Fwd: Access denied error

Hi Cedric/Yehuda,

I have generated the signature dynamically as in this documentation
http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

by using a reference

http://birkoff.net/blog/amazon-s3-query-string-authentication-using-php/

and my code is like



------------------------------------------------------------------------

$aws_access_key_id = 'KGXJJGKDM5G7G4CNKC7R';
$aws_secret_key = 'LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN';
$downloadAudioTimeout = '+20 minutes';
$file_path = "usage";

$http_verb = "GET";
$content_md5 = "";
$content_type = "";
$expires = strtotime($downloadAudioTimeout);
$canonicalizedAmzHeaders = "";

$canonicalizedResource = '/usage';

$stringToSign = $http_verb . "\n" . $content_md5 . "\n" .
    $content_type . "\n" . $expires . "\n" . $canonicalizedAmzHeaders .
    $canonicalizedResource;

$signature = urlencode(hex2b64(hmacsha1($aws_secret_key,
    utf8_encode($stringToSign))));

echo "url=".$url =
    "http://gateway.3linux.com/$file_path?AWSAccessKeyId=$aws_access_key_id&Signature=$signature&Expires=$expires";

return $url;

function hmacsha1($key,$data)
{
    $blocksize=64;
    $hashfunc='sha1';
    if (strlen($key)>$blocksize)
        $key=pack('H*', $hashfunc($key));
    $key=str_pad($key,$blocksize,chr(0x00));
    $ipad=str_repeat(chr(0x36),$blocksize);
    $opad=str_repeat(chr(0x5c),$blocksize);
    $hmac = pack(
        'H*',$hashfunc(
            ($key^$opad).pack(
                'H*',$hashfunc(
                    ($key^$ipad).$data
                )
            )
        )
    );
    return bin2hex($hmac);
}

/*
 * Used to encode a field for Amazon Auth
 * (taken from the Amazon S3 PHP example library)
 */
function hex2b64($str)
{
    $raw = '';
    for ($i=0; $i < strlen($str); $i+=2)
    {
        $raw .= chr(hexdec(substr($str, $i, 2)));
    }
    return base64_encode($raw);
}

--------------------------------------------------------------





I got the url like

http://gateway.3linux.com//admin/usage?AWSAccessKeyId=KGXJJGKDM5G7G4CNKC7R&Signature=ivLXdG9TltSTYEGc5nf%2B5%2B2lyxs%3D&Expires=1398757716 <http://gateway.3linux.com/admin/usage?AWSAccessKeyId=KGXJJGKDM5G7G4CNKC7R&Signature=ivLXdG9TltSTYEGc5nf%2B5%2B2lyxs%3D&Expires=1398757716>

by using the above. When I enter this in the browser, I got the same access
denied error.

Could you please check if there are any issues with this?


---------- Forwarded message ----------
From: Punit Dambiwal <hypunit@xxxxxxxxx>
Date: Tue, Apr 29, 2014 at 3:59 PM
Subject: Re: Access denied error
To: Cedric Lemarchand <cedric at yipikai.org>, Yehuda Sadeh <yehuda at inktank.com>,
"ceph-users at lists.ceph.com" <ceph-users at lists.ceph.com>



On Mon, Apr 28, 2014 at 8:08 PM, Cedric Lemarchand <cedric at yipikai.org> wrote:

>  Hi Punit,
>
> On 28 Apr 2014 at 11:55, Punit Dambiwal <hypunit at gmail.com> wrote:
>
>   Hi Yehuda,
>
> I am using the same above method to call the api and used the way which is
> described in the
> http://ceph.com/docs/master/radosgw/s3/authentication/#access-control-lists-acls
> for connection. The method in the
> http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html is
> for generating the hash of the header string and secret keys, since these
> keys are created already and I think we don't need this method, right?
>
> No, there is a difference between the aws_access_id and aws_secret_key
> (static, generated by radosgw at the user creation) and the AWS
> Authentication header, which is dynamic. As I understand it, the AWS
> signature header needs to be regularly generated because of the parts it
> embeds, plus the time expiration period. I think you can safely regenerate
> the AWS Auth signature for each request.
>
> Cheers
>
>   I also tried one function to list out the bucket data, like
>
> curl -i 'http://gateway.3linux.com/test?format=json' -X GET -H
> 'Authorization: AWS
> KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN' -H 'Host:
> gateway.3linux.com' -H 'Date: Mon, 28 April 2014 07:25:00 GMT ' -H
> 'Content-Length: 0'
>
> but it's also getting the access denied error. But I can view the bucket
> details by directly entering http://gateway.3linux.com/test?format=json in
> the browser. What do you think? What may be the reason? I am able to
> connect and list buckets etc. using cyberduck ftp clients with these access
> keys but unable to do so with the function calls.
>
>
>
>
> On Sat, Apr 26, 2014 at 12:22 AM, Yehuda Sadeh <yehuda at inktank.com> wrote:
>
>> On Fri, Apr 25, 2014 at 1:03 AM, Punit Dambiwal <hypunit at gmail.com>
>> wrote:
>> > Hi Yehuda,
>> >
>>  > Thanks for your help...that missing date error gone but still i am
>> getting
>> > the access denied error :-
>> >
>> > -----------------------------
>> > 2014-04-25 15:52:56.988025 7f00d37c6700  1 ====== starting new request
>> > req=0x237a090 =====
>> > 2014-04-25 15:52:56.988072 7f00d37c6700  2 req 24:0.000046::GET
>> > /admin/usage::initializing
>> > 2014-04-25 15:52:56.988077 7f00d37c6700 10 host=gateway.3linux.com
>> > rgw_dns_name=gateway.3linux.com
>> > 2014-04-25 15:52:56.988102 7f00d37c6700 20 FCGI_ROLE=RESPONDER
>> > 2014-04-25 15:52:56.988103 7f00d37c6700 20 SCRIPT_URL=/admin/usage
>> > 2014-04-25 15:52:56.988104 7f00d37c6700 20
>> > SCRIPT_URI=http://gateway.3linux.com/admin/usage
>> > 2014-04-25 15:52:56.988105 7f00d37c6700 20 HTTP_AUTHORIZATION=AWS
>> > KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN
>> > 2014-04-25 15:52:56.988107 7f00d37c6700 20 HTTP_USER_AGENT=curl/7.22.0
>> > (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4libidn/1.23
>> > librtmp/2.3
>> > 2014-04-25 15:52:56.988108 7f00d37c6700 20 HTTP_ACCEPT=*/*
>> > 2014-04-25 15:52:56.988109 7f00d37c6700 20 HTTP_HOST=gateway.3linux.com
>> > 2014-04-25 15:52:56.988110 7f00d37c6700 20 HTTP_DATE=Fri, 25 April 2014
>> > 07:50:00 GMT
>> > 2014-04-25 15:52:56.988111 7f00d37c6700 20 CONTENT_LENGTH=0
>> > 2014-04-25 15:52:56.988112 7f00d37c6700 20
>> PATH=/usr/local/bin:/usr/bin:/bin
>> > 2014-04-25 15:52:56.988113 7f00d37c6700 20 SERVER_SIGNATURE=
>> > 2014-04-25 15:52:56.988114 7f00d37c6700 20 SERVER_SOFTWARE=Apache/2.2.22
>> > (Ubuntu)
>> > 2014-04-25 15:52:56.988115 7f00d37c6700 20 SERVER_NAME=
>> gateway.3linux.com
>> > 2014-04-25 15:52:56.988116 7f00d37c6700 20 SERVER_ADDR=117.18.79.110
>> > 2014-04-25 15:52:56.988117 7f00d37c6700 20 SERVER_PORT=80
>> > 2014-04-25 15:52:56.988117 7f00d37c6700 20 REMOTE_ADDR=122.166.115.191
>> > 2014-04-25 15:52:56.988118 7f00d37c6700 20 DOCUMENT_ROOT=/var/www
>> > 2014-04-25 15:52:56.988119 7f00d37c6700 20 SERVER_ADMIN=ceph at 3linux.com
>> > 2014-04-25 15:52:56.988120 7f00d37c6700 20
>> > SCRIPT_FILENAME=/var/www/s3gw.fcgi
>> > 2014-04-25 15:52:56.988120 7f00d37c6700 20 REMOTE_PORT=28840
>> > 2014-04-25 15:52:56.988121 7f00d37c6700 20 GATEWAY_INTERFACE=CGI/1.1
>> > 2014-04-25 15:52:56.988122 7f00d37c6700 20 SERVER_PROTOCOL=HTTP/1.1
>> > 2014-04-25 15:52:56.988123 7f00d37c6700 20 REQUEST_METHOD=GET
>> > 2014-04-25 15:52:56.988123 7f00d37c6700 20
>> > QUERY_STRING=page=admin&params=/usage&format=json
>> > 2014-04-25 15:52:56.988124 7f00d37c6700 20
>> > REQUEST_URI=/admin/usage?format=json
>> > 2014-04-25 15:52:56.988125 7f00d37c6700 20 SCRIPT_NAME=/admin/usage
>> > 2014-04-25 15:52:56.988126 7f00d37c6700  2 req 24:0.000101::GET
>> > /admin/usage::getting op
>> > 2014-04-25 15:52:56.988129 7f00d37c6700  2 req 24:0.000104::GET
>> > /admin/usage:get_usage:authorizing
>> > 2014-04-25 15:52:56.988141 7f00d37c6700 20 get_obj_state:
>> > rctx=0x7effbc004aa0 obj=.users:KGXJJGKDM5G7G4CNKC7R state=0x7effbc00e718
>> > s->prefetch_data=0
>> > 2014-04-25 15:52:56.988148 7f00d37c6700 10 moving
>> > .users+KGXJJGKDM5G7G4CNKC7R to cache LRU end
>> > 2014-04-25 15:52:56.988150 7f00d37c6700 10 cache get:
>> > name=.users+KGXJJGKDM5G7G4CNKC7R : hit
>> > 2014-04-25 15:52:56.988155 7f00d37c6700 20 get_obj_state: s->obj_tag
>> was set
>> > empty
>> > 2014-04-25 15:52:56.988160 7f00d37c6700 10 moving
>> > .users+KGXJJGKDM5G7G4CNKC7R to cache LRU end
>> > 2014-04-25 15:52:56.988161 7f00d37c6700 10 cache get:
>> > name=.users+KGXJJGKDM5G7G4CNKC7R : hit
>> > 2014-04-25 15:52:56.988179 7f00d37c6700 20 get_obj_state:
>> > rctx=0x7effbc001ce0 obj=.users.uid:admin state=0x7effbc00ec58
>> > s->prefetch_data=0
>> > 2014-04-25 15:52:56.988185 7f00d37c6700 10 moving .users.uid+admin to
>> cache
>> > LRU end
>> > 2014-04-25 15:52:56.988186 7f00d37c6700 10 cache get:
>> name=.users.uid+admin
>> > : hit
>> > 2014-04-25 15:52:56.988190 7f00d37c6700 20 get_obj_state: s->obj_tag
>> was set
>> > empty
>> > 2014-04-25 15:52:56.988193 7f00d37c6700 10 moving .users.uid+admin to
>> cache
>> > LRU end
>> > 2014-04-25 15:52:56.988195 7f00d37c6700 10 cache get:
>> name=.users.uid+admin
>> > : hit
>> > 2014-04-25 15:52:56.988236 7f00d37c6700 10 get_canon_resource():
>> > dest=/admin/usage
>> > 2014-04-25 15:52:56.988239 7f00d37c6700 10 auth_hdr:
>> > GET
>> >
>> >
>> > Fri, 25 April 2014 07:50:00 GMT
>> > /admin/usage
>> > 2014-04-25 15:52:56.988325 7f00d37c6700 15 calculated
>> > digest=nLKirQEEPeSS0Lzvr52NAB2phpA=
>> > 2014-04-25 15:52:56.988329 7f00d37c6700 15
>> > auth_sign=LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN
>> > 2014-04-25 15:52:56.988330 7f00d37c6700 15 compare=-34
>>
>>
>>  Still signing issues. If you're manually constructing the auth header
>> you need to make it look like the above (copy pasted here):
>>
>> > 2014-04-25 15:52:56.988239 7f00d37c6700 10 auth_hdr:
>> > GET
>> >
>> >
>> > Fri, 25 April 2014 07:50:00 GMT
>> > /admin/usage
>>
>>  Then you need to run hmac-sha1 on it, as described here:
>>
>> http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
>>
>> If you have any backslash in the key then you need to remove it, it's
>> just an escape character for representing slashes in json.
>>
>> Yehuda
>>
>
>
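
An added example, not part of the original thread and not radosgw's own code: the signing flow discussed above (string to sign laid out like the logged auth_hdr, HMAC-SHA1, Base64), with a simplified stand-in for the gateway's digest comparison. Credentials, the host gateway.example and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for this example; not the keys posted in the thread.
ACCESS_KEY = "EXAMPLEACCESSKEY0000"
SECRET_KEY = "constructed-secret-for-demo-only"


def string_to_sign(verb, date_or_expires, resource, md5="", ctype="", amz=""):
    # Same layout as the auth_hdr in the gateway log:
    # verb, Content-MD5, Content-Type, Date (or Expires), then amz headers + resource.
    return "\n".join([verb, md5, ctype, str(date_or_expires)]) + "\n" + amz + resource


def sign(secret, text):
    # Signature = Base64(HMAC-SHA1(secret, string to sign)), over raw digest bytes.
    mac = hmac.new(secret.encode(), text.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presigned_url(base, resource, expires):
    # Query-string form: Expires takes the Date slot; the signature is URL-encoded.
    sig = sign(SECRET_KEY, string_to_sign("GET", expires, resource))
    return (f"{base}{resource}?AWSAccessKeyId={ACCESS_KEY}"
            f"&Signature={quote(sig, safe='')}&Expires={expires}")


def gateway_accepts(verb, date, request_path, presented):
    # Simplified stand-in for the server check: recompute the digest over the
    # path that was actually requested and compare it with what the client sent.
    expected = sign(SECRET_KEY, string_to_sign(verb, date, request_path))
    return hmac.compare_digest(expected, presented)


def demo():
    date = "Fri, 25 April 2014 07:50:00 GMT"  # Date header value seen in the log
    good = sign(SECRET_KEY, string_to_sign("GET", date, "/admin/usage"))
    short = sign(SECRET_KEY, string_to_sign("GET", date, "/usage"))
    return {
        "signed_request_path": gateway_accepts("GET", date, "/admin/usage", good),
        "raw_secret_in_header": gateway_accepts("GET", date, "/admin/usage", SECRET_KEY),
        "signed_different_path": gateway_accepts("GET", date, "/admin/usage", short),
    }


if __name__ == "__main__":
    print(demo())
    print(presigned_url("http://gateway.example", "/admin/usage", 1398757716))
```

Only the first case in demo() is accepted: a signature computed over the same path the request is sent to. Placing the secret key itself after the colon, or signing a path other than the one requested, yields a digest mismatch on the server side.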