Re: Access Denied errors

I'm a bit slow, but I finally stared at the log output for long enough to see this:

2014-03-10 22:59:12.551103 7fec017fa700 15 calculated digest=R+4z9J6PyXugdHAYJDKJiLPKpWo=
2014-03-10 22:59:12.551113 7fec017fa700 15 auth_sign=OHAxWvf8U8t4CVWq0pKKwxZ2Xko=
2014-03-10 22:59:12.551114 7fec017fa700 15 compare=-3
2014-03-10 22:59:12.551118 7fec017fa700 10 failed to authorize request

Am I safe to assume 'calculated digest' and 'auth_sign' should be the same?  Then, if so, there's some problem in our code and the generation of the HTTP Auth string?

-Steve

On Mar 10, 2014, at 4:26 PM, Steve Carter <scarter@xxxxxxxxxxxxx> wrote:

> Further, here is the logging output (when I set 'debug rgw log = 20/20' in ceph.conf).  I have removed some information.  The server replies with a 403.  Any insight into why?  When the account submits a non-admin type request it works, but not when trying to create a new user.  Is there a CAP we’re missing from the user account?
> 
> -Steve
> 
> 2014-03-10 22:59:12.530932 7fec017fa700  1 ====== starting new request req=0x19497c0 =====
> 2014-03-10 22:59:12.531020 7fec017fa700  2 req 1:0.000089::GET /user::initializing
> 2014-03-10 22:59:12.531032 7fec017fa700 10 host=admin.XXXX.liquidweb.com rgw_dns_name=XXXX.liquidweb.com
> 2014-03-10 22:59:12.531101 7fec017fa700 10 s->object=<NULL> s->bucket=user
> 2014-03-10 22:59:12.531132 7fec017fa700 20 FCGI_ROLE=RESPONDER
> 2014-03-10 22:59:12.531134 7fec017fa700 20 SCRIPT_URL=/user
> 2014-03-10 22:59:12.531135 7fec017fa700 20 SCRIPT_URI=http://admin.XXXX.liquidweb.com/user
> 2014-03-10 22:59:12.531136 7fec017fa700 20 HTTP_AUTHORIZATION=AWS 08V6K45V9KPVK7MIWWMG:OHAxWvf8U8t4CVWq0pKKwxZ2Xko=
> 2014-03-10 22:59:12.531138 7fec017fa700 20 HTTP_TE=deflate,gzip;q=0.3
> 2014-03-10 22:59:12.531139 7fec017fa700 20 HTTP_KEEP_ALIVE=300
> 2014-03-10 22:59:12.531140 7fec017fa700 20 HTTP_CONNECTION=Keep-Alive, TE
> 2014-03-10 22:59:12.531141 7fec017fa700 20 HTTP_DATE=Mon, 10 Mar 2014 22:59:42 GMT
> 2014-03-10 22:59:12.531142 7fec017fa700 20 HTTP_HOST=admin.XXXX.liquidweb.com
> 2014-03-10 22:59:12.531146 7fec017fa700 20 HTTP_USER_AGENT=libwww-perl/5.805
> 2014-03-10 22:59:12.531147 7fec017fa700 20 HTTP_DISPLAY_NAME=Hello World
> 2014-03-10 22:59:12.531148 7fec017fa700 20 HTTP_UID=atc
> 2014-03-10 22:59:12.531149 7fec017fa700 20 PATH=/usr/local/bin:/usr/bin:/bin
> 2014-03-10 22:59:12.531150 7fec017fa700 20 SERVER_SIGNATURE=
> 2014-03-10 22:59:12.531151 7fec017fa700 20 SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)
> 2014-03-10 22:59:12.531152 7fec017fa700 20 SERVER_NAME=admin.XXXX.liquidweb.com
> 2014-03-10 22:59:12.531153 7fec017fa700 20 SERVER_ADDR=10.30.77.227
> 2014-03-10 22:59:12.531154 7fec017fa700 20 SERVER_PORT=80
> 2014-03-10 22:59:12.531155 7fec017fa700 20 REMOTE_ADDR=10.255.247.241
> 2014-03-10 22:59:12.531156 7fec017fa700 20 DOCUMENT_ROOT=/var/www
> 2014-03-10 22:59:12.531157 7fec017fa700 20 SERVER_ADMIN=scarter@xxxxxxxxxxxxx
> 2014-03-10 22:59:12.531158 7fec017fa700 20 SCRIPT_FILENAME=/var/www/s3gw.fcgi
> 2014-03-10 22:59:12.531159 7fec017fa700 20 REMOTE_PORT=40506
> 2014-03-10 22:59:12.531160 7fec017fa700 20 GATEWAY_INTERFACE=CGI/1.1
> 2014-03-10 22:59:12.531161 7fec017fa700 20 SERVER_PROTOCOL=HTTP/1.1
> 2014-03-10 22:59:12.531162 7fec017fa700 20 REQUEST_METHOD=GET
> 2014-03-10 22:59:12.531163 7fec017fa700 20 QUERY_STRING=page=user&params=
> 2014-03-10 22:59:12.531164 7fec017fa700 20 REQUEST_URI=/user
> 2014-03-10 22:59:12.531165 7fec017fa700 20 SCRIPT_NAME=/user
> 2014-03-10 22:59:12.531168 7fec017fa700  2 req 1:0.000237:s3:GET /user::getting op
> 2014-03-10 22:59:12.531176 7fec017fa700  2 req 1:0.000245:s3:GET /user:list_bucket:authorizing
> 2014-03-10 22:59:12.531203 7fec017fa700 20 get_obj_state: rctx=0x7febb80055c0 obj=.users:08V6K45V9KPVK7MIWWMG state=0x7febb8005688 s->prefetch_data=0
> 2014-03-10 22:59:12.531213 7fec017fa700 10 cache get: name=.users+08V6K45V9KPVK7MIWWMG : miss
> 2014-03-10 22:59:12.538305 7fec017fa700 10 cache put: name=.users+08V6K45V9KPVK7MIWWMG
> 2014-03-10 22:59:12.538324 7fec017fa700 10 adding .users+08V6K45V9KPVK7MIWWMG to cache LRU end
> 2014-03-10 22:59:12.538333 7fec017fa700 20 get_obj_state: s->obj_tag was set empty
> 2014-03-10 22:59:12.538343 7fec017fa700 10 moving .users+08V6K45V9KPVK7MIWWMG to cache LRU end
> 2014-03-10 22:59:12.538346 7fec017fa700 10 cache get: name=.users+08V6K45V9KPVK7MIWWMG : type miss (requested=1, cached=6)
> 2014-03-10 22:59:12.538353 7fec017fa700 20 get_obj_state: rctx=0x7febb80055c0 obj=.users:08V6K45V9KPVK7MIWWMG state=0x7febb8006378 s->prefetch_data=0
> 2014-03-10 22:59:12.538360 7fec017fa700 10 moving .users+08V6K45V9KPVK7MIWWMG to cache LRU end
> 2014-03-10 22:59:12.538362 7fec017fa700 10 cache get: name=.users+08V6K45V9KPVK7MIWWMG : hit
> 2014-03-10 22:59:12.538366 7fec017fa700 20 get_obj_state: s->obj_tag was set empty
> 2014-03-10 22:59:12.538369 7fec017fa700 20 get_obj_state: rctx=0x7febb80055c0 obj=.users:08V6K45V9KPVK7MIWWMG state=0x7febb8006378 s->prefetch_data=0
> 2014-03-10 22:59:12.538372 7fec017fa700 20 state for obj=.users:08V6K45V9KPVK7MIWWMG is not atomic, not appending atomic test
> 2014-03-10 22:59:12.538374 7fec017fa700 20 rados->read obj-ofs=0 read_ofs=0 read_len=524288
> 2014-03-10 22:59:12.547545 7fec017fa700 20 rados->read r=0 bl.length=9
> 2014-03-10 22:59:12.547583 7fec017fa700 10 cache put: name=.users+08V6K45V9KPVK7MIWWMG
> 2014-03-10 22:59:12.547588 7fec017fa700 10 moving .users+08V6K45V9KPVK7MIWWMG to cache LRU end
> 2014-03-10 22:59:12.547609 7fec017fa700 20 get_obj_state: rctx=0x7febb8005350 obj=.users.uid:etank state=0x7febb8006ef8 s->prefetch_data=0
> 2014-03-10 22:59:12.547619 7fec017fa700 10 cache get: name=.users.uid+etank : miss
> 2014-03-10 22:59:12.549184 7fec017fa700 10 cache put: name=.users.uid+etank
> 2014-03-10 22:59:12.549202 7fec017fa700 10 adding .users.uid+etank to cache LRU end
> 2014-03-10 22:59:12.549210 7fec017fa700 20 get_obj_state: s->obj_tag was set empty
> 2014-03-10 22:59:12.549220 7fec017fa700 10 moving .users.uid+etank to cache LRU end
> 2014-03-10 22:59:12.549223 7fec017fa700 10 cache get: name=.users.uid+etank : type miss (requested=1, cached=6)
> 2014-03-10 22:59:12.549230 7fec017fa700 20 get_obj_state: rctx=0x7febb8007020 obj=.users.uid:etank state=0x7febb8007d48 s->prefetch_data=0
> 2014-03-10 22:59:12.549237 7fec017fa700 10 moving .users.uid+etank to cache LRU end
> 2014-03-10 22:59:12.549239 7fec017fa700 10 cache get: name=.users.uid+etank : hit
> 2014-03-10 22:59:12.549243 7fec017fa700 20 get_obj_state: s->obj_tag was set empty
> 2014-03-10 22:59:12.549245 7fec017fa700 20 get_obj_state: rctx=0x7febb8007020 obj=.users.uid:etank state=0x7febb8007d48 s->prefetch_data=0
> 2014-03-10 22:59:12.549248 7fec017fa700 20 state for obj=.users.uid:etank is not atomic, not appending atomic test
> 2014-03-10 22:59:12.549250 7fec017fa700 20 rados->read obj-ofs=0 read_ofs=0 read_len=524288
> 2014-03-10 22:59:12.550885 7fec017fa700 20 rados->read r=0 bl.length=293
> 2014-03-10 22:59:12.550924 7fec017fa700 10 cache put: name=.users.uid+etank
> 2014-03-10 22:59:12.550928 7fec017fa700 10 moving .users.uid+etank to cache LRU end
> 2014-03-10 22:59:12.551008 7fec017fa700 10 get_canon_resource(): dest=
> 2014-03-10 22:59:12.551012 7fec017fa700 10 auth_hdr:
> GET
> 
> 
> Mon, 10 Mar 2014 22:59:42 GMT
> /user
> 2014-03-10 22:59:12.551103 7fec017fa700 15 calculated digest=R+4z9J6PyXugdHAYJDKJiLPKpWo=
> 2014-03-10 22:59:12.551113 7fec017fa700 15 auth_sign=OHAxWvf8U8t4CVWq0pKKwxZ2Xko=
> 2014-03-10 22:59:12.551114 7fec017fa700 15 compare=-3
> 2014-03-10 22:59:12.551118 7fec017fa700 10 failed to authorize request
> 2014-03-10 22:59:12.551295 7fec017fa700  2 req 1:0.020363:s3:GET /user:list_bucket:http status=403
> 2014-03-10 22:59:12.551496 7fec017fa700  1 ====== req done req=0x19497c0 http_status=403 ======
> 
> 
> 
> 
> On Mar 7, 2014, at 1:01 PM, Erik Tank <etank@xxxxxxxxxxxxx> wrote:
> 
>> I'm getting Access Denied errors when attempting to do admin tasks.  I'm attaching info for creating a user below. Any insights/thoughts are appreciated:
>> 
>> User Info:
>> {
>> "user_id": "etank",
>> <...snip...>
>> "keys": [
>>       { "user": "etank",
>>         "access_key": "08V6K45V9KPVK7MIWWMG",
>>         "secret_key": "***************"}],
>> "swift_keys": [],
>> "caps": [
>>       { "type": "usage",
>>         "perm": "read"},
>>       { "type": "users",
>>         "perm": "*"}],
>> "op_mask": "read, write, delete",
>> "default_placement": "",
>> "placement_tags": []
>> }
>> 
>> 
>> Request:
>> GET http://admin.**********.com/user
>> Date: Fri, 07 Mar 2014 19:33:50 GMT
>> Authorization: AWS 08V6K45V9KPVK7MIWWMG:qfE6khLdApjb2s+qQMY4frdWdOk=
>> display-name: Automated Test Create
>> uid: auto_test_create
>> 
>> 
>> Response:
>> HTTP/1.1 403 Forbidden
>> Connection: Keep-Alive
>> Date: Fri, 07 Mar 2014 19:33:29 GMT
>> Accept-Ranges: bytes
>> Server: Apache/2.2.22 (Ubuntu)
>> Content-Length: 78
>> Content-Type: application/xml
>> Client-Date: Fri, 07 Mar 2014 19:33:50 GMT
>> Client-Peer: 10.30.77.227:80
>> Client-Response-Num: 1
>> Keep-Alive: timeout=5, max=100
>> 
>> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code></Error>
>> 
>> 
>> Erik Tank
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> 

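Added example, not part of the original thread and not Ceph's own code: with S3-style (AWS signature v2) authentication the gateway rebuilds the string it logs as auth_hdr, computes Base64(HMAC-SHA1(secret, string)) and compares that with the signature from the Authorization header, so a mismatch means the client signed different bytes or used a different secret. The sketch below rebuilds the logged auth_hdr and tests a few candidate client-side strings against a presented signature; the secret, the candidate list and the simulated client bug are constructed assumptions, since the thread masks the real secret.

```python
import base64
import hashlib
import hmac

def string_to_sign(method, date, resource, content_md5="", content_type="", amz_headers=None):
    """S3 (AWS signature v2) string-to-sign; radosgw logs this block as auth_hdr."""
    # x-amz-* headers: lower-case the names, sort, emit one "name:value\n" per header.
    amz = sorted((k.lower(), v.strip()) for k, v in (amz_headers or {}).items())
    amz_block = "".join(f"{k}:{v}\n" for k, v in amz)
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{amz_block}{resource}"

def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, string-to-sign)): the value after 'AWS <access_key>:'."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def diagnose(secret_key, presented, candidates):
    """Return the label of the candidate string the client really signed, else None."""
    for label, sts in candidates.items():
        if hmac.compare_digest(sign(secret_key, sts), presented):
            return label
    return None

# Constructed values: the thread masks the real secret, so this one is made up.
SECRET = "constructed-secret-for-illustration"
DATE = "Mon, 10 Mar 2014 22:59:42 GMT"          # HTTP_DATE from the log

SERVER_STS = string_to_sign("GET", DATE, "/user")  # equals the logged auth_hdr
CANDIDATES = {
    "same as server": SERVER_STS,
    "query string signed as part of the resource":
        string_to_sign("GET", DATE, "/user?page=user&params="),
    "Content-Type signed but not sent":
        string_to_sign("GET", DATE, "/user", content_type="application/json"),
    "different Date signed than sent":
        string_to_sign("GET", "Mon, 10 Mar 2014 22:59:12 GMT", "/user"),
}

# Hypothetical client bug, chosen only to exercise diagnose().
CLIENT_SIG = sign(SECRET, CANDIDATES["query string signed as part of the resource"])

if __name__ == "__main__":
    print("server digest :", sign(SECRET, SERVER_STS))
    print("client sent   :", CLIENT_SIG)
    print("client signed :", diagnose(SECRET, CLIENT_SIG, CANDIDATES))
    print("wrong secret  :", diagnose("other-secret", CLIENT_SIG, CANDIDATES))
```

If no candidate matches even with the correct string-to-sign, the secret key used by the client is the next thing to check.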



