AW: RadosGW- Admin API

Jäger, Philipp <philipp.jaeger@xxxxxxx> · Fri, 25 Apr 2014 07:10:24 +0000

Can you describe your answer a little bit more, please. 

Just a short explanation what we want to do. We have adapted the Amazon S3 API that it will run with our installation of RadosGW. Everything is running pretty well, e.g. create Buckets and store Objects in those, … . Now we want to create a S3 Admin API to manage the S3 accounts in our Java application. This Admin API based on our running S3 API.

Are there differences between signing a call to create buckets and signing a call to get user info ? 
Can you please give us a hint what we have to consider by signing such an admin call ? 
Are there other things we have to consider by creating our s3 Admin API ?

Thanks a lot.

-----Ursprüngliche Nachricht-----
Von: Yehuda Sadeh [mailto:yehuda@xxxxxxxxxxx] 
Gesendet: Donnerstag, 24. April 2014 18:14
An: Jäger, Philipp
Cc: ceph-devel@xxxxxxxxxxxxxxx
Betreff: Re: RadosGW- Admin API

On Thu, Apr 24, 2014 at 4:17 AM, Jäger, Philipp <philipp.jaeger@xxxxxxx> wrote:
> Hello Yehuda,
>
> sorry for that, new logs:
>
>
> Debug developer:
> [DEBUG] conn.DefaultClientConnection                                 - Receiving response: HTTP/1.1 403 Forbidden
> [DEBUG] org.apache.http.headers                                      - << HTTP/1.1 403 Forbidden
> [DEBUG] org.apache.http.headers                                      - << Date: Mon, 14 Apr 2014 07:04:13 GMT
> [DEBUG] org.apache.http.headers                                      - << Server: Apache/2.2.22 (Ubuntu)
> [DEBUG] org.apache.http.headers                                      - << Accept-Ranges: bytes
> [DEBUG] org.apache.http.headers                                      - << Content-Length: 23
> [DEBUG] org.apache.http.headers                                      - << Keep-Alive: timeout=5, max=100
> [DEBUG] org.apache.http.headers                                      - << Connection: Keep-Alive
> [DEBUG] org.apache.http.headers                                      - << Content-Type: application/json
> [DEBUG] client.DefaultHttpClient                                     - Connection can be kept alive for 5000 MILLISECONDS
> [DEBUG] org.apache.http.wire                                         - << "{"Code":"AccessDenied"}"
>
>
> radosgw.log
>
> 2014-04-24 13:06:04.680210 7fba44665780 20 enqueued request 
> req=0x2531e20
> 2014-04-24 13:06:04.680277 7fba44665780 20 RGWWQ:
> 2014-04-24 13:06:04.680281 7fba44665780 20 req: 0x2531e20
> 2014-04-24 13:06:04.680290 7fba44665780 10 allocated request 
> req=0x25321e0
> 2014-04-24 13:06:04.680337 7fba08ff1700 20 dequeued request 
> req=0x2531e20
> 2014-04-24 13:06:04.680348 7fba08ff1700 20 RGWWQ: empty
> 2014-04-24 13:06:04.680363 7fba08ff1700  1 ====== starting new request 
> req=0x2531e20 =====
> 2014-04-24 13:06:04.680471 7fba08ff1700  2 req 
> 2:0.000109::::initializing
> 2014-04-24 13:06:04.680497 7fba08ff1700 10 host=172.25.3.12 
> rgw_dns_name=<fqdn> 
> 2014-04-24 13:06:04.680622 7fba08ff1700 20 FCGI_ROLE=RESPONDER
> 2014-04-24 13:06:04.680630 7fba08ff1700 20 SCRIPT_URL=/admin/user
> 2014-04-24 13:06:04.680635 7fba08ff1700 20 
> SCRIPT_URI=https://172.25.3.12/admin/user
> 2014-04-24 13:06:04.680639 7fba08ff1700 20 HTTP_AUTHORIZATION=AWS 
> NQY41E90E38HKJXV6DFM:YaHru0FheiTySH1y7Ek+cENSR44=
> 2014-04-24 13:06:04.680643 7fba08ff1700 20 HTTPS=on
> 2014-04-24 13:06:04.680647 7fba08ff1700 20 HTTP_HOST=172.25.3.12
> 2014-04-24 13:06:04.680663 7fba08ff1700 20 
> HTTP_USER_AGENT=aws-sdk-java/1.3.27 Windows_7/6.1 
> Java_HotSpot(TM)_Client_VM/25.5-b02
> 2014-04-24 13:06:04.680671 7fba08ff1700 20 HTTP_DATE=Thu, 24 Apr 2014 
> 11:05:49 GMT
> 2014-04-24 13:06:04.680674 7fba08ff1700 20 
