403-Forbidden error using radosgw

wido@xxxxxxxx (Wido den Hollander) · Wed, 16 Jul 2014 08:33:34 +0200

On 07/16/2014 07:58 AM, lakshmi k s wrote:
> Hello Ceph Users -
>
> My Ceph setup consists of 1 admin node, 3 OSDs, I radosgw and 1 client.
> One of OSD node also hosts monitor node. Ceph Health is OK and I have
> verified the radosgw runtime. I have created S3 and Swift users using
> radosgw-admin. But when I try to make any S3 or Swift calls, everything
> falls apart. For example -
> Python script -
> import boto
> import boto.s3.connection
> access_key = '123'
> secret_key = '456'

Are you sure the access and secret key are correct? See my lines a bit 
below.

> conn = boto.connect_s3(
> aws_access_key_id = access_key,
> aws_secret_access_key = secret_key,
> host = 'ceph-gateway.ex.com',
> is_secure=False,
> calling_format = boto.s3.connection.OrdinaryCallingFormat(),
> )
> for bucket in conn.get_all_buckets():
> print "{name}\t{created}".format(
> name = bucket.name,
> created = bucket.creation_date,
> )
> Client error-
> Traceback (most recent call last):
>    File "dconnect.py", line 18, in <module>
>      for bucket in conn.get_all_buckets():
>    File "/usr/lib/python2.7/dist-packages/boto/s3/connection.py", line
> 387, in get_all_buckets
>      response.status, response.reason, body)
> boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
> <?xml version="1.0"
> encoding="UTF-8"?><Error><Code>AccessDenied</Code></Error>
> Radosgw log
> 2014-07-15 22:48:15.769125 7fbb85fdb7001 ====== starting new request
> req=0x7fbbe910b290 =====
> 2014-07-15 22:48:15.769443 7fbb85fdb7002 req 17:0.000334::GET
> http://ceph-gateway.ex.com/::initializing
> 2014-07-15 22:48:15.769998 7fbb85fdb700 10 s->object=<NULL> s->bucket=<NULL>
> 2014-07-15 22:48:15.770199 7fbb85fdb7002 req 17:0.001084:s3:GET
> http://ceph-gateway.ex.com/::getting op
> 2014-07-15 22:48:15.770345 7fbb85fdb7002 req 17:0.001231:s3:GET
> http://ceph-gateway.ex.com/:list_buckets:authorizing
> 2014-07-15 22:48:15.770846 7fbb85fdb700 20 get_obj_state:
> rctx=0x7fbbc800f750 obj=.users:I420IKX56ZP09BTN4CML state=0x7fbbc8007c08
> s->prefetch_data=0
> 2014-07-15 22:48:15.771314 7fbb85fdb700 10 cache get:
> name=.users+I420IKX56ZP09BTN4CML : hit
> 2014-07-15 22:48:15.771442 7fbb85fdb700 20 get_obj_state: s->obj_tag was
> set empty
> 2014-07-15 22:48:15.771537 7fbb85fdb700 10 cache get:
> name=.users+I420IKX56ZP09BTN4CML : hit
> 2014-07-15 22:48:15.773278 7fbb85fdb700 20 get_obj_state:
> rctx=0x7fbbc800f750 obj=.users.uid:lakshmi state=0x7fbbc8008208
> s->prefetch_data=0
> 2014-07-15 22:48:15.773288 7fbb85fdb700 10 cache get:
> name=.users.uid+lakshmi : hit
> 2014-07-15 22:48:15.773293 7fbb85fdb700 20 get_obj_state: s->obj_tag was
> set empty
> 2014-07-15 22:48:15.773297 7fbb85fdb700 10 cache get:
> name=.users.uid+lakshmi : hit
> 2014-07-15 22:48:15.774247 7fbb85fdb700 10 get_canon_resource():
> dest=http://ceph-gateway.ex.com/
> 2014-07-15 22:48:15.774326 7fbb85fdb700 10 auth_hdr:
> GET
> Wed, 16 Jul 2014 05:48:48 GMT
> http://ceph-gateway.ex.com/
> 2014-07-15 22:48:15.775425 7fbb85fdb700 15 calculated
> digest=k80Z0p3KlwX4TtrZa0Ws0IWCpVU=
> 2014-07-15 22:48:15.775498 7fbb85fdb700 15
> auth_sign=aAd2u8uD1x/FwLAojm+vceWaITY=
> 2014-07-15 22:48:15.775536 7fbb85fdb700 15 compare=-10
> 2014-07-15 22:48:15.775603 7fbb85fdb700 10 failed to authorize request

That tells you that the gateway calculated a different signature then 
your client did. So something with the access and secret key is wrong.

