Re: [ceph-users] 403 AccessDenied with presigned url in Jewel AWS4.

2016-06-05 Thread Khang Nguyễn Nhật
Thanks, Robin H. Johnson!

I've set "debug rgw = 20" in the RGW config file and I have seen "NOTICE: now =
1464998270, now_req = 1464973070, exp = 3600" in the RGW log file. I see that
now is the local time on the RGW server (my timezone is UTC + 7) and
now_req is UTC time. This leads to an error in src/rgw/rgw_rest_s3.cc:

int RGW_Auth_S3::authorize_v4(..){
  //
  if (now >= now_req + exp) {
    dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req <<
      ", exp = " << exp << dendl;
    return -EPERM;
  }
  //

Then I tried setting the time on the RGW server to UTC and it works fine!
Is this a bug?

2016-06-03 11:44 GMT+07:00 Robin H. Johnson :

> On Fri, Jun 03, 2016 at 11:34:35AM +0700, Khang Nguyễn Nhật wrote:
> > s3 = boto3.client(service_name='s3', region_name='', use_ssl=False,
> > endpoint_url='http://192.168.1.10:', aws_access_key_id=access_key,
> >   aws_secret_access_key= secret_key,
> >   config=Config(signature_version='s3v4', region_name=''))
> The region part doesn't seem right. Try setting it to 'ap' or
> 'ap-southeast'.
>
> Failing that, turn up the RGW loglevel to 20, and run a request, then
> look at the logs of how it created the signature, and manually compare
> them to what your client should have built (with boto in verbose
> debugging).
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
> E-Mail   : robb...@gentoo.org
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
> GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
> ___
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
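
Added example (not part of the thread and not Ceph's code): the logged values replayed through the comparison quoted in the message above, showing that they differ by exactly the UTC+7 offset and that the same comparison passes once both sides use one time basis. The X-Amz-Date string and all function names are constructed for illustration.

```python
import calendar
import time
from datetime import datetime, timedelta, timezone

AMZ_FMT = "%Y%m%dT%H%M%SZ"  # layout of the X-Amz-Date query parameter


def epoch_utc(amz_date):
    """Epoch seconds for an X-Amz-Date string, reading its fields as UTC."""
    return calendar.timegm(time.strptime(amz_date, AMZ_FMT))


def epoch_with_offset(amz_date, hours):
    """Epoch seconds if the same fields are read as wall-clock time at UTC+hours."""
    naive = datetime.strptime(amz_date, AMZ_FMT)
    return int(naive.replace(tzinfo=timezone(timedelta(hours=hours))).timestamp())


def expired(now, now_req, exp):
    """The comparison quoted from authorize_v4: reject when now >= now_req + exp."""
    return now >= now_req + exp


def whole_hour_skew(now, now_req):
    """Gap between two epoch values in hours, or None if it is not a whole number."""
    delta = now - now_req
    return delta // 3600 if delta % 3600 == 0 else None


# Values copied from the RGW log line quoted in the thread.
LOG_NOW, LOG_NOW_REQ, LOG_EXP = 1464998270, 1464973070, 3600

# Constructed X-Amz-Date, chosen so that its UTC reading equals LOG_NOW.
SAMPLE_AMZ_DATE = "20160603T235750Z"

if __name__ == "__main__":
    print("rejected with logged values:", expired(LOG_NOW, LOG_NOW_REQ, LOG_EXP))
    print("gap in hours:", whole_hour_skew(LOG_NOW, LOG_NOW_REQ))
    print("fields read as UTC:  ", epoch_utc(SAMPLE_AMZ_DATE))
    print("fields read at UTC+7:", epoch_with_offset(SAMPLE_AMZ_DATE, 7))
    same_basis = epoch_utc(SAMPLE_AMZ_DATE)
    print("rejected on one time basis:", expired(LOG_NOW, same_basis, LOG_EXP))
```

A gap that is an exact multiple of 3600 seconds between `now` and `now_req` in the debug log points at a timezone mismatch rather than ordinary clock drift.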


Re: [ceph-users] 403 AccessDenied with presigned url in Jewel AWS4.

2016-06-02 Thread Robin H. Johnson
On Fri, Jun 03, 2016 at 11:34:35AM +0700, Khang Nguyễn Nhật wrote:
> s3 = boto3.client(service_name='s3', region_name='', use_ssl=False,
> endpoint_url='http://192.168.1.10:', aws_access_key_id=access_key,
>   aws_secret_access_key= secret_key,
>   config=Config(signature_version='s3v4', region_name=''))
The region part doesn't seem right. Try setting it to 'ap' or
'ap-southeast'.

Failing that, turn up the RGW loglevel to 20, and run a request, then
look at the logs of how it created the signature, and manually compare
them to what your client should have built (with boto in verbose
debugging).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136


[ceph-users] 403 AccessDenied with presigned url in Jewel AWS4.

2016-06-02 Thread Khang Nguyễn Nhật
Hi,
  I have a problem when using a presigned URL with AWS4 in RGW Jewel. My
cluster is running on CentOS 7 and health is HEALTH_OK.
- This is my *User information*:

"user_id": "1",
"display_name": "KhangNN",
"email": "khan...@ceph.com.vn",
"suspended": 0,
"max_buckets": 1000,
"auid": 0,
"subusers": [],
"keys": [
    {
        "user": "1",
        "access_key": "VVEP64910WZEVFSHZ0ER",
        "secret_key": "UF8eM2BIlcLsXg5RF0gfK4JtZK7EmA64VGlPUJ0w"
    }
],
"swift_keys": [],
"caps": [],
"op_mask": "read, write, delete",
"default_placement": "",
"placement_tags": [],
"bucket_quota": {
    "enabled": false,
    "max_size_kb": -1,
    "max_objects": -1
},
"user_quota": {
    "enabled": false,
    "max_size_kb": -1,
    "max_objects": -1
},
"temp_url_keys": []

- *Python* code:

import boto3
import requests
from botocore.client import Config

access_key = "VVEP64910WZEVFSHZ0ER"
secret_key = "UF8eM2BIlcLsXg5RF0gfK4JtZK7EmA64VGlPUJ0w"

s3 = boto3.client(service_name='s3', region_name='', use_ssl=False,
                  endpoint_url='http://192.168.1.10:',
                  aws_access_key_id=access_key,
                  aws_secret_access_key=secret_key,
                  config=Config(signature_version='s3v4', region_name=''))

print(s3.list_buckets())  # It works fine!
#
url = s3.generate_presigned_url(ClientMethod='list_buckets',
                                HttpMethod='GET', ExpiresIn=1800)
requests.get(url, proxies={'http': '', 'https': ''})  # *403 AccessDenied*

- *Zone* info:

"id": "ef6eca77-29f6-4d5e-8d04-5c486ea7ad19",
"name": "ap-southeast",
"domain_root": "ap-southeast.rgw.data.root",
"control_pool": "ap-southeast.rgw.control",
"gc_pool": "ap-southeast.rgw.gc",
"log_pool": "ap-southeast.rgw.log",
"intent_log_pool": "ap-southeast.rgw.intent-log",
"usage_log_pool": "ap-southeast.rgw.usage",
"user_keys_pool": "ap-southeast.rgw.users.keys",
"user_email_pool": "ap-southeast.rgw.users.email",
"user_swift_pool": "ap-southeast.rgw.users.swift",
"user_uid_pool": "ap-southeast.rgw.users.uid",
"system_key": {
    "access_key": "",
    "secret_key": ""
},
"placement_pools": [
    {
        "key": "default-placement",
        "val": {
            "index_pool": "ap-southeast.rgw.buckets.index",
            "data_pool": "ap-southeast.rgw.buckets.data",
            "data_extra_pool": "ap-southeast.rgw.buckets.non-ec",
            "index_type": 0
        }
    }
],
"metadata_heap": "ap-southeast.rgw.meta",
"realm_id": "515b5a90-9d02-489f-b7e4-e67fb838fa1e"

- *Zonegroup* info:

"id": "3b6cbc8f-470e-4a3d-87ea-7941b6ae7206",
"name": "ap",
"api_name": "ap",
"is_master": "true",
"endpoints": [
    "http:\/\/192.168.1.10:"
],
"hostnames": [],
"hostnames_s3website": [],
"master_zone": "ef6eca77-29f6-4d5e-8d04-5c486ea7ad19",
"zones": [
    {
        "id": "ef6eca77-29f6-4d5e-8d04-5c486ea7ad19",
        "name": "ap-southeast",
        "endpoints": [
            "http:\/\/192.168.1.10:"
        ],
        "log_meta": "true",
        "log_data": "false",
        "bucket_index_max_shards": 0,
        "read_only": "false"
    }
],
"placement_targets": [
    {
        "name": "default-placement",
        "tags": []
    }
],
"default_placement": "default-placement",
"realm_id": "515b5a90-9d02-489f-b7e4-e67fb838fa1e"

Have I configured something wrong? Can somebody please help me out?
Thanks!