> CONTENT_TYPE=application/x-www-form-urlencoded; charset=utf-8
> 2014-04-24 13:06:04.680677 7fba08ff1700 20 HTTP_CONNECTION=Keep-Alive
> 2014-04-24 13:06:04.680680 7fba08ff1700 20 
> PATH=/usr/local/bin:/usr/bin:/bin
> 2014-04-24 13:06:04.680683 7fba08ff1700 20 SERVER_SIGNATURE=
> 2014-04-24 13:06:04.680686 7fba08ff1700 20 
> SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)
> 2014-04-24 13:06:04.680689 7fba08ff1700 20 SERVER_NAME=172.25.3.12
> 2014-04-24 13:06:04.680693 7fba08ff1700 20 SERVER_ADDR=172.25.3.12
> 2014-04-24 13:06:04.680697 7fba08ff1700 20 SERVER_PORT=443
> 2014-04-24 13:06:04.680701 7fba08ff1700 20 REMOTE_ADDR=10.0.49.80
> 2014-04-24 13:06:04.680705 7fba08ff1700 20 DOCUMENT_ROOT=/var/www
> 2014-04-24 13:06:04.680708 7fba08ff1700 20 SERVER_ADMIN=-
> 2014-04-24 13:06:04.680711 7fba08ff1700 20 
> SCRIPT_FILENAME=/var/www/s3gw.fcgi
> 2014-04-24 13:06:04.680715 7fba08ff1700 20 REMOTE_PORT=55225
> 2014-04-24 13:06:04.680718 7fba08ff1700 20 GATEWAY_INTERFACE=CGI/1.1
> 2014-04-24 13:06:04.680722 7fba08ff1700 20 SERVER_PROTOCOL=HTTP/1.1
> 2014-04-24 13:06:04.680726 7fba08ff1700 20 REQUEST_METHOD=GET
> 2014-04-24 13:06:04.680730 7fba08ff1700 20 
> QUERY_STRING=page=admin&params=/user&format=json
> 2014-04-24 13:06:04.680733 7fba08ff1700 20 
> REQUEST_URI=/admin/user?format=json
> 2014-04-24 13:06:04.680744 7fba08ff1700 20 SCRIPT_NAME=/admin/user
> 2014-04-24 13:06:04.680755 7fba08ff1700  2 req 2:0.000393::GET 
> /admin/user::getting op
> 2014-04-24 13:06:04.680768 7fba08ff1700  2 req 2:0.000407::GET 
> /admin/user:get_user_info:authorizing
> 2014-04-24 13:06:04.680876 7fba08ff1700 20 get_obj_state: 
> rctx=0x7fba280066b0 obj=.users:NQY41E90E38HKJXV6DFM 
> state=0x7fba28006768 s->prefetch_data=0
> 2014-04-24 13:06:04.680904 7fba08ff1700 10 moving 
> .users+NQY41E90E38HKJXV6DFM to cache LRU end
> 2014-04-24 13:06:04.680909 7fba08ff1700 10 cache get: 
> name=.users+NQY41E90E38HKJXV6DFM : type miss (requested=6, cached=3)
> 2014-04-24 13:06:04.689714 7fba08ff1700 10 cache put: 
> name=.users+NQY41E90E38HKJXV6DFM
> 2014-04-24 13:06:04.689731 7fba08ff1700 10 moving 
> .users+NQY41E90E38HKJXV6DFM to cache LRU end
> 2014-04-24 13:06:04.689748 7fba08ff1700 20 get_obj_state: s->obj_tag 
> was set empty
> 2014-04-24 13:06:04.689763 7fba08ff1700 10 moving 
> .users+NQY41E90E38HKJXV6DFM to cache LRU end
> 2014-04-24 13:06:04.689767 7fba08ff1700 10 cache get: 
> name=.users+NQY41E90E38HKJXV6DFM : hit
> 2014-04-24 13:06:04.689905 7fba08ff1700 20 get_obj_state: 
> rctx=0x7fba280066b0 obj=.users.uid:connect state=0x7fba28007188 
> s->prefetch_data=0
> 2014-04-24 13:06:04.689929 7fba08ff1700 10 moving .users.uid+connect 
> to cache LRU end
> 2014-04-24 13:06:04.689933 7fba08ff1700 10 cache get: 
> name=.users.uid+connect : type miss (requested=6, cached=3)
> 2014-04-24 13:06:04.692132 7fba08ff1700 10 cache put: 
> name=.users.uid+connect
> 2014-04-24 13:06:04.692143 7fba08ff1700 10 moving .users.uid+connect 
> to cache LRU end
> 2014-04-24 13:06:04.692154 7fba08ff1700 20 get_obj_state: s->obj_tag 
> was set empty
> 2014-04-24 13:06:04.692167 7fba08ff1700 10 moving .users.uid+connect 
> to cache LRU end
> 2014-04-24 13:06:04.692171 7fba08ff1700 10 cache get: 
> name=.users.uid+connect : hit
> 2014-04-24 13:06:04.692266 7fba08ff1700 10 get_canon_resource(): 
> dest=/admin/user
> 2014-04-24 13:06:04.692273 7fba08ff1700 10 auth_hdr:
> GET
> application/x-www-form-urlencoded; charset=utf-8 Thu, 24 Apr 2014 
> 11:05:49 GMT /admin/user
> 2014-04-24 13:06:04.692509 7fba08ff1700 15 
> b64=C42JUJ9LOM8fa9WaHSu8ijEwpHI=
> 2014-04-24 13:06:04.692518 7fba08ff1700 15 
> auth_sign=YaHru0FheiTySH1y7Ek+cENSR44=
> 2014-04-24 13:06:04.692521 7fba08ff1700 15 compare=22