Wido

> 2014-07-15 22:48:15.776202 7fbb85fdb7002 req 17:0.007071:s3:GET
> http://ceph-gateway.ex.com/:list_buckets:http status=403
> 2014-07-15 22:48:15.776325 7fbb85fdb7001 ====== req done
> req=0x7fbbe910b290 http_status=403 ======
> 2014-07-15 22:48:15.776435 7fbb85fdb700 20 process_request() returned -1
>
> --------------------------------------------------------------------------------------------------------------------------------
> Using Swift-Client -
> swift --debug -V 1.0 -A http://ceph-gateway.ex.com/auth/1.0 -U
> ganapati:swift -K "GIn60fmdvnEh5tSiRziixcO5wVxZjg9eoYmtX3hJ" list
> INFO:urllib3.connectionpool:Starting new HTTP connection (1):
> ceph-gateway.ex.com
> DEBUG:urllib3.connectionpool:Setting read timeout to <object object at
> 0x7f3e1cf38090>
> DEBUG:urllib3.connectionpool:"GET /auth/1.0 HTTP/1.1" 403 23
> ('lks: response %s', <Response [403]>)
> INFO:swiftclient:REQ: curl -i http://ceph-gateway.ex.com/auth/1.0 -X GET
> INFO:swiftclient:RESP STATUS: 403 Forbidden
> INFO:swiftclient:RESP HEADERS: [('date', 'Wed, 16 Jul 2014 05:45:22
> GMT'), ('accept-ranges', 'bytes'), ('content-type', 'application/json'),
> ('content-length', '23'), ('server', 'Apache/2.4.7 (Ubuntu)')]
> INFO:swiftclient:RESP BODY: {"Code":"AccessDenied"}
> ERROR:swiftclient:Auth GET failed: http://ceph-gateway.ex.com/auth/1.0
> 403 Forbidden
> Traceback (most recent call last):
> File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line
> 1187, in _retry
> self.url, self.token = self.get_auth()
> File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line
> 1161, in get_auth
> insecure=self.insecure)
> File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 324,
> in get_auth
> insecure=insecure)
> File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 247,
> in get_auth_1_0
> http_reason=resp.reason)
> ClientException: Auth GET failed: http://ceph-gateway.ex.com/auth/1.0
> 403 Forbidden
> Radosgw log -
> 2014-07-15 22:45:22.654754 7fbb697a27001 ====== starting new request
> req=0x7fbbe910c3d0 =====
> 2014-07-15 22:45:22.654844 7fbb697a27002 req 16:0.000091::GET
> /auth/1.0::initializing
> 2014-07-15 22:45:22.655062 7fbb697a27002 req 16:0.000308:swift-auth:GET
> /auth/1.0::getting op
> 2014-07-15 22:45:22.655073 7fbb697a27002 req 16:0.000321:swift-auth:GET
> /auth/1.0:swift_auth_get:authorizing
> 2014-07-15 22:45:22.655088 7fbb697a27002 req 16:0.000335:swift-auth:GET
> /auth/1.0:swift_auth_get:reading permissions
> 2014-07-15 22:45:22.655095 7fbb697a27002 req 16:0.000342:swift-auth:GET
> /auth/1.0:swift_auth_get:init op
> 2014-07-15 22:45:22.655108 7fbb697a27002 req 16:0.000355:swift-auth:GET
> /auth/1.0:swift_auth_get:verifying op mask
> 2014-07-15 22:45:22.655119 7fbb697a2700 20 required_mask= 0 user.op_mask=7
> 2014-07-15 22:45:22.655125 7fbb697a27002 req 16:0.000372:swift-auth:GET
> /auth/1.0:swift_auth_get:verifying op permissions
> 2014-07-15 22:45:22.655132 7fbb697a27002 req 16:0.000379:swift-auth:GET
> /auth/1.0:swift_auth_get:verifying op params
> 2014-07-15 22:45:22.655138 7fbb697a27002 req 16:0.000385:swift-auth:GET
> /auth/1.0:swift_auth_get:executing
> 2014-07-15 22:45:22.655363 7fbb697a2700 20 get_obj_state:
> rctx=0x7fbba0048cc0 obj=.users.swift:ganapati:swift state=0x7fbba0010fd8
> s->prefetch_data=0
> 2014-07-15 22:45:22.655427 7fbb697a2700 10 cache get:
> name=.users.swift+ganapati:swift : type miss (requested=6, cached=0)
> 2014-07-15 22:45:22.662199 7fbb697a2700 10 cache put:
> name=.users.swift+ganapati:swift
> 2014-07-15 22:45:22.662239 7fbb697a2700 10 moving
> .users.swift+ganapati:swift to cache LRU end
> 2014-07-15 22:45:22.662357 7fbb697a27002 req 16:0.007603:swift-auth:GET
> /auth/1.0:swift_auth_get:http status=403
> 2014-07-15 22:45:22.662379 7fbb697a27001 ====== req done
> req=0x7fbbe910c3d0 http_status=403 ======
> ceph.conf
> [global]
> fsid = ecb2d0d4-cfc9-4fb9-a98d-002fa1b228f1
> mon_initial_members = node1
> mon_host = 192.168.122.108
> auth_cluster_required = cephx
> auth_service_required = cephx
> auth_client_required = cephx
> filestore_xattr_use_omap = true
>
> [client.admin]
> keyring = /etc/ceph/ceph.client.admin.keyring
>
> [client.radosgw.gateway]
> host = ceph-gateway
> keyring = /etc/ceph/ceph.client.radosgw.keyring
> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> log file = /var/log/ceph/client.radosgw.gateway.log
> rgw dns name = ceph-gateway.ex.com
> rgw print continue = false
> rgw debug = 20
> rgw enable usage log = true
>
> Appreciate your help.
> Thanks,
> Lakshmi.
>
>
>
> _______________________________________________
> ceph-users mailing list
> ceph-users at lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>

-- 
Wido den Hollander
42on B.V.
Ceph trainer and consultant

Phone: +31 (0)20 700 9902
Skype: contact42on