---------- Forwarded message ----------
From: Punit Dambiwal <hypunit@xxxxxxxxx>
Date: Tue, Apr 29, 2014 at 3:59 PM
Subject: Re: Access denied error
To: Cedric Lemarchand <cedric at yipikai.org>, Yehuda Sadeh <yehuda at inktank.com>, "ceph-users at lists.ceph.com" <ceph-users at lists.ceph.com>

Hi Cedric/Yehuda,

I have generated the signature dynamically as in this documentation http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html by using a reference http://birkoff.net/blog/amazon-s3-query-string-authentication-using-php/ and my code is like

------------------------------------------------------------------------
$aws_access_key_id = 'KGXJJGKDM5G7G4CNKC7R';
$aws_secret_key = 'LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN';
$downloadAudioTimeout = '+20 minutes';
$file_path = "usage";
$http_verb = "GET";
$content_md5 = "";
$content_type = "";
$expires = strtotime($downloadAudioTimeout);
$canonicalizedAmzHeaders = "";
$canonicalizedResource = '/usage';
$stringToSign = $http_verb . "\n" . $content_md5 . "\n" . $content_type . "\n" . $expires . "\n" . $canonicalizedAmzHeaders . $canonicalizedResource;
$signature = urlencode(hex2b64(hmacsha1($aws_secret_key, utf8_encode($stringToSign))));
echo "url=".$url = " http://gateway.3linux.com/$file_path?AWSAccessKeyId=$aws_access_key_id&Signature=$signature&Expires=$expires ";
return $url;

function hmacsha1($key,$data) {
    $blocksize=64;
    $hashfunc='sha1';
    if (strlen($key)>$blocksize)
        $key=pack('H*', $hashfunc($key));
    $key=str_pad($key,$blocksize,chr(0x00));
    $ipad=str_repeat(chr(0x36),$blocksize);
    $opad=str_repeat(chr(0x5c),$blocksize);
    $hmac = pack( 'H*',$hashfunc( ($key^$opad).pack( 'H*',$hashfunc( ($key^$ipad).$data ) ) ) );
    return bin2hex($hmac);
}

/*
 * Used to encode a field for Amazon Auth
 * (taken from the Amazon S3 PHP example library)
 */
function hex2b64($str) {
    $raw = '';
    for ($i=0; $i < strlen($str); $i+=2) {
        $raw .= chr(hexdec(substr($str, $i, 2)));
    }
    return base64_encode($raw);
}
--------------------------------------------------------------

I got the url like

http://gateway.3linux.com//admin/usage?AWSAccessKeyId=KGXJJGKDM5G7G4CNKC7R&Signature=ivLXdG9TltSTYEGc5nf%2B5%2B2lyxs%3D&Expires=1398757716

by using the above. When I enter this on the browser, I got the same access denied error. Could you please check if there are any issues with this?

On Mon, Apr 28, 2014 at 8:08 PM, Cedric Lemarchand <cedric at yipikai.org> wrote:

> Hi Punit,
>
> On 28 Apr 2014 at 11:55, Punit Dambiwal <hypunit at gmail.com> wrote:
>
> Hi Yehuda,
>
> I am using the same above method to call the api and used the way which
> described in the
> http://ceph.com/docs/master/radosgw/s3/authentication/#access-control-lists-acls for connection. The method in the
> http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html is
> for generating the hash of the header string and secret keys, since these
> keys are created already and I think we don't need this method, right?
>
> No, there is a difference between the aws_access_id and aws_secret_key
> (static, generated by radosgw at the user creation) and the AWS
> Authentication header, which is dynamic. As of my understanding, the AWS
> signature header needs to be regularly generated because of the parts it
> embeds, plus the time expiration period. I think you can safely regenerate
> the AWS Auth signature for each request.
>
> Cheers
>
> I also tried one function to list out the bucket data as like
>
> curl -i 'http://gateway.3linux.com/test?format=json' -X GET -H 'Authorization: AWS KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN' -H 'Host: gateway.3linux.com' -H 'Date: Mon, 28 April 2014 07:25:00 GMT ' -H 'Content-Length: 0'
>
> but it's also getting the access denied error. But I can view the bucket
> details by directly entering http://gateway.3linux.com/test?format=json in the browser. What do you think? What may be the reason? I am able to
> connect and list buckets etc. using cyberduck ftp clients with these access keys
> but unable to do so with the function calls.
>
>
> On Sat, Apr 26, 2014 at 12:22 AM, Yehuda Sadeh <yehuda at inktank.com> wrote:
>
>> On Fri, Apr 25, 2014 at 1:03 AM, Punit Dambiwal <hypunit at gmail.com> wrote:
>> > Hi Yehuda,
>> >
>> > Thanks for your help... that missing date error is gone but still I am getting
>> > the access denied error :-
>> >
>> > -----------------------------
>> > 2014-04-25 15:52:56.988025 7f00d37c6700 1 ====== starting new request req=0x237a090 =====
>> > 2014-04-25 15:52:56.988072 7f00d37c6700 2 req 24:0.000046::GET /admin/usage::initializing
>> > 2014-04-25 15:52:56.988077 7f00d37c6700 10 host=gateway.3linux.com rgw_dns_name=gateway.3linux.com
>> > 2014-04-25 15:52:56.988102 7f00d37c6700 20 FCGI_ROLE=RESPONDER
>> > 2014-04-25 15:52:56.988103 7f00d37c6700 20 SCRIPT_URL=/admin/usage
>> > 2014-04-25 15:52:56.988104 7f00d37c6700 20 SCRIPT_URI=http://gateway.3linux.com/admin/usage
>> > 2014-04-25 15:52:56.988105 7f00d37c6700 20 HTTP_AUTHORIZATION=AWS KGXJJGKDM5G7G4CNKC7R:LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN
>> > 2014-04-25 15:52:56.988107 7f00d37c6700 20 HTTP_USER_AGENT=curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>> > 2014-04-25 15:52:56.988108 7f00d37c6700 20 HTTP_ACCEPT=*/*
>> > 2014-04-25 15:52:56.988109 7f00d37c6700 20 HTTP_HOST=gateway.3linux.com
>> > 2014-04-25 15:52:56.988110 7f00d37c6700 20 HTTP_DATE=Fri, 25 April 2014 07:50:00 GMT
>> > 2014-04-25 15:52:56.988111 7f00d37c6700 20 CONTENT_LENGTH=0
>> > 2014-04-25 15:52:56.988112 7f00d37c6700 20 PATH=/usr/local/bin:/usr/bin:/bin
>> > 2014-04-25 15:52:56.988113 7f00d37c6700 20 SERVER_SIGNATURE=
>> > 2014-04-25 15:52:56.988114 7f00d37c6700 20 SERVER_SOFTWARE=Apache/2.2.22 (Ubuntu)
>> > 2014-04-25 15:52:56.988115 7f00d37c6700 20 SERVER_NAME=gateway.3linux.com
>> > 2014-04-25 15:52:56.988116 7f00d37c6700 20 SERVER_ADDR=117.18.79.110
>> > 2014-04-25 15:52:56.988117 7f00d37c6700 20 SERVER_PORT=80
>> > 2014-04-25 15:52:56.988117 7f00d37c6700 20 REMOTE_ADDR=122.166.115.191
>> > 2014-04-25 15:52:56.988118 7f00d37c6700 20 DOCUMENT_ROOT=/var/www
>> > 2014-04-25 15:52:56.988119 7f00d37c6700 20 SERVER_ADMIN=ceph at 3linux.com
>> > 2014-04-25 15:52:56.988120 7f00d37c6700 20 SCRIPT_FILENAME=/var/www/s3gw.fcgi
>> > 2014-04-25 15:52:56.988120 7f00d37c6700 20 REMOTE_PORT=28840
>> > 2014-04-25 15:52:56.988121 7f00d37c6700 20 GATEWAY_INTERFACE=CGI/1.1
>> > 2014-04-25 15:52:56.988122 7f00d37c6700 20 SERVER_PROTOCOL=HTTP/1.1
>> > 2014-04-25 15:52:56.988123 7f00d37c6700 20 REQUEST_METHOD=GET
>> > 2014-04-25 15:52:56.988123 7f00d37c6700 20 QUERY_STRING=page=admin&params=/usage&format=json
>> > 2014-04-25 15:52:56.988124 7f00d37c6700 20 REQUEST_URI=/admin/usage?format=json
>> > 2014-04-25 15:52:56.988125 7f00d37c6700 20 SCRIPT_NAME=/admin/usage
>> > 2014-04-25 15:52:56.988126 7f00d37c6700 2 req 24:0.000101::GET /admin/usage::getting op
>> > 2014-04-25 15:52:56.988129 7f00d37c6700 2 req 24:0.000104::GET /admin/usage:get_usage:authorizing
>> > 2014-04-25 15:52:56.988141 7f00d37c6700 20 get_obj_state: rctx=0x7effbc004aa0 obj=.users:KGXJJGKDM5G7G4CNKC7R state=0x7effbc00e718 s->prefetch_data=0
>> > 2014-04-25 15:52:56.988148 7f00d37c6700 10 moving .users+KGXJJGKDM5G7G4CNKC7R to cache LRU end
>> > 2014-04-25 15:52:56.988150 7f00d37c6700 10 cache get: name=.users+KGXJJGKDM5G7G4CNKC7R : hit
>> > 2014-04-25 15:52:56.988155 7f00d37c6700 20 get_obj_state: s->obj_tag was set empty
>> > 2014-04-25 15:52:56.988160 7f00d37c6700 10 moving .users+KGXJJGKDM5G7G4CNKC7R to cache LRU end
>> > 2014-04-25 15:52:56.988161 7f00d37c6700 10 cache get: name=.users+KGXJJGKDM5G7G4CNKC7R : hit
>> > 2014-04-25 15:52:56.988179 7f00d37c6700 20 get_obj_state: rctx=0x7effbc001ce0 obj=.users.uid:admin state=0x7effbc00ec58 s->prefetch_data=0
>> > 2014-04-25 15:52:56.988185 7f00d37c6700 10 moving .users.uid+admin to cache LRU end
>> > 2014-04-25 15:52:56.988186 7f00d37c6700 10 cache get: name=.users.uid+admin : hit
>> > 2014-04-25 15:52:56.988190 7f00d37c6700 20 get_obj_state: s->obj_tag was set empty
>> > 2014-04-25 15:52:56.988193 7f00d37c6700 10 moving .users.uid+admin to cache LRU end
>> > 2014-04-25 15:52:56.988195 7f00d37c6700 10 cache get: name=.users.uid+admin : hit
>> > 2014-04-25 15:52:56.988236 7f00d37c6700 10 get_canon_resource(): dest=/admin/usage
>> > 2014-04-25 15:52:56.988239 7f00d37c6700 10 auth_hdr:
>> > GET
>> >
>> >
>> > Fri, 25 April 2014 07:50:00 GMT
>> > /admin/usage
>> > 2014-04-25 15:52:56.988325 7f00d37c6700 15 calculated digest=nLKirQEEPeSS0Lzvr52NAB2phpA=
>> > 2014-04-25 15:52:56.988329 7f00d37c6700 15 auth_sign=LC7S0twZdhtXA1XxthfMDsj5TgJpeKhZrloWa9WN
>> > 2014-04-25 15:52:56.988330 7f00d37c6700 15 compare=-34
>>
>>
>> Still signing issues. If you're manually constructing the auth header
>> you need to make it look like the above (copy pasted here):
>>
>> > 2014-04-25 15:52:56.988239 7f00d37c6700 10 auth_hdr:
>> > GET
>> >
>> >
>> > Fri, 25 April 2014 07:50:00 GMT
>> > /admin/usage
>>
>> Then you need to run hmac-sha1 on it, as described here:
>>
>> http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
>>
>> If you have any backslash in the key then you need to remove it, it's
>> just an escape character for representing slashes in json.
>>
>> Yehuda
>>
>
> _______________________________________________
> ceph-users mailing list
> ceph-users at lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
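
The signing step discussed in this thread, as an added Python example that is not part of the original messages or of Ceph's code: it builds the S3 v2 string to sign in the layout of the `auth_hdr` log entry, signs it with HMAC-SHA1 for both the `Authorization` header form and the query-string (`Expires`) form, and models the gateway-side comparison in simplified form. The credentials, function names and the `gateway_accepts` check are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for this example only (not the keys from the thread).
ACCESS_KEY = "EXAMPLEACCESSKEY0001"
SECRET_KEY = "constructed-secret-key-for-illustration0"


def string_to_sign(verb, date_or_expires, resource,
                   content_md5="", content_type="", amz_headers=""):
    """S3 v2 string to sign. Line 4 is the Date header (header auth) or the
    Expires epoch (query-string auth); empty fields still get their newline."""
    return "\n".join([verb, content_md5, content_type,
                      str(date_or_expires), amz_headers + resource])


def sign(secret, sts):
    """Base64 of the raw 20-byte HMAC-SHA1 digest (28 characters)."""
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(access_key, secret, verb, date, resource):
    """Header form: 'AWS <access key>:<signature>', never the secret itself."""
    return "AWS %s:%s" % (access_key, sign(secret, string_to_sign(verb, date, resource)))


def presigned_query(access_key, secret, verb, expires, resource):
    """Query-string form; the signature is URL-encoded because it may hold + / =."""
    sig = sign(secret, string_to_sign(verb, expires, resource))
    return "%s?AWSAccessKeyId=%s&Signature=%s&Expires=%d" % (
        resource, access_key, quote(sig, safe=""), expires)


def gateway_accepts(secret, verb, date_or_expires, request_path, presented):
    """Server side (simplified): rebuild the string from the request actually
    received, recompute the HMAC and compare in constant time."""
    expected = sign(secret, string_to_sign(verb, date_or_expires, request_path))
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    date = "Fri, 25 April 2014 07:50:00 GMT"  # Date value from the quoted log
    print(authorization_header(ACCESS_KEY, SECRET_KEY, "GET", date, "/admin/usage"))
    print(presigned_query(ACCESS_KEY, SECRET_KEY, "GET", 1398757716, "/admin/usage"))
```

With these functions, presenting the secret key itself as the signature, or a signature computed over `/usage` for a request to `/admin/usage`, fails the comparison, which matches the non-zero `compare=` value in the log.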