That's a signing issue.

Yehuda

> 2014-04-24 13:06:04.692527 7fba08ff1700 10 failed to authorize request
> 2014-04-24 13:06:04.693049 7fba08ff1700  2 req 2:0.012687::GET 
> /admin/user:get_user_info:http status=403
> 2014-04-24 13:06:04.694861 7fba08ff1700  1 ====== req done 
> req=0x2531e20 http_status=403 ======
>
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: Yehuda Sadeh [mailto:yehuda@xxxxxxxxxxx]
> Gesendet: Freitag, 11. April 2014 18:12
> An: Jäger, Philipp
> Cc: ceph-devel@xxxxxxxxxxxxxxx
> Betreff: Re: RadosGW- Admin API
>
> You're running Bobtail, this functionality only appeared on Cuttlefish.
>
> Yehuda
>
>
> On Fri, Apr 11, 2014 at 2:28 AM, Jäger, Philipp <philipp.jaeger@xxxxxxx> wrote:
>> Hello yehuda,
>>
>> Please have a look:
>>
>> /etc/ceph/ceph.conf
>>
>> [client.radosgw.gateway]
>> host = <hostname>
>> log file = /var/log/ceph/radosgw.log
>> rgw dns name = <fqdn>
>> rgw print continue= true
>> rgw enable ops log = true
>> rgw enable usage log = true
>> admin socket = /tmp/radosgw.adsock
>> debug rgw=20
>>
>> /var/log/apache2/access.log
>> [11/Apr/2014:09:14:40 +0200] "GET /admin/user?format=json HTTP/1.1" 405 1896 "-" "aws-sdk-java/1.3.27 Windows_7/6.1 Java_HotSpot(TM)_Client_VM/23.21-b01"
>>
>> /var/log/ceph/radosgw.log
>> 2014-04-11 09:07:04.692526 7fe0ca076700  0 -- 172.25.3.12:0/1025431 
>> >> 172.25.3.12:6789/0 pipe(0x7fe0b0015820 sd=12 :0 pgs=0 cs=0 
>> l=1).fault
>> 2014-04-11 09:07:07.414199 7fe0b87f8700  0 -- 172.25.3.12:0/1025431 
>> >> 172.25.3.12:6801/26141 pipe(0x7fe0b00180a0 sd=13 :0 pgs=0 cs=0 
>> l=1).fault
>> 2014-04-11 09:07:15.540562 7f995c46e780  0 ceph version 0.56.1 
>> (e4a541624df62ef353e754391cbbb707f54b16f7), process radosgw, pid 
>> 27051
>> 2014-04-11 09:07:15.561118 7f994ac91700  2 garbage collection: start
>> 2014-04-11 09:07:21.474434 7f995c46e780 10 allocated request 
>> req=0x20d8e30
>> 2014-04-11 09:07:21.873066 7f994ac91700  2 garbage collection: stop
>> 2014-04-11 09:07:50.739178 7f995c46e780 20 enqueued request 
>> req=0x20d8e30
>> 2014-04-11 09:07:50.739222 7f995c46e780 20 RGWWQ:
>> 2014-04-11 09:07:50.739227 7f995c46e780 20 req: 0x20d8e30
>> 2014-04-11 09:07:50.739239 7f995c46e780 10 allocated request 
>> req=0x20df730
>> 2014-04-11 09:07:50.739469 7f9911fcb700 20 dequeued request 
>> req=0x20d8e30
>> 2014-04-11 09:07:50.739489 7f9911fcb700 20 RGWWQ: empty
>> 2014-04-11 09:07:50.739511 7f9911fcb700  1 ====== starting new 
>> request req=0x20d8e30 =====
>> 2014-04-11 09:07:50.739615 7f9911fcb700  2 req 
>> 1:0.000104::::initializing
>> 2014-04-11 09:07:50.739680 7f9911fcb700 10 host=<hostname> 
>> rgw_dns_name=<fqdn>
>> 2014-04-11 09:07:50.759827 7f9911fcb700  5 nothing to log for 
>> operation
>> 2014-04-11 09:07:50.759876 7f9911fcb700  2 req 1:0.020365::GET 
>> /admin/user::http status=405
>> 2014-04-11 09:07:50.761521 7f9911fcb700  1 ====== req done 
>> req=0x20d8e30 http_status=405 ======
>> 2014-04-11 09:07:51.469971 7f994ffff700  0 WARNING: 
>> RGWRados::log_usage(): user name empty (bucket=), skipping
>>
>> Thanks
>>
>> Regards
>>
>> Philipp
