403-Forbidden error using radosgw

piiv@xxxxxxx (Vincenzo Pii) · Wed, 16 Jul 2014 16:05:58 +0200

You may try to debug your issue by using curl requests.

If you use your Swift credentials, a request of this format should give you
a 20X return code (probably 204):

curl -v -i http://<hostname>/auth -X GET -H "X-Auth-User:
testuser:swiftuser" -H "X-Auth-Key:
ksYDp8dul80Ta1PeDkFFyLem1FlrtvnyzYiaqvh8"

If this works, you at least know that your auth mechanism is working.

2014-07-16 8:33 GMT+02:00 Wido den Hollander <wido at 42on.com>:

> On 07/16/2014 07:58 AM, lakshmi k s wrote:
> > Hello Ceph Users -
> >
> > My Ceph setup consists of 1 admin node, 3 OSDs, I radosgw and 1 client.
> > One of OSD node also hosts monitor node. Ceph Health is OK and I have
> > verified the radosgw runtime. I have created S3 and Swift users using
> > radosgw-admin. But when I try to make any S3 or Swift calls, everything
> > falls apart. For example -
> > Python script -
> > import boto
> > import boto.s3.connection
> > access_key = '123'
> > secret_key = '456'
>
> Are you sure the access and secret key are correct? See my lines a bit
> below.
>
> > conn = boto.connect_s3(
> > aws_access_key_id = access_key,
> > aws_secret_access_key = secret_key,
> > host = 'ceph-gateway.ex.com',
> > is_secure=False,
> > calling_format = boto.s3.connection.OrdinaryCallingFormat(),
> > )
> > for bucket in conn.get_all_buckets():
> > print "{name}\t{created}".format(
> > name = bucket.name,
> > created = bucket.creation_date,
> > )
> > Client error-
> > Traceback (most recent call last):
> >    File "dconnect.py", line 18, in <module>
> >      for bucket in conn.get_all_buckets():
> >    File "/usr/lib/python2.7/dist-packages/boto/s3/connection.py", line
> > 387, in get_all_buckets
> >      response.status, response.reason, body)
> > boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
> > <?xml version="1.0"
> > encoding="UTF-8"?><Error><Code>AccessDenied</Code></Error>
> > Radosgw log
> > 2014-07-15 22:48:15.769125 7fbb85fdb7001 ====== starting new request
> > req=0x7fbbe910b290 =====
> > 2014-07-15 22:48:15.769443 7fbb85fdb7002 req 17:0.000334::GET
> > http://ceph-gateway.ex.com/::initializing
> > 2014-07-15 22:48:15.769998 7fbb85fdb700 10 s->object=<NULL>
> s->bucket=<NULL>
> > 2014-07-15 22:48:15.770199 7fbb85fdb7002 req 17:0.001084:s3:GET
> > http://ceph-gateway.ex.com/::getting op
> > 2014-07-15 22:48:15.770345 7fbb85fdb7002 req 17:0.001231:s3:GET
> > http://ceph-gateway.ex.com/:list_buckets:authorizing
> > 2014-07-15 22:48:15.770846 7fbb85fdb700 20 get_obj_state:
> > rctx=0x7fbbc800f750 obj=.users:I420IKX56ZP09BTN4CML state=0x7fbbc8007c08
> > s->prefetch_data=0
> > 2014-07-15 22:48:15.771314 7fbb85fdb700 10 cache get:
> > name=.users+I420IKX56ZP09BTN4CML : hit
> > 2014-07-15 22:48:15.771442 7fbb85fdb700 20 get_obj_state: s->obj_tag was
> > set empty
> > 2014-07-15 22:48:15.771537 7fbb85fdb700 10 cache get:
> > name=.users+I420IKX56ZP09BTN4CML : hit
> > 2014-07-15 22:48:15.773278 7fbb85fdb700 20 get_obj_state:
> > rctx=0x7fbbc800f750 obj=.users.uid:lakshmi state=0x7fbbc8008208
> > s->prefetch_data=0
> > 2014-07-15 22:48:15.773288 7fbb85fdb700 10 cache get:
