Ceph (version 14.2.7) RGW STS AccessDenied

Hi, I want to use STS to get temporary credentials, but I got 403.

The user info:
{
    "user_id": "sr",
    "display_name": "shiran",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "sr",
            "access_key": "FBGYU7CUBUACP2OYBE76",
            "secret_key": "RoovZBBNdlOvVS4LzuuuCsZ1QPA6W81mbNXvonYD"
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "roles",
            "perm": "*"
        },
        {
            "type": "user-policy",
            "perm": "*"
        }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}


and the role info:

{
    "id": "c983c0df-a49c-4e36-957d-7d709f65e292",
    "name": "S3Access",
    "path": "/application_abc/component_xyz/",
    "arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access",
    "create_date": "2020-03-04T08:19:41.24Z",
    "max_session_duration": 3600,
    "assume_role_policy_document": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/sr\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}

I use the AWS Java SDK to AssumeRole; the code is like:

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;

public class StsAssumeRoleTest {
    public static final String ACCESSKEY_STRING = "xxxxxxxxxxxxxx";
    public static final String BUCKETNAME_STRING = "osstest";
    public static final String SECRETKEY_STRING = "xxxxxxxxxxxxxxxxxxxxx";

    public static final String ENDPOINT_STRING = "http://192.168.3.250"; // haproxy

    public static void main(String[] args) {
        String clientRegion = ENDPOINT_STRING;
        String roleARN = "arn:aws:iam:::role/application_abc/component_xyz/S3Access";
        String roleSessionName = "bob";
        String bucketName = ENDPOINT_STRING;

        AWSCredentials credentials = new BasicAWSCredentials(ACCESSKEY_STRING, SECRETKEY_STRING);
        ClientConfiguration clientConfig = new ClientConfiguration();

        clientConfig.setProtocol(Protocol.HTTP);
        // Forces the AWS3 signer: the request goes out with an x-amzn-authorization header
        clientConfig.setSignerOverride("AWS3SignerType");

        AWSSecurityTokenService sts_client = AWSSecurityTokenServiceClientBuilder.standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(ENDPOINT_STRING, ""))
                .withCredentials(new AWSStaticCredentialsProvider(credentials))
                .withClientConfiguration(clientConfig)
                .build();
        // Built but never sent; the duration set on it does not reach the AssumeRole call
        GetSessionTokenRequest session_token_request = new GetSessionTokenRequest();
        AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                .withRoleArn(roleARN)
                .withRoleSessionName(roleSessionName)
                .withTokenCode("sts");
        session_token_request.setDurationSeconds(3600);
        AssumeRoleResult roleResponse = sts_client.assumeRole(roleRequest);
        Credentials sessionCredentials = roleResponse.getCredentials();
    }
}


I got the response:

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000016-005e64fa9e-b5b47-default</RequestId><HostId>b5b47-default-default</HostId></Error>

The debug info in the log file looks like this:


1 ====== starting new request req=0x5592abefc910 =====
2020-03-08 22:01:02.984 7f2548f95700  2 req 22 0.000s initializing for trans_id = tx000000000000000000016-005e64fa9e-b5b47-default
2020-03-08 22:01:02.984 7f2548f95700 10 rgw api priority: s3=7 s3website=6
2020-03-08 22:01:02.984 7f2548f95700 10 host=rgw1
2020-03-08 22:01:02.984 7f2548f95700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2020-03-08 22:01:02.984 7f2548f95700 20 final domain/bucket subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 s->info.domain= s->info.request_uri=/
2020-03-08 22:01:02.984 7f2548f95700 10 meta>> HTTP_X_AMZ_DATE
2020-03-08 22:01:02.984 7f2548f95700 10 meta>> HTTP_X_AMZN_AUTHORIZATION
2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amz-date:Sun, 08 Mar 2020 14:01:02 GMT
2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amzn-authorization:AWS3 AWSAccessKeyId=FBGYU7CUBUACP2OYBE76,Algorithm=HmacSHA256,SignedHeaders=Host;X-Amz-Date,Signature=D7p74AFsJn4J823e6Up4Zo2eRV/n5PFmyQ2/w+kOaqY=
2020-03-08 22:01:02.984 7f2548f95700 20 get_handler handler=26RGWHandler_REST_Service_S3
2020-03-08 22:01:02.984 7f2548f95700 10 handler=26RGWHandler_REST_Service_S3
2020-03-08 22:01:02.984 7f2548f95700  2 req 22 0.000s getting op 4
2020-03-08 22:01:02.984 7f2548f95700 10 Content of POST: Action=AssumeRole&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2Fapplication_abc%2Fcomponent_xyz%2FS3Access&RoleSessionName=bob&SerialNumber=sdfsdf&TokenCode=sts
2020-03-08 22:01:02.984 7f2548f95700 10 Key: ActionValue: AssumeRole
2020-03-08 22:01:02.984 7f2548f95700 10 Key: VersionValue: 2011-06-15
2020-03-08 22:01:02.984 7f2548f95700 10 Key: RoleArnValue: arn:aws:iam:::role/application_abc/component_xyz/S3Access
2020-03-08 22:01:02.984 7f2548f95700 10 Key: RoleSessionNameValue: bob
2020-03-08 22:01:02.984 7f2548f95700 10 Key: SerialNumberValue: sdfsdf
2020-03-08 22:01:02.984 7f2548f95700 10 Key: TokenCodeValue: sts
2020-03-08 22:01:02.984 7f2548f95700 10 req 22 0.000s sts:assume_role scheduling with dmclock client=0 cost=1
2020-03-08 22:01:02.984 7f2548f95700 10 op=16RGWSTSAssumeRole
2020-03-08 22:01:02.984 7f2548f95700  2 req 22 0.000s sts:assume_role verifying requester
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::S3AnonymousEngine granted access
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy granted access
2020-03-08 22:01:02.984 7f2548f95700  2 req 22 0.000s sts:assume_role normalizing buckets and tenants
2020-03-08 22:01:02.984 7f2548f95700 10 s->object=<NULL> s->bucket=
2020-03-08 22:01:02.984 7f2548f95700  2 req 22 0.000s sts:assume_role init permissions
2020-03-08 22:01:02.985 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb400 obj=default.rgw.meta:users.uid:anonymous state=0x5592aa8d99c0 s->prefetch_data=0
2020-03-08 22:01:02.985 7f2548f95700 10 cache get: name=default.rgw.meta+users.uid+anonymous : type miss (requested=0x6, cached=0x0)
2020-03-08 22:01:02.985 7f2548f95700 20 WARNING: blocking librados call
2020-03-08 22:01:02.985 7f2548f95700  1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.244:6800/2853,v1:192.168.3.244:6801/2853] -- osd_op(unknown.0.0:159377 3.0 3:0ab27964:users.uid::anonymous:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abea3b80 con 0x5592ab6acc00
2020-03-08 22:01:02.985 7f2593ab4700  1 -- 192.168.3.247:0/1491423941 <== osd.5 v2:192.168.3.244:6800/2853 4 ==== osd_op_reply(159377 anonymous [getxattrs,stat] v0'0 uv0 ondisk = -2 ((2) No such file or directory)) v8 ==== 195+0+0 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6acc00
2020-03-08 22:01:02.985 7f2548f95700 10 cache put: name=default.rgw.meta+users.uid+anonymous info.flags=0x0
2020-03-08 22:01:02.985 7f2548f95700 10 moving default.rgw.meta+users.uid+anonymous to cache LRU end
2020-03-08 22:01:02.985 7f2548f95700  2 req 22 0.001s sts:assume_role recalculating target
2020-03-08 22:01:02.985 7f2548f95700  2 req 22 0.001s sts:assume_role reading permissions
2020-03-08 22:01:02.985 7f2548f95700  2 req 22 0.001s sts:assume_role init op
2020-03-08 22:01:02.985 7f2548f95700  2 req 22 0.001s sts:assume_role verifying op mask
2020-03-08 22:01:02.985 7f2548f95700 20 req 22 0.001s sts:assume_role required_mask= 0 user.op_mask=7
2020-03-08 22:01:02.985 7f2548f95700  2 req 22 0.001s sts:assume_role verifying op permissions
2020-03-08 22:01:02.985 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb7f0 obj=default.rgw.meta:roles:role_names.S3Access state=0x5592aa8d99c0 s->prefetch_data=0
2020-03-08 22:01:02.985 7f2548f95700 10 cache get: name=default.rgw.meta+roles+role_names.S3Access : type miss (requested=0x6, cached=0x3)
2020-03-08 22:01:02.985 7f2548f95700 20 WARNING: blocking librados call
2020-03-08 22:01:02.985 7f2548f95700  1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.245:6808/2863,v1:192.168.3.245:6809/2863] -- osd_op(unknown.0.0:159378 3.3 3:c86e03bb:roles::role_names.S3Access:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abf18000 con 0x5592ab6ad400
2020-03-08 22:01:02.986 7f2593ab4700  1 -- 192.168.3.247:0/1491423941 <== osd.8 v2:192.168.3.245:6808/2863 3 ==== osd_op_reply(159378 role_names.S3Access [getxattrs,stat] v0'0 uv4 ondisk = 0) v8 ==== 205+0+20 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6ad400
2020-03-08 22:01:02.986 7f2548f95700 10 cache put: name=default.rgw.meta+roles+role_names.S3Access info.flags=0x6
2020-03-08 22:01:02.986 7f2548f95700 10 moving default.rgw.meta+roles+role_names.S3Access to cache LRU end
2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: s->obj_tag was set empty
2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+role_names.S3Access : hit (requested=0x1, cached=0x7)
2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb7f0 obj=default.rgw.meta:roles:roles.c983c0df-a49c-4e36-957d-7d709f65e292 state=0x5592aa8d99c0 s->prefetch_data=0
2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 : type miss (requested=0x6, cached=0x3)
2020-03-08 22:01:02.986 7f2548f95700 20 WARNING: blocking librados call
2020-03-08 22:01:02.986 7f2548f95700  1 -- 192.168.3.247:0/1491423941 --> [v2:192.168.3.244:6800/2853,v1:192.168.3.244:6801/2853] -- osd_op(unknown.0.0:159379 3.0 3:0e42bcf0:roles::roles.c983c0df-a49c-4e36-957d-7d709f65e292:head [getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e282) v8 -- 0x5592abf182c0 con 0x5592ab6acc00
2020-03-08 22:01:02.986 7f2593ab4700  1 -- 192.168.3.247:0/1491423941 <== osd.5 v2:192.168.3.244:6800/2853 5 ==== osd_op_reply(159379 roles.c983c0df-a49c-4e36-957d-7d709f65e292 [getxattrs,stat] v0'0 uv4 ondisk = 0) v8 ==== 228+0+20 (crc 0 0 0) 0x5592abda1400 con 0x5592ab6acc00
2020-03-08 22:01:02.986 7f2548f95700 10 cache put: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 info.flags=0x6
2020-03-08 22:01:02.986 7f2548f95700 10 moving default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 to cache LRU end
2020-03-08 22:01:02.986 7f2548f95700 20 get_system_obj_state: s->obj_tag was set empty
2020-03-08 22:01:02.986 7f2548f95700 10 cache get: name=default.rgw.meta+roles+roles.c983c0df-a49c-4e36-957d-7d709f65e292 : hit (requested=0x1, cached=0x7)
2020-03-08 22:01:02.986 7f2548f95700 20 op->ERRORHANDLER: err_no=-1 new_err_no=-1
2020-03-08 22:01:02.986 7f2548f95700  2 req 22 0.002s sts:assume_role op status=0
2020-03-08 22:01:02.986 7f2548f95700  2 req 22 0.002s sts:assume_role http status=403
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
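An added diagnostic (not from the post, not Ceph code) that reads the request trace above and extracts what decided the 403: the x-amzn-authorization header produced by the AWS3 signer override is not a scheme RGW's S3 auth engines evaluate (assumption: RGW checks the standard Authorization header, SigV2 "AWS" or SigV4 "AWS4-HMAC-SHA256"), so S3AnonymousEngine admitted the request and AssumeRole ran as the anonymous user, whom the role's trust policy (user/sr only) does not allow. The sample lines are a trimmed subset of the post's log, so the check runs offline:

```python
import re

# Trimmed subset of the RGW debug trace from the post (constructed excerpt).
SAMPLE_LOG = """\
2020-03-08 22:01:02.984 7f2548f95700 10 meta>> HTTP_X_AMZN_AUTHORIZATION
2020-03-08 22:01:02.984 7f2548f95700 10 x>> x-amzn-authorization:AWS3 AWSAccessKeyId=FBGYU7CUBUACP2OYBE76,Algorithm=HmacSHA256,SignedHeaders=Host;X-Amz-Date,Signature=D7p74AFsJn4J823e6Up4Zo2eRV/n5PFmyQ2/w+kOaqY=
2020-03-08 22:01:02.984 7f2548f95700 10 op=16RGWSTSAssumeRole
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::S3AnonymousEngine granted access
2020-03-08 22:01:02.984 7f2548f95700 20 req 22 0.000s sts:assume_role rgw::auth::s3::AWSAuthStrategy granted access
2020-03-08 22:01:02.985 7f2548f95700 20 get_system_obj_state: rctx=0x5592abefb400 obj=default.rgw.meta:users.uid:anonymous state=0x5592aa8d99c0 s->prefetch_data=0
2020-03-08 22:01:02.986 7f2548f95700  2 req 22 0.002s sts:assume_role http status=403
"""

# Assumption: the signing schemes RGW's S3 auth engines evaluate (SigV2 and SigV4).
KNOWN_SCHEMES = {"AWS", "AWS4-HMAC-SHA256"}


def triage_sts_request(log_text):
    """Pull the auth-relevant facts out of one RGW request trace and explain a 403."""
    scheme = re.search(r"(?:x-amzn-)?authorization:\s*([A-Za-z0-9-]+)", log_text)
    engines = re.findall(r"rgw::auth::s3::(\w+) granted access", log_text)
    user = re.search(r"users\.uid:(\w+)", log_text)
    status = re.search(r"http status=(\d+)", log_text)
    op = re.search(r"op=\d+RGW(\w+)", log_text)
    result = {
        "auth_scheme": scheme.group(1) if scheme else None,
        "granted_engine": engines[0] if engines else None,   # first engine that granted
        "effective_user": user.group(1) if user else None,
        "http_status": int(status.group(1)) if status else None,
        "op": op.group(1) if op else None,
        "findings": [],
    }
    findings = result["findings"]
    if result["auth_scheme"] and result["auth_scheme"] not in KNOWN_SCHEMES:
        findings.append("request signed with %s, a scheme RGW does not evaluate; "
                        "re-sign with SigV4" % result["auth_scheme"])
    if result["granted_engine"] == "S3AnonymousEngine":
        findings.append("no credential was checked: the anonymous engine admitted the request")
    if result["effective_user"] == "anonymous" and result["http_status"] == 403:
        findings.append("%s ran as the anonymous user; the trust policy allows only user/sr, "
                        "so the role cannot be assumed" % result["op"])
    return result


if __name__ == "__main__":
    for line in triage_sts_request(SAMPLE_LOG)["findings"]:
        print("-", line)
```

The same function works on a full trace captured at debug_rgw=20; a healthy AssumeRole trace shows a non-anonymous engine granting access and a real user id in the users.uid lookup.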