04-22 09:36:00.024783 7ff16ccf6700 20 GATEWAY_INTERFACE=CGI/1.1
> 2014-04-22 09:36:00.024788 7ff16ccf6700 20 SERVER_PROTOCOL=HTTP/1.1
> 2014-04-22 09:36:00.024788 7ff16ccf6700 20 REQUEST_METHOD=GET
> 2014-04-22 09:36:00.024789 7ff16ccf6700 20 
> QUERY_STRING=page=admin&params=/usage&format=json
> 2014-04-22 09:36:00.024790 7ff16ccf6700 20 
> REQUEST_URI=/admin/usage?format=json
> 2014-04-22 09:36:00.024791 7ff16ccf6700 20 SCRIPT_NAME=/admin/usage
> 2014-04-22 09:36:00.024792 7ff16ccf6700  2 req 15:0.000174::GET 
> /admin/usage::getting op
> 2014-04-22 09:36:00.024795 7ff16ccf6700  2 req 15:0.000177::GET 
> /admin/usage:get_usage:authorizing
> 2014-04-22 09:36:00.024810 7ff16ccf6700 20 get_obj_state: rctx=0x7ff0f00271e0 
> obj=.users:KGXJJGKDM5G7G4CNKC7R state=0x7ff0f0025778 s->prefetch_data=0
> 2014-04-22 09:36:00.024817 7ff16ccf6700 10 moving .users+KGXJJGKDM5G7G4CNKC7R 
> to cache LRU end
> 2014-04-22 09:36:00.024819 7ff16ccf6700 10 cache get: 
> name=.users+KGXJJGKDM5G7G4CNKC7R : type miss (requested=6, cached=3)
> 2014-04-22 09:36:00.026317 7ff16ccf6700 10 cache put: 
> name=.users+KGXJJGKDM5G7G4CNKC7R
> 2014-04-22 09:36:00.026330 7ff16ccf6700 10 moving .users+KGXJJGKDM5G7G4CNKC7R 
> to cache LRU end
> 2014-04-22 09:36:00.026340 7ff16ccf6700 20 get_obj_state: s->obj_tag was set 
> empty
> 2014-04-22 09:36:00.026350 7ff16ccf6700 10 moving .users+KGXJJGKDM5G7G4CNKC7R 
> to cache LRU end
> 2014-04-22 09:36:00.026352 7ff16ccf6700 10 cache get: 
> name=.users+KGXJJGKDM5G7G4CNKC7R : hit
> 2014-04-22 09:36:00.026371 7ff16ccf6700 20 get_obj_state: rctx=0x7ff0f00259d0 
> obj=.users.uid:admin state=0x7ff0f0023b78 s->prefetch_data=0
> 2014-04-22 09:36:00.026380 7ff16ccf6700 10 moving .users.uid+admin to cache 
> LRU end
> 2014-04-22 09:36:00.026382 7ff16ccf6700 10 cache get: name=.users.uid+admin : 
> type miss (requested=6, cached=19)
> 2014-04-22 09:36:00.028214 7ff16ccf6700 10 cache put: name=.users.uid+admin
> 2014-04-22 09:36:00.028227 7ff16ccf6700 10 moving .users.uid+admin to cache 
> LRU end
> 2014-04-22 09:36:00.028235 7ff16ccf6700 20 get_obj_state: s->obj_tag was set 
> empty
> 2014-04-22 09:36:00.028244 7ff16ccf6700 10 moving .users.uid+admin to cache 
> LRU end
> 2014-04-22 09:36:00.028247 7ff16ccf6700 10 cache get: name=.users.uid+admin : 
> hit
> 2014-04-22 09:36:00.028279 7ff16ccf6700  0 NOTICE: missing date for auth 
> header
> 2014-04-22 09:36:00.028282 7ff16ccf6700 10 failed to create auth header
>
> 2014-04-22 09:36:00.028284 7ff16ccf6700 10 failed to authorize request
> 2014-04-22 09:36:00.028306 7ff16ccf6700  2 req 15:0.003688::GET 
> /admin/usage:get_usage:http status=403
> 2014-04-22 09:36:00.028390 7ff16ccf6700  1 ====== req done req=0x1ec7270 
> http_status=403 ======
> 2014-04-22 09:36:09.046933 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2014-04-22 09:36:31.047075 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2014-04-22 09:36:45.526088 7ff1887a1780 20 enqueued request req=0x1ec2b70
> 2014-04-22 09:36:45.526102 7ff1887a1780 20 RGWWQ:
> 2014-04-22 09:36:45.526103 7ff1887a1780 20 req: 0x1ec2b70
> 2014-04-22 09:36:45.526106 7ff1887a1780 10 allocated request req=0x1ec7270
> 2014-04-22 09:36:45.526121 7ff106fb5700 20 dequeued request req=0x1ec2b70
> 2014-04-22 09:36:45.526124 7ff106fb5700 20 RGWWQ: empty