> > name=.users.uid+lakshmi : hit
> > 2014-07-15 22:48:15.773293 7fbb85fdb700 20 get_obj_state: s->obj_tag was
> > set empty
> > 2014-07-15 22:48:15.773297 7fbb85fdb700 10 cache get:
> > name=.users.uid+lakshmi : hit
> > 2014-07-15 22:48:15.774247 7fbb85fdb700 10 get_canon_resource():
> > dest=http://ceph-gateway.ex.com/
> > 2014-07-15 22:48:15.774326 7fbb85fdb700 10 auth_hdr:
> > GET
> > Wed, 16 Jul 2014 05:48:48 GMT
> > http://ceph-gateway.ex.com/
> > 2014-07-15 22:48:15.775425 7fbb85fdb700 15 calculated
> > digest=k80Z0p3KlwX4TtrZa0Ws0IWCpVU=
> > 2014-07-15 22:48:15.775498 7fbb85fdb700 15
> > auth_sign=aAd2u8uD1x/FwLAojm+vceWaITY=
> > 2014-07-15 22:48:15.775536 7fbb85fdb700 15 compare=-10
> > 2014-07-15 22:48:15.775603 7fbb85fdb700 10 failed to authorize request
>
> That tells you that the gateway calculated a different signature then
> your client did. So something with the access and secret key is wrong.
>
> Wido
>
> > 2014-07-15 22:48:15.776202 7fbb85fdb7002 req 17:0.007071:s3:GET
> > http://ceph-gateway.ex.com/:list_buckets:http status=403
> > 2014-07-15 22:48:15.776325 7fbb85fdb7001 ====== req done
> > req=0x7fbbe910b290 http_status=403 ======
> > 2014-07-15 22:48:15.776435 7fbb85fdb700 20 process_request() returned -1
> >
> >
> --------------------------------------------------------------------------------------------------------------------------------
> > Using Swift-Client -
> > swift --debug -V 1.0 -A http://ceph-gateway.ex.com/auth/1.0 -U
> > ganapati:swift -K "GIn60fmdvnEh5tSiRziixcO5wVxZjg9eoYmtX3hJ" list
> > INFO:urllib3.connectionpool:Starting new HTTP connection (1):
> > ceph-gateway.ex.com
> > DEBUG:urllib3.connectionpool:Setting read timeout to <object object at
> > 0x7f3e1cf38090>
> > DEBUG:urllib3.connectionpool:"GET /auth/1.0 HTTP/1.1" 403 23
> > ('lks: response %s', <Response [403]>)
> > INFO:swiftclient:REQ: curl -i http://ceph-gateway.ex.com/auth/1.0 -X GET
> > INFO:swiftclient:RESP STATUS: 403 Forbidden
> > INFO:swiftclient:RESP HEADERS: [('date', 'Wed, 16 Jul 2014 05:45:22
> > GMT'), ('accept-ranges', 'bytes'), ('content-type', 'application/json'),
> > ('content-length', '23'), ('server', 'Apache/2.4.7 (Ubuntu)')]
> > INFO:swiftclient:RESP BODY: {"Code":"AccessDenied"}
> > ERROR:swiftclient:Auth GET failed: http://ceph-gateway.ex.com/auth/1.0
> > 403 Forbidden
> > Traceback (most recent call last):
> > File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line
> > 1187, in _retry
> > self.url, self.token = self.get_auth()
> > File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line
> > 1161, in get_auth
> > insecure=self.insecure)
> > File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 324,
> > in get_auth
> > insecure=insecure)
> > File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 247,
> > in get_auth_1_0
> > http_reason=resp.reason)
> > ClientException: Auth GET failed: http://ceph-gateway.ex.com/auth/1.0
> > 403 Forbidden
> > Radosgw log -
> > 2014-07-15 22:45:22.654754 7fbb697a27001 ====== starting new request
> > req=0x7fbbe910c3d0 =====
> > 2014-07-15 22:45:22.654844 7fbb697a27002 req 16:0.000091::GET
> > /auth/1.0::initializing