>>
>>
>> -----Ursprüngliche Nachricht-----
>> Von: Yehuda Sadeh [mailto:yehuda@xxxxxxxxxxx]
>> Gesendet: Donnerstag, 3. April 2014 17:55
>> An: Jäger, Philipp
>> Cc: ceph-devel@xxxxxxxxxxxxxxx
>> Betreff: Re: RadosGW- Admin API
>>
>> (resending to mailing list)
>>
>> Could be a more basic issue, can you turn on 'debug rgw = 20', and provide the corresponding log?
>>
>> Yehuda
>>
>> On Thu, Apr 3, 2014 at 3:51 AM, Jäger, Philipp <philipp.jaeger@xxxxxxx> wrote:
>>> Hello yehuda,
>>>
>>> we want to administrate the rados users via the admin api.
>>> http://ceph.com/docs/master/radosgw/adminops/#get-user-info
>>>
>>>
>>> We got the following logs from the developer, see line " Receiving response: HTTP/1.1 405 Method Not Allowed":
>>>
>>> [DEBUG] internal.S3Signer                                            - Calculated string to sign:
>>> "GET
>>>
>>> application/x-www-form-urlencoded; charset=utf-8 Mon, 31 Mar 2014
>>> 11:25:58 GMT //"
>>> [DEBUG] com.amazonaws.request                                        - Sending Request: GET https://172.25.3.12 /admin/user?format=json&uid=test Headers: (Authorization: AWS NQY41E90E38HKJXV6DFM:/v1NjvtT/khFuR875Fx+rexmyuo=, Date: Mon, 31 Mar 2014 11:25:58 GMT, User-Agent: aws-sdk-java/1.3.27 Windows_7/6.1 Java_HotSpot(TM)_Client_VM/23.21-b01, Content-Type: application/x-www-form-urlencoded; charset=utf-8, )
>>> [DEBUG] conn.BasicClientConnectionManager                            - Get connection for route {s}->https://172.25.3.12
>>> [DEBUG] conn.DefaultClientConnectionOperator                         - Connecting to 172.25.3.12:443
>>> [DEBUG] protocol.RequestAddCookies                                   - CookieSpec selected: best-match
>>> [DEBUG] protocol.RequestAuthCache                                    - Auth cache not set in the context
>>> [DEBUG] protocol.RequestProxyAuthentication                          - Proxy auth state: UNCHALLENGED
>>> [DEBUG] client.DefaultHttpClient                                     - Attempt 1 to execute request
>>> [DEBUG] conn.DefaultClientConnection                                 - Sending request: GET /admin/user?format=json&uid=test HTTP/1.1
>>> [DEBUG] org.apache.http.wire                                         - >> "GET /admin/user?format=json&uid=test HTTP/1.1[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "Host: 172.25.3.12[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "Authorization: AWS NQY41E90E38HKJXV6DFM:/v1NjvtT/khFuR875Fx+rexmyuo=[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "Date: Mon, 31 Mar 2014 11:25:58 GMT[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "User-Agent: aws-sdk-java/1.3.27 Windows_7/6.1 Java_HotSpot(TM)_Client_VM/23.21-b01[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "Content-Type: application/x-www-form-urlencoded; charset=utf-8[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "Connection: Keep-Alive[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - >> "[\r][\n]"
>>> [DEBUG] org.apache.http.headers                                      - >> GET /admin/user?format=json&uid=test HTTP/1.1