> 2014-04-22 09:36:45.526128 7ff106fb5700  1 ====== starting new request 
> req=0x1ec2b70 =====
> 2014-04-22 09:36:45.526233 7ff106fb5700  2 req 16:0.000106::GET 
> /admin/usage::initializing
> 2014-04-22 09:36:45.526239 7ff106fb5700 10 host=gateway.3linux.com 
> rgw_dns_name=gateway.3linux.com
> 2014-04-22 09:36:45.526273 7ff106fb5700 20 FCGI_ROLE=RESPONDER
> 2014-04-22 09:36:45.526275 7ff106fb5700 20 SCRIPT_URL=/admin/usage
> 2014-04-22 09:36:45.526276 7ff106fb5700 20 
> SCRIPT_URI=http://gateway.3linux.com/admin/usage
> 2014-04-22 09:36:45.526277 7ff106fb5700 20 HTTP_AUTHORIZATION=AWS 
> KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN{ "user_id": 
> "admin",
> 2014-04-22 09:36:45.526278 7ff106fb5700 20 HTTP_USER_AGENT=curl/7.22.0 
> (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 
> librtmp/2.3
> 2014-04-22 09:36:45.526279 7ff106fb5700 20 HTTP_ACCEPT=*/*
> 2014-04-22 09:36:45.526280 7ff106fb5700 20 HTTP_HOST=gateway.3linux.com
> 2014-04-22 09:36:45.526281 7ff106fb5700 20 CONTENT_LENGTH=0
> 2014-04-22 09:36:45.526282 7ff106fb5700 20 PATH=/usr/local/bin:/usr/bin:/bin
> 2014-04-22 09:36:45.526283 7ff106fb5700 20 SERVER_SIGNATURE=
> 2014-04-22 09:36:45.526284 7ff106fb5700 20 SERVER_SOFTWARE=Apache/2.2.22 
> (Ubuntu)
> 2014-04-22 09:36:45.526285 7ff106fb5700 20 SERVER_NAME=gateway.3linux.com
> 2014-04-22 09:36:45.526287 7ff106fb5700 20 SERVER_ADDR=117.18.79.110
> 2014-04-22 09:36:45.526288 7ff106fb5700 20 SERVER_PORT=80
> 2014-04-22 09:36:45.526289 7ff106fb5700 20 REMOTE_ADDR=117.18.79.110
> 2014-04-22 09:36:45.526290 7ff106fb5700 20 DOCUMENT_ROOT=/var/www
> 2014-04-22 09:36:45.526291 7ff106fb5700 20 SERVER_ADMIN=c...@3linux.com
> 2014-04-22 09:36:45.526291 7ff106fb5700 20 SCRIPT_FILENAME=/var/www/s3gw.fcgi
> 2014-04-22 09:36:45.526293 7ff106fb5700 20 REMOTE_PORT=33321
> 2014-04-22 09:36:45.526294 7ff106fb5700 20 GATEWAY_INTERFACE=CGI/1.1
> 2014-04-22 09:36:45.526295 7ff106fb5700 20 SERVER_PROTOCOL=HTTP/1.1
> 2014-04-22 09:36:45.526295 7ff106fb5700 20 REQUEST_METHOD=GET
> 2014-04-22 09:36:45.526297 7ff106fb5700 20 
> QUERY_STRING=page=admin&params=/usage&format=json
> 2014-04-22 09:36:45.526298 7ff106fb5700 20 
> REQUEST_URI=/admin/usage?format=json
> 2014-04-22 09:36:45.526299 7ff106fb5700 20 SCRIPT_NAME=/admin/usage
> 2014-04-22 09:36:45.526300 7ff106fb5700  2 req 16:0.000173::GET 
> /admin/usage::getting op
> 2014-04-22 09:36:45.526304 7ff106fb5700  2 req 16:0.000177::GET 
> /admin/usage:get_usage:authorizing
> 2014-04-22 09:36:45.526326 7ff106fb5700 20 get_obj_state: rctx=0x7ff100049230 
> obj=.users:KGXJJGKDM5G7G4CNKC7R state=0x7ff10000e4d8 s->prefetch_data=0
> 2014-04-22 09:36:45.526335 7ff106fb5700 10 moving .users+KGXJJGKDM5G7G4CNKC7R 
> to cache LRU end
> 2014-04-22 09:36:45.526338 7ff106fb5700 10 cache get: 
> name=.users+KGXJJGKDM5G7G4CNKC7R : hit
> 2014-04-22 09:36:45.526346 7ff106fb5700 20 get_obj_state: s->obj_tag was set 
> empty
> 2014-04-22 09:36:45.526352 7ff106fb5700 10 moving .users+KGXJJGKDM5G7G4CNKC7R 
> to cache LRU end
> 2014-04-22 09:36:45.526354 7ff106fb5700 10 cache get: 
> name=.users+KGXJJGKDM5G7G4CNKC7R : hit
> 2014-04-22 09:36:45.526367 7ff106fb5700 20 get_obj_state: rctx=0x7ff10003f010 
> obj=.users.uid:admin state=0x7ff10000e4d8 s->prefetch_data=0
> 2014-04-22 09:36:45.526373 7ff106fb5700 10 moving .users.uid+admin to cache 
> LRU end
