Just to be complete, a TCP Dump:
Starting tcpick 0.2.1 at 2014-03-11 21:11 UTC
Timeout for connections is 600
tcpick: reading from test.pcap
1 SYN-SENT 10.255.247.241:39729 > 10.30.77.227:http
1 SYN-RECEIVED 10.255.247.241:39729 > 10.30.77.227:http
1 ESTABLISHED 10.255.247.241:39729 > 10.30.77.227:http
GET /user HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Date: Mon, 10 Mar 2014 22:51:06 GMT
Authorization: AWS 08V6K45V9KPVK7MIWWMG:tot0rXT4AeYohcRQ0iyGPnAQ+cg=
Host: admin.XXXX.liquidweb.com
User-Agent: libwww-perl/5.805
display-name: Hello World
uid: atc
HTTP/1.1 403 Forbidden
Date: Mon, 10 Mar 2014 22:50:36 GMT
Server: Apache/2.2.22 (Ubuntu)
Accept-Ranges: bytes
Content-Length: 78
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code></Error>
1 FIN-WAIT-1 10.255.247.241:39729 > 10.30.77.227:http
1 TIME-WAIT 10.255.247.241:39729 > 10.30.77.227:http
1 CLOSED 10.255.247.241:39729 > 10.30.77.227:http
tcpick: done reading from test.pcap
10 packets captured
1 tcp sessions detected
From: "Steve Carter" <scarter@xxxxxxxxxxxxx>
To: "Yehuda Sadeh" <yehuda@xxxxxxxxxxx>
Cc: ceph-users@xxxxxxxxxxxxxx
Sent: Tuesday, March 11, 2014 4:35:12 PM
Subject: Re: Access Denied errors

On Mar 10, 2014, at 8:30 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote:

2014-03-10 22:59:12.551012 7fec017fa700 10 auth_hdr:
GET
Mon, 10 Mar 2014 22:59:42 GMT
/user

This is related to the issue. I assume it was signed as /admin/user,
but here we just use /user because that's what's passed in the URI. Are
you accessing the gateway through virtual dns bucket name (e.g.,
admin.your-domain.com)?

Yehuda

2014-03-10 22:59:12.551103 7fec017fa700 15 calculated digest=R+4z9J6PyXugdHAYJDKJiLPKpWo=
2014-03-10 22:59:12.551113 7fec017fa700 15 auth_sign=OHAxWvf8U8t4CVWq0pKKwxZ2Xko=
2014-03-10 22:59:12.551114 7fec017fa700 15 compare=-3
2014-03-10 22:59:12.551118 7fec017fa700 10 failed to authorize request
2014-03-10 22:59:12.551295 7fec017fa700 2 req 1:0.020363:s3:GET /user:list_bucket:http status=403
2014-03-10 22:59:12.551496 7fec017fa700 1 ====== req done req=0x19497c0 http_status=403 ======

This is what our request header looks like. ‘admin’ is the admin bucket. The request doesn’t appear to be signed as /admin/user. I wonder if the ordering of our header fields is incorrect insofar as they don’t match the canonical ordering expected by radosgw/S3, resulting in the digests not matching?

Request: GET http://admin.XXXX.liquidweb.com/user
Date: Tue, 11 Mar 2014 22:52:20 GMT
Authorization: AWS 08V6K45V9KPVK7MIWWMG:VPPhzMiF9bFywTxLbr1peLEwZK4=
User-Agent: libwww-perl/5.805
display-name: Hello World
uid: atc
Format: json HTTP/1.1

*** /home/etank/lwlibs/perl/Amazon/S3.pm [298]: Response: HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Date: Tue, 11 Mar 2014 22:51:47 GMT
Accept-Ranges: bytes
Server: Apache/2.2.22 (Ubuntu)
Content-Length: 78
Content-Type: application/xml
Client-Date: Tue, 11 Mar 2014 22:52:20 GMT
Client-Peer: 10.30.77.227:80
Client-Response-Num: 1
Keep-Alive: timeout=5, max=100
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
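Added example, not part of the original thread and not radosgw or Amazon::S3 code: a Python sketch of the AWS signature v2 calculation that the auth_hdr log lines above reflect, showing how a signature computed over /admin/user fails against a verifier that canonicalizes the resource as /user. The secret key and all function names are constructed for illustration; under signature v2 only Content-MD5, Content-Type, Date, x-amz-* headers and the canonicalized resource are signed.

```python
import base64
import hashlib
import hmac

# Constructed secret for illustration only (not a value from the capture).
SECRET_KEY = b"constructed-secret-key"


def string_to_sign(method, date, resource, content_md5="", content_type="",
                   amz_headers=None):
    """Build the signature v2 string-to-sign.

    x-amz-* headers are lowercased and sorted; headers such as User-Agent,
    uid or display-name are not signed, so their order has no effect.
    """
    amz = "".join(
        f"{k.lower()}:{v.strip()}\n"
        for k, v in sorted((amz_headers or {}).items(),
                           key=lambda kv: kv[0].lower())
    )
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{amz}{resource}"


def sign(secret, sts):
    """Base64 of HMAC-SHA1 over the string-to-sign."""
    digest = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def canonical_resource(path, bucket=None):
    """Path-style: the URI path. Virtual-hosted style: '/' + bucket + path."""
    return f"/{bucket}{path}" if bucket else path


def verify(secret, method, date, resource, client_sig):
    """Recompute the signature server-side and compare in constant time."""
    expected = sign(secret, string_to_sign(method, date, resource))
    return hmac.compare_digest(expected, client_sig)


DATE = "Mon, 10 Mar 2014 22:59:42 GMT"
# Hypothetical client that treats the "admin" host label as a bucket name.
client_sig = sign(SECRET_KEY,
                  string_to_sign("GET", DATE, canonical_resource("/user", "admin")))

if __name__ == "__main__":
    print(repr(string_to_sign("GET", DATE, canonical_resource("/user"))))
    print("verifier using /user:      ", verify(SECRET_KEY, "GET", DATE, "/user", client_sig))
    print("verifier using /admin/user:", verify(SECRET_KEY, "GET", DATE, "/admin/user", client_sig))
```

Logging the string-to-sign on both client and server, as the gateway does at debug level 10, is the quickest way to see which of the signed fields differs.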