> > 2014-07-15 22:45:22.655062 7fbb697a27002 req 16:0.000308:swift-auth:GET
> > /auth/1.0::getting op
> > 2014-07-15 22:45:22.655073 7fbb697a27002 req 16:0.000321:swift-auth:GET
> > /auth/1.0:swift_auth_get:authorizing
> > 2014-07-15 22:45:22.655088 7fbb697a27002 req 16:0.000335:swift-auth:GET
> > /auth/1.0:swift_auth_get:reading permissions
> > 2014-07-15 22:45:22.655095 7fbb697a27002 req 16:0.000342:swift-auth:GET
> > /auth/1.0:swift_auth_get:init op
> > 2014-07-15 22:45:22.655108 7fbb697a27002 req 16:0.000355:swift-auth:GET
> > /auth/1.0:swift_auth_get:verifying op mask
> > 2014-07-15 22:45:22.655119 7fbb697a2700 20 required_mask= 0
> user.op_mask=7
> > 2014-07-15 22:45:22.655125 7fbb697a27002 req 16:0.000372:swift-auth:GET
> > /auth/1.0:swift_auth_get:verifying op permissions
> > 2014-07-15 22:45:22.655132 7fbb697a27002 req 16:0.000379:swift-auth:GET
> > /auth/1.0:swift_auth_get:verifying op params
> > 2014-07-15 22:45:22.655138 7fbb697a27002 req 16:0.000385:swift-auth:GET
> > /auth/1.0:swift_auth_get:executing
> > 2014-07-15 22:45:22.655363 7fbb697a2700 20 get_obj_state:
> > rctx=0x7fbba0048cc0 obj=.users.swift:ganapati:swift state=0x7fbba0010fd8
> > s->prefetch_data=0
> > 2014-07-15 22:45:22.655427 7fbb697a2700 10 cache get:
> > name=.users.swift+ganapati:swift : type miss (requested=6, cached=0)
> > 2014-07-15 22:45:22.662199 7fbb697a2700 10 cache put:
> > name=.users.swift+ganapati:swift
> > 2014-07-15 22:45:22.662239 7fbb697a2700 10 moving
> > .users.swift+ganapati:swift to cache LRU end
> > 2014-07-15 22:45:22.662357 7fbb697a27002 req 16:0.007603:swift-auth:GET
> > /auth/1.0:swift_auth_get:http status=403
> > 2014-07-15 22:45:22.662379 7fbb697a27001 ====== req done
> > req=0x7fbbe910c3d0 http_status=403 ======
> > ceph.conf
> > [global]
> > fsid = ecb2d0d4-cfc9-4fb9-a98d-002fa1b228f1
> > mon_initial_members = node1
> > mon_host = 192.168.122.108
> > auth_cluster_required = cephx
> > auth_service_required = cephx
> > auth_client_required = cephx
> > filestore_xattr_use_omap = true
> >
> > [client.admin]
> > keyring = /etc/ceph/ceph.client.admin.keyring
> >
> > [client.radosgw.gateway]
> > host = ceph-gateway
> > keyring = /etc/ceph/ceph.client.radosgw.keyring
> > rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> > log file = /var/log/ceph/client.radosgw.gateway.log
> > rgw dns name = ceph-gateway.ex.com
> > rgw print continue = false
> > rgw debug = 20
> > rgw enable usage log = true
> >
> > Appreciate your help.
> > Thanks,
> > Lakshmi.
> >
> >
> >
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users at lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >
>
>
> --
> Wido den Hollander
> 42on B.V.
> Ceph trainer and consultant
>
> Phone: +31 (0)20 700 9902
> Skype: contact42on
> _______________________________________________
> ceph-users mailing list
> ceph-users at lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>

-- 
Vincenzo Pii
Researcher, InIT Cloud Computing Lab
Zurich University of Applied Sciences (ZHAW)
http://www.cloudcomp.ch/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ceph.com/pipermail/ceph-users-ceph.com/attachments/20140716/4adf0544/attachment.htm>