> 2014-04-22 09:36:45.526375 7ff106fb5700 10 cache get: name=.users.uid+admin : 
> hit
> 2014-04-22 09:36:45.526379 7ff106fb5700 20 get_obj_state: s->obj_tag was set 
> empty
> 2014-04-22 09:36:45.526382 7ff106fb5700 10 moving .users.uid+admin to cache 
> LRU end
> 2014-04-22 09:36:45.526384 7ff106fb5700 10 cache get: name=.users.uid+admin : 
> hit
> 2014-04-22 09:36:45.526404 7ff106fb5700  0 NOTICE: missing date for auth 
> header


^^^ missing date for auth header

You're not signing it correctly, missing the date header.

Yehuda




> 2014-04-22 09:36:45.526407 7ff106fb5700 10 failed to create auth header
>
> 2014-04-22 09:36:45.526408 7ff106fb5700 10 failed to authorize request
> 2014-04-22 09:36:45.526431 7ff106fb5700  2 req 16:0.000304::GET 
> /admin/usage:get_usage:http status=403
> 2014-04-22 09:36:45.526571 7ff106fb5700  1 ====== req done req=0x1ec2b70 
> http_status=403 ======
> 2014-04-22 09:36:53.047233 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2014-04-22 09:37:15.047365 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2014-04-22 09:37:37.047488 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2014-04-22 09:37:59.047561 7ff16effd700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> ------------------------
>
> Thanks,
>
>
> On Tue, Apr 22, 2014 at 12:42 AM, Yehuda Sadeh <yeh...@inktank.com> wrote:
>>
>>
>>
>>
>> On Fri, Apr 18, 2014 at 10:07 PM, Punit Dambiwal <hypu...@gmail.com> wrote:
>>>
>>> Hi Yehuda,
>>>
>>> I have used the method in this blog to pass the header information 
>>> http://blog.defunct.ca/2013/10/10/using-the-radosgw-admin-api/ and gave like
>>>
>>> Authorization: AWS {access-key}:{hash-of-header-
>>> and-secret}
>>>
>>> and the complete command like
>>>
>>> curl -i 'http://gateway.3linux.com/admin/usage?format=json' -X GET -H 
>>> 'Authorization: AWS KGXJJGKDM5G7G4CNKC7R:
>>> LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN' -H 'Host: gateway.3linux.com' -H 
>>> 'Content-Length: 0'
>>>
>>> After running the above command execution getting an access denied error 
>>> message. Is there any issues in the above header information ? or could you 
>>> please explain how we can authenticate using access keys and access tokens 
>>> ? or how we can pass the header information ?
>>>
>>
>> If done correctly it should work. What does the rgw log say? (add 'debug rgw 
>> = 20' to your ceph.conf).
>>
>> Yehuda
>>
>>>
>>>
>>> On Sat, Apr 19, 2014 at 1:05 PM, Punit Dambiwal <hypu...@gmail.com> wrote:
>>>>
>>>> Hi Yehuda,
>>>>
>>>> I have used the method in this blog to pass the header information 
>>>> http://blog.defunct.ca/2013/10/10/using-the-radosgw-admin-api/ and gave 
>>>> like
>>>>
>>>> Authorization: AWS {access-key}:{hash-of-header-
>>>> and-secret}
>>>>
>>>> and the complete command like
>>>>
>>>> curl -i 'http://s3.linux.com/admin/usage?format=json' -X GET -H 
>>>> 'Authorization: AWS 
>>>> KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN' -H 'Host: 
>>>> gateway.3linux.com' -H 'Content-Length: 0'
>>>>
>>>> After running the above command execution getting an access denied error 
>>>> message. Is there any issues in the above header information ? or could 
>>>> you please explain how we can authenticate using access keys and access 
>>>> tokens ? or how we can pass the header information ?
