Object Gateway - Server Side Encryption

Hi,

I am trying to configure server-side encryption using a Key Management Service as per the documentation at http://docs.ceph.com/docs/master/radosgw/encryption/

I configured the Keystone/Barbican integration and it is working; I tested it using curl commands. After I configure RadosGW and use boto.s3.connection from Python or the s3cmd client, an error is thrown.

boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Failed to retrieve the actual key, kms-keyid: 616b2ce2-053a-41e3-b51e-0ff53e33cf81</Message><BucketName>newbucket</BucketName><RequestId>tx000000000000000077750-005aa1274b-ac51-uk-west</RequestId><HostId>ac51-uk-west-uk</HostId></Error>

In the server-side logs it is getting the token, and Barbican is authenticating the request and then providing the secret URL, but it is unable to serve the key.

 22:10:03.940091 7f056f7eb700 15 ceph_armor ret=16
 22:10:03.940111 7f056f7eb700 15 supplied_md5=eb1a3227cdc3fedbaec2fe38bf6c044a
 22:10:03.940129 7f056f7eb700 20 reading from uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1
 22:10:03.940138 7f056f7eb700 20 get_system_obj_state: rctx=0x7f056f7e39f0 obj=uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 state=0x56540487a5a0 s->prefetch_data=0
 22:10:03.940145 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x16, cached=0x17)
 22:10:03.940152 7f056f7eb700 20 get_system_obj_state: s->obj_tag was set empty
 22:10:03.940155 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x11, cached=0x17)
 22:10:03.944015 7f056f7eb700 20 bucket quota: max_objects=1638400 max_size=-1
 22:10:03.944030 7f056f7eb700 20 bucket quota OK: stats.num_objects=7 stats.size=50
 22:10:03.944176 7f056f7eb700 20 Getting KMS encryption key for key=616b2ce2-053a-41e3-b51e-0ff53e33cf81
 22:10:03.944225 7f056f7eb700 20 Requesting secret from barbican url=http://keyserver.rados:5000/v3/auth/tokens
 22:10:03.944281 7f056f7eb700 20 sending request to http://keyserver.rados:5000/v3/auth/tokens
 22:10:04.405974 7f056f7eb700 20 sending request to http://keyserver.rados:9311/v1/secrets/616b2ce2-053a-41e3-b51e-0ff53e33cf81
 22:10:05.519874 7f056f7eb700 5 Failed to retrieve secret from barbican:616b2ce2-053a-41e3-b51e-0ff53e33cf81
 22:10:05.519901 7f056f7eb700 5 ERROR: failed to retrieve actual key from key_id: 616b2ce2-053a-41e3-b51e-0ff53e33cf81
 22:10:05.519980 7f056f7eb700 2 req 387:1.581432:s3:PUT /encrypted.txt:put_obj:completing
 22:10:05.520187 7f056f7eb700 2 req 387:1.581640:s3:PUT /encrypted.txt:put_obj:op status=-13
 22:10:05.520193 7f056f7eb700 2 req 387:1.581645:s3:PUT /encrypted.txt:put_obj:http status=403
 22:10:05.520206 7f056f7eb700 1 ====== req done req=0x7f056f7e5190 op status=-13 http_status=403 ======
 22:10:05.520225 7f056f7eb700 20 process_request() returned -13
 22:10:05.520280 7f056f7eb700 1 civetweb: 0x5654042a1000: 192.168.100.200 - - [02/Mar/2018:22:10:03 +0530] "PUT /encrypted.txt HTTP/1.1" 1 0 - Boto/2.38.0 Python/2.7.12 Linux/4.12.1-041201-generic
 22:10:06.116527 7f056e7e9700 20 HTTP_ACCEPT=*/*


The error is thrown from this line: https://github.com/ceph/ceph/blob/master/src/rgw/rgw_crypt.cc#L1063

I am unable to understand why it is throwing the error.

In ceph.conf the following settings are configured.

[global]
rgw barbican url = http://keyserver.rados:9311
rgw keystone barbican user = rgwcrypt
rgw keystone barbican password = rgwpass
rgw keystone barbican project = service
rgw keystone barbican domain = default
rgw keystone url = http://keyserver.rados:5000
rgw keystone api version = 3
rgw crypt require ssl = false

Can someone help in figuring out what is missing?

Thanks,
Amar
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
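Added example (editor's code, not part of the post above and not Ceph's own code): a Python script that replays, outside RGW, the two requests the log shows RGW making (a Keystone v3 password auth scoped to the barbican user's project/domain, then a GET of /v1/secrets/<key-id> with Accept: application/octet-stream) and applies the acceptance rules I read in request_key_from_barbican in rgw_crypt.cc: a 401 from Barbican is treated as access denied, and anything other than a 2xx with a body of exactly 32 raw bytes (AES_256_KEYSIZE) is also reported as a failure. Running it against the real endpoints separates "token/ACL problem" from "secret stored in the wrong form" before the opaque 403 reaches the S3 client. The hostnames, user, project and domain are taken from the ceph.conf in the post; the fake transport and its responses are constructed for offline testing; the helper names are mine.

```python
import base64
import json
import os
import sys
import urllib.error
import urllib.request

# rgw_crypt.cc (request_key_from_barbican) accepts the secret only when the
# response is 2xx and the body is exactly AES_256_KEYSIZE bytes; 401 -> EACCES.
AES_256_KEYSIZE = 32

# Values copied from the ceph.conf in the post above (password as shown there).
RGW_CONF = {
    "keystone_url": "http://keyserver.rados:5000",
    "barbican_url": "http://keyserver.rados:9311",
    "user": "rgwcrypt",
    "password": "rgwpass",
    "project": "service",
    "domain": "default",
}


def keystone_token_request(cfg):
    """Keystone v3 password auth, scoped to the barbican project/domain."""
    body = {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": cfg["user"],
                                           "domain": {"name": cfg["domain"]},
                                           "password": cfg["password"]}}},
        "scope": {"project": {"name": cfg["project"],
                              "domain": {"name": cfg["domain"]}}}}}
    url = cfg["keystone_url"].rstrip("/") + "/v3/auth/tokens"
    return url, {"Content-Type": "application/json"}, json.dumps(body).encode()


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def fetch_kms_key(key_id, cfg=RGW_CONF, transport=urllib_transport):
    """Replay RGW's Keystone + Barbican requests and apply RGW's acceptance rules.

    Returns (verdict, key_bytes): verdict is "ok" or a diagnosis, key is None on failure.
    """
    url, hdrs, body = keystone_token_request(cfg)
    status, resp_hdrs, resp_body = transport("POST", url, hdrs, body)
    token = _header(resp_hdrs, "X-Subject-Token")
    if status != 201 or not token:
        return f"keystone auth failed: HTTP {status} {resp_body[:200]!r}", None

    secret_url = cfg["barbican_url"].rstrip("/") + "/v1/secrets/" + key_id
    status, _, payload = transport(
        "GET", secret_url,
        {"X-Auth-Token": token, "Accept": "application/octet-stream"})
    if status == 401:
        return "barbican rejected the token (401): RGW maps this to access denied", None
    if not 200 <= status < 300:
        return (f"barbican returned HTTP {status}: {payload[:200]!r} "
                f"(check that project {cfg['project']} can read this secret)"), None
    if len(payload) != AES_256_KEYSIZE:
        return (f"payload is {len(payload)} bytes, RGW requires exactly "
                f"{AES_256_KEYSIZE} raw bytes (secret stored as text/base64?)"), None
    return "ok", payload


def fake_barbican_transport(secret_payload, secret_status=200):
    """Constructed offline stand-in for Keystone and Barbican (test data, not real services)."""
    def transport(method, url, headers, body=None):
        if method == "POST" and url.endswith("/v3/auth/tokens"):
            return 201, {"X-Subject-Token": "tok-constructed"}, b"{}"
        if method == "GET" and "/v1/secrets/" in url:
            if headers.get("X-Auth-Token") != "tok-constructed":
                return 401, {}, b""
            return secret_status, {}, secret_payload
        return 404, {}, b""
    return transport


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live run: python script.py <key-id>
        print(fetch_kms_key(sys.argv[1])[0])
    else:                                      # offline demo with constructed responses
        raw_key = os.urandom(AES_256_KEYSIZE)
        print(fetch_kms_key("demo", transport=fake_barbican_transport(raw_key))[0])
        # the same key stored as base64 text comes back as 44 bytes and is rejected
        print(fetch_kms_key("demo", transport=fake_barbican_transport(
            base64.b64encode(raw_key)))[0])
```

Run it with the key id from the error message as the only argument to exercise the real Keystone and Barbican; with no argument it only demonstrates the checks against the constructed transport. A verdict of "ok" here while RGW still returns 403 would point at RGW-side configuration rather than at Barbican.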