>>> [DEBUG] org.apache.http.headers                                      - >> Host: 172.25.3.12
>>> [DEBUG] org.apache.http.headers                                      - >> Authorization: AWS NQY41E90E38HKJXV6DFM:/v1NjvtT/khFuR875Fx+rexmyuo=
>>> [DEBUG] org.apache.http.headers                                      - >> Date: Mon, 31 Mar 2014 11:25:58 GMT
>>> [DEBUG] org.apache.http.headers                                      - >> User-Agent: aws-sdk-java/1.3.27 Windows_7/6.1 Java_HotSpot(TM)_Client_VM/23.21-b01
>>> [DEBUG] org.apache.http.headers                                      - >> Content-Type: application/x-www-form-urlencoded; charset=utf-8
>>> [DEBUG] org.apache.http.headers                                      - >> Connection: Keep-Alive
>>> [DEBUG] org.apache.http.wire                                         - << "HTTP/1.1 405 Method Not Allowed[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Date: Mon, 31 Mar 2014 11:26:20 GMT[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Server: Apache/2.2.22 (Ubuntu)[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Accept-Ranges: bytes[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Content-Length: 27[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Keep-Alive: timeout=5, max=100[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Connection: Keep-Alive[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "Content-Type: application/json[\r][\n]"
>>> [DEBUG] org.apache.http.wire                                         - << "[\r][\n]"
>>> [DEBUG] conn.DefaultClientConnection                                 - Receiving response: HTTP/1.1 405 Method Not Allowed
>>> [DEBUG] org.apache.http.headers                                      - << HTTP/1.1 405 Method Not Allowed
>>> [DEBUG] org.apache.http.headers                                      - << Date: Mon, 31 Mar 2014 11:26:20 GMT
>>> [DEBUG] org.apache.http.headers                                      - << Server: Apache/2.2.22 (Ubuntu)
>>> [DEBUG] org.apache.http.headers                                      - << Accept-Ranges: bytes
>>> [DEBUG] org.apache.http.headers                                      - << Content-Length: 27
>>> [DEBUG] org.apache.http.headers                                      - << Keep-Alive: timeout=5, max=100
>>> [DEBUG] org.apache.http.headers                                      - << Connection: Keep-Alive
>>> [DEBUG] org.apache.http.headers                                      - << Content-Type: application/json
>>> [DEBUG] client.DefaultHttpClient                                     - Connection can be kept alive for 5000 MILLISECONDS
>>>
>>>
>>>
>>> Do you know where the mistake is or how we can identify it?
>>>
>>> The user has the following caps:
>>>   "caps": [
>>>         { "type": "users",
>>>           "perm": "*"}]}
>>>
>>> Is there something else to configure?
>>>
>>>
>>> Thank you very much.
>>>
>>> Regards
>>> Philipp
>>>
>>>
>>>
>>>
��.n��������+%������w��{.n����z��u���ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f