>>>>
>>>>
>>>> On Thu, Apr 17, 2014 at 12:10 AM, Yehuda Sadeh <yeh...@inktank.com> wrote:
>>>>>
>>>>> On Tue, Apr 15, 2014 at 11:33 PM, Punit Dambiwal <hypu...@gmail.com> 
>>>>> wrote:
>>>>> > Hi,
>>>>> >
>>>>> > Still i am getting the same error,when i run the following :-
>>>>> >
>>>>> > ----------------------
>>>>> > curl -i 'http://xxx.xlinux.com/admin/usage?format=json' -X GET -H
>>>>> > 'Authorization: AWS
>>>>> > YHFQ4D8BM835BCGERHTN:kXpM0XB9UjOadexDu2ZoP8s4nKjuoL0iIZhE\/+Gv' -H 
>>>>> > 'Host:
>>>>>
>>>>>
>>>>> Where did you come up with this authorization field? You need to sign
>>>>> the message appropriately.
>>>>>
>>>>> Yehuda
>>>>>
>>>>> > xxx.xlinux.com' -H 'Content-Length: 0'
>>>>> > HTTP/1.1 403 Forbidden
>>>>> > Date: Wed, 16 Apr 2014 06:26:45 GMT
>>>>> >
>>>>> > Server: Apache/2.2.22 (Ubuntu)
>>>>> > Accept-Ranges: bytes
>>>>> > Content-Length: 23
>>>>> > Content-Type: application/json
>>>>> >
>>>>> > {"Code":"AccessDenied"}
>>>>> > -------------------
>>>>> >
>>>>> > Can any body help me to resolve this issue..
>>>>> >
>>>>> > Thanks,
>>>>> > punit
>>>>> >
>>>>> >
>>>>> > On Mon, Apr 14, 2014 at 11:55 AM, Punit Dambiwal <hypu...@gmail.com> 
>>>>> > wrote:
>>>>> >>
>>>>> >> Hi,
>>>>> >>
>>>>> >> I am trying to list out all users using the Ceph S3 api and php. These 
>>>>> >> are
>>>>> >> the lines of code which i used for
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --------------------------------------------------------------------------------------------------
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> $url = "http://XXXX.Xlinux.com/admin/user?format=json";;
>>>>> >>
>>>>> >> $ch = curl_init ($url);
>>>>> >>
>>>>> >> curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET"); curl_setopt($ch,
>>>>> >> CURLOPT_USERPWD,
>>>>> >> "P8K3750Z3PP5MGUKQYBL:CB+Ioydr1XsmQF\/gQmE\/X3YsDjtDbxLZzByaU9t\/");
>>>>> >>
>>>>> >> curl_setopt($ch, CURLOPT_HTTPHEADER, array("Authorization: AWS
>>>>> >> P8K3750Z3PP5MGUKQYBL:CB+Ioydr1XsmQF\/gQmE\/X3YsDjtDbxLZzByaU9t\/"));
>>>>> >>
>>>>> >> curl_setopt($ch, CURLOPT_HEADER, 0);
>>>>> >>
>>>>> >> curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch,
>>>>> >> CURLOPT_BINARYTRANSFER,1); $response = curl_exec($ch); $output =
>>>>> >> json_encode($response);
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>     print_r($output);
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --------------------------------------------------------------------------------------------------
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> I am getting an error: access denied as output. Could you please check 
>>>>> >> it
>>>>> >> ?
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> I have also tried the same using the curl command like
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> curl -i 'http://XXX.Xlinux.com/admin/usage?format=json' -X GET -H
>>>>> >>
>>>>> >> 'Authorization: AWS
>>>>> >>
>>>>> >> P8K3750Z3PP5MGUKQYBL:CB+Ioydr1XsmQF\/gQmE\/X3YsDjtDbxLZzByaU9t\/' -H
>>>>> >>
>>>>> >> 'Host: XXX.Xlinux.com' -H 'Content-Length: 0'
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> HTTP/1.1 403 Forbidden
>>>>> >>
>>>>> >> Date: Fri, 11 Apr 2014 10:08:20 GMT
>>>>> >>
>>>>> >> Server: Apache/2.2.22 (Ubuntu)
>>>>> >>
>>>>> >> Accept-Ranges: bytes
>>>>> >>
>>>>> >> Content-Length: 23
>>>>> >>
>>>>> >> Content-Type: application/json
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> {"Code":"AccessDenied"}
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> Can any body let me know if anything wrong in the above... ??
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >
>>>>> >
>>>>> > _______________________________________________
>>>>> > ceph-users mailing list
>>>>> > ceph-users@lists.ceph.com
>>>>> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>>>>> >
>>>>
>>>>
>>>
>>
>
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Reply via email to