Dear all,

I have run into some issues when accessing radosgw:
I get 403 Forbidden, and creating a subuser key fails, when using radosgw.

ceph version 0.80.5(ceph osd, radosgw), OS Wheezy

(1) Reference of installation
    http://ceph.com/docs/master/radosgw/config/#configuring-print-continue

(2) Config File
    root@ceph-radosgw:~# more /etc/ceph/ceph.conf
    [global]
    fsid = ae3da4d2-eef0-47cf-a872-24df8f2c8df4
    mon_initial_members = ceph01-vm
    mon_host = 192.168.123.251
    auth_cluster_required = cephx
    auth_service_required = cephx
    auth_client_required = cephx
    filestore_xattr_use_omap = true

    rgw print continue = false
    rgw dns name = ceph-radosgw
    debug rgw = 20


    [client.radosgw.gateway]
    host = ceph-radosgw
    keyring = /etc/ceph/ceph.client.radosgw.keyring
    rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
    log file = /var/log/ceph/client.radosgw.gateway.log

    root@ceph-admin:~# rados lspools
     data
     metadata
     rbd
     testpool
     iscsi
     pool-A
     pool-B
     iscsi_pool
     .rgw.root
     .rgw.control
     .rgw
     .rgw.gc
     .users.uid
     .users
     .users.swift
     .users.email
     .rgw.buckets
     .rgw.buckets.index
     .log
     .intent-log
     .usage

 When accessing radosgw at http://192.168.123.191, it seems OK:
   <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Owner>
   <ID>anonymous</ID>
   <DisplayName/>
   </Owner>
   <Buckets/>
   </ListAllMyBucketsResult>


(3) Errors encountered when creating a radosgw user (swift) and generating a key

    root@ceph-radosgw:~# radosgw-admin user create --uid="testuser"
--display-name="First User"
    { "user_id": "testuser",
      "display_name": "First User",
      "email": "",
      "suspended": 0,
      "max_buckets": 1000,
      "auid": 0,
      "subusers": [],
      "keys": [
            { "user": "testuser",
              "access_key": "SU3L3KCDXQ31KJ6BZ04B",
              "secret_key": "nhA2XNsqwJN8bZlkOEd2UyexMADC9THOhc7UmW4l"}],
      "swift_keys": [],
      "caps": [],
      "op_mask": "read, write, delete",
      "default_placement": "",
      "placement_tags": [],
      "bucket_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "user_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "temp_url_keys": []}
    root@ceph-radosgw:~# radosgw-admin usage show --show-log-entries=false
    { "summary": []}root@ceph-radosgw:~# radosgw-admin user create
--uid="testuser" First User"^Ce="F
    root@ceph-radosgw:~# radosgw-admin subuser create --uid=testuser
--subuser=testuser:swf0001 --access=full
    { "user_id": "testuser",
      "display_name": "First User",
      "email": "",
      "suspended": 0,
      "max_buckets": 1000,
      "auid": 0,
      "subusers": [
            { "id": "testuser:swf0001",
              "permissions": "full-control"}],
      "keys": [
            { "user": "testuser:swf0001",
              "access_key": "9IN7P6HA6K4JCDO61N67",
              "secret_key": ""},
            { "user": "testuser",
              "access_key": "SU3L3KCDXQ31KJ6BZ04B",
              "secret_key": "nhA2XNsqwJN8bZlkOEd2UyexMADC9THOhc7UmW4l"}],
      "swift_keys": [],
      "caps": [],
      "op_mask": "read, write, delete",
      "default_placement": "",
      "placement_tags": [],
      "bucket_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "user_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "temp_url_keys": []}
    root@ceph-radosgw:~# radosgw-admin key create
--subuser=testuser:swf0001 --key-type=swift --gen-secret
    could not create key: unable to add access key, unable to store user
info
    2014-08-11 19:56:35.834507 7f4c4f1af780  0 WARNING: can't store user
info, swift id () already mapped to another user (testuser)

    (This may be a bug; see http://tracker.ceph.com/issues/9002)


    root@ceph-radosgw:~# radosgw-admin user create
--subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift
--access=full
    could not create user: unable to create user, user: testuser exists
    root@ceph-radosgw:~# radosgw-admin user create
--subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift
--access=full
    could not create user: unable to create user, user: testuser exists
    root@ceph-radosgw:~# radosgw-admin user rm --uid=testuser

    root@ceph-radosgw:~# radosgw-admin user create
--subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift
--access=full
    { "user_id": "testuser",
      "display_name": "Test User One",
      "email": "",
      "suspended": 0,
      "max_buckets": 1000,
      "auid": 0,
      "subusers": [],
      "keys": [],
      "swift_keys": [
            { "user": "testuser:swf0001",
              "secret_key": "W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj"}],
      "caps": [],
      "op_mask": "read, write, delete",
      "default_placement": "",
      "placement_tags": [],
      "bucket_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "user_quota": { "enabled": false,
          "max_size_kb": -1,
          "max_objects": -1},
      "temp_url_keys": []}

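(4) Forbidden when accessing the radosgw API

    [Note: the X-Auth-Key below is sent with the `\/` copied verbatim from the
    radosgw-admin JSON output, where `\/` is the JSON escape for `/`. The stored
    swift secret most likely contains a plain `/`, which would explain the
    "bad swift key" notice in the log in section (5).]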

    root@ceph-radosgw:~# curl -v -i
http://192.168.123.191/auth -H "X-Auth-User:testuser:swf0001" -H
"X-Auth-Key:W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj"
    * About to connect() to 192.168.123.191 port 80 (#0)
    *   Trying 192.168.123.191...
    * Connected to 192.168.123.191 (192.168.123.191) port 80 (#0)
    > GET /auth HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: 192.168.123.191
    > Accept: */*
    > X-Auth-User:testuser:swf0001
    > X-Auth-Key:W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj
    >
    < HTTP/1.1 403 Forbidden
    HTTP/1.1 403 Forbidden
    < Date: Tue, 12 Aug 2014 05:00:11 GMT
    Date: Tue, 12 Aug 2014 05:00:11 GMT
    < Server: Apache/2.2.22 (Debian)
    Server: Apache/2.2.22 (Debian)
    < Accept-Ranges: bytes
    Accept-Ranges: bytes
    < Content-Length: 23
    Content-Length: 23
    < Content-Type: application/json
    Content-Type: application/json

    <
    * Connection #0 to host 192.168.123.191 left intact
    {"Code":"AccessDenied"}

(5) radosgw log and my troubleshooting

    2014-08-11 22:00:11.741947 7f84c1ffb700 20 enqueued request
req=0x1e73040
    2014-08-11 22:00:11.741977 7f84c1ffb700 20 RGWWQ:
    2014-08-11 22:00:11.741990 7f84c1ffb700 20 req: 0x1e73040
    2014-08-11 22:00:11.742003 7f84c1ffb700 10 allocated request
req=0x1eaaa80
    2014-08-11 22:00:11.742035 7f84ad7d2700 20 dequeued request
req=0x1e73040
    2014-08-11 22:00:11.742038 7f84ad7d2700 20 RGWWQ: empty
    2014-08-11 22:00:11.742142 7f84ad7d2700 20 DOCUMENT_ROOT=/var/www
    2014-08-11 22:00:11.742149 7f84ad7d2700 20 FCGI_ROLE=RESPONDER
    2014-08-11 22:00:11.742150 7f84ad7d2700 20 GATEWAY_INTERFACE=CGI/1.1
    2014-08-11 22:00:11.742151 7f84ad7d2700 20 HTTP_ACCEPT=*/*
    2014-08-11 22:00:11.742152 7f84ad7d2700 20 HTTP_AUTHORIZATION=
    2014-08-11 22:00:11.742153 7f84ad7d2700 20 HTTP_HOST=192.168.123.191
    2014-08-11 22:00:11.742154 7f84ad7d2700 20 HTTP_USER_AGENT=curl/7.29.0
    2014-08-11 22:00:11.742155 7f84ad7d2700 20
HTTP_X_AUTH_KEY=W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj
    2014-08-11 22:00:11.742156 7f84ad7d2700 20
HTTP_X_AUTH_USER=testuser:swf0001
    2014-08-11 22:00:11.742157 7f84ad7d2700 20
PATH=/usr/local/bin:/usr/bin:/bin
    2014-08-11 22:00:11.742158 7f84ad7d2700 20 QUERY_STRING=
    2014-08-11 22:00:11.742159 7f84ad7d2700 20 REMOTE_ADDR=192.168.123.191
    2014-08-11 22:00:11.742160 7f84ad7d2700 20 REMOTE_PORT=54965
    2014-08-11 22:00:11.742161 7f84ad7d2700 20 REQUEST_METHOD=GET
    2014-08-11 22:00:11.742162 7f84ad7d2700 20 REQUEST_URI=/auth
    2014-08-11 22:00:11.742162 7f84ad7d2700 20
SCRIPT_FILENAME=/var/www/s3gw.fcgi
    2014-08-11 22:00:11.742163 7f84ad7d2700 20 SCRIPT_NAME=/auth
    2014-08-11 22:00:11.742164 7f84ad7d2700 20 SCRIPT_URI=
http://192.168.123.191/auth
    2014-08-11 22:00:11.742165 7f84ad7d2700 20 SCRIPT_URL=/auth
    2014-08-11 22:00:11.742166 7f84ad7d2700 20 SERVER_ADDR=192.168.123.191
    2014-08-11 22:00:11.742166 7f84ad7d2700 20 SERVER_ADMIN=
[email protected]
    2014-08-11 22:00:11.742167 7f84ad7d2700 20 SERVER_NAME=192.168.123.191
    2014-08-11 22:00:11.742168 7f84ad7d2700 20 SERVER_PORT=80
    2014-08-11 22:00:11.742169 7f84ad7d2700 20 SERVER_PROTOCOL=HTTP/1.1
    2014-08-11 22:00:11.742170 7f84ad7d2700 20 SERVER_SIGNATURE=
    2014-08-11 22:00:11.742170 7f84ad7d2700 20
SERVER_SOFTWARE=Apache/2.2.22 (Debian)
    2014-08-11 22:00:11.742172 7f84ad7d2700  1 ====== starting new request
req=0x1e73040 =====
    2014-08-11 22:00:11.742222 7f84ad7d2700  2 req 1:0.000051::GET
/auth::initializing
    2014-08-11 22:00:11.742236 7f84ad7d2700 10 host=192.168.123.191
rgw_dns_name=ceph-radosgw
    2014-08-11 22:00:11.742356 7f84ad7d2700  2 req
1:0.000184:swift-auth:GET /auth::getting op
    2014-08-11 22:00:11.742364 7f84ad7d2700  2 req
1:0.000193:swift-auth:GET /auth:swift_auth_get:authorizing
    2014-08-11 22:00:11.742371 7f84ad7d2700  2 req
1:0.000200:swift-auth:GET /auth:swift_auth_get:reading permissions
    2014-08-11 22:00:11.742374 7f84ad7d2700  2 req
1:0.000203:swift-auth:GET /auth:swift_auth_get:init op
    2014-08-11 22:00:11.742382 7f84ad7d2700  2 req
1:0.000211:swift-auth:GET /auth:swift_auth_get:verifying op mask
    2014-08-11 22:00:11.742390 7f84ad7d2700 20 required_mask= 0
user.op_mask=7
    2014-08-11 22:00:11.742392 7f84ad7d2700  2 req
1:0.000221:swift-auth:GET /auth:swift_auth_get:verifying op permissions
    2014-08-11 22:00:11.742395 7f84ad7d2700  2 req
1:0.000224:swift-auth:GET /auth:swift_auth_get:verifying op params
    2014-08-11 22:00:11.742397 7f84ad7d2700  2 req
1:0.000226:swift-auth:GET /auth:swift_auth_get:executing
    2014-08-11 22:00:11.742508 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.742527 7f84ad7d2700 10 cache get:
name=.users.swift+testuser:swf0001 : miss
    2014-08-11 22:00:11.744140 7f84ad7d2700 10 cache put:
name=.users.swift+testuser:swf0001
    2014-08-11 22:00:11.744168 7f84ad7d2700 10 adding
.users.swift+testuser:swf0001 to cache LRU end
    2014-08-11 22:00:11.744180 7f84ad7d2700 20 get_obj_state: s->obj_tag
was set empty
    2014-08-11 22:00:11.744192 7f84ad7d2700 10 cache get:
name=.users.swift+testuser:swf0001 : type miss (requested=1, cached=6)
    2014-08-11 22:00:11.744223 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.744230 7f84ad7d2700 10 cache get:
name=.users.swift+testuser:swf0001 : hit
    2014-08-11 22:00:11.744234 7f84ad7d2700 20 get_obj_state: s->obj_tag
was set empty
    2014-08-11 22:00:11.744241 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.744244 7f84ad7d2700 20 state for
obj=.users.swift:testuser:swf0001 is not atomic, not appending atomic test
    2014-08-11 22:00:11.744246 7f84ad7d2700 20 rados->read obj-ofs=0
read_ofs=0 read_len=524288
    2014-08-11 22:00:11.745424 7f84ad7d2700 20 rados->read r=0 bl.length=12
    2014-08-11 22:00:11.745450 7f84ad7d2700 10 cache put:
name=.users.swift+testuser:swf0001
    2014-08-11 22:00:11.745453 7f84ad7d2700 10 moving
.users.swift+testuser:swf0001 to cache LRU end
    2014-08-11 22:00:11.745487 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.745494 7f84ad7d2700 10 cache get:
name=.users.uid+testuser : miss
    2014-08-11 22:00:11.746811 7f84ad7d2700 10 cache put:
name=.users.uid+testuser
    2014-08-11 22:00:11.746829 7f84ad7d2700 10 adding .users.uid+testuser
to cache LRU end
    2014-08-11 22:00:11.746835 7f84ad7d2700 20 get_obj_state: s->obj_tag
was set empty
    2014-08-11 22:00:11.746843 7f84ad7d2700 10 cache get:
name=.users.uid+testuser : type miss (requested=1, cached=6)
    2014-08-11 22:00:11.746866 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.746872 7f84ad7d2700 10 cache get:
name=.users.uid+testuser : hit
    2014-08-11 22:00:11.746876 7f84ad7d2700 20 get_obj_state: s->obj_tag
was set empty
    2014-08-11 22:00:11.746878 7f84ad7d2700 20 get_obj_state:
rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118
s->prefetch_data=0
    2014-08-11 22:00:11.746880 7f84ad7d2700 20 state for
obj=.users.uid:testuser is not atomic, not appending atomic test
    2014-08-11 22:00:11.746882 7f84ad7d2700 20 rados->read obj-ofs=0
read_ofs=0 read_len=524288
    2014-08-11 22:00:11.748030 7f84ad7d2700 20 rados->read r=0 bl.length=322
    2014-08-11 22:00:11.748074 7f84ad7d2700 10 cache put:
name=.users.uid+testuser
    2014-08-11 22:00:11.748078 7f84ad7d2700 10 moving .users.uid+testuser
to cache LRU end
    2014-08-11 22:00:11.748116 7f84ad7d2700  0 NOTICE:
RGW_SWIFT_Auth_Get::execute(): bad swift key
    2014-08-11 22:00:11.748216 7f84ad7d2700  2 req
1:0.006044:swift-auth:GET /auth:swift_auth_get:http status=403
    2014-08-11 22:00:11.748230 7f84ad7d2700  1 ====== req done
req=0x1e73040 http_status=403 ======
    2014-08-11 22:00:11.748239 7f84ad7d2700 20 process_request() returned -1


    root@ceph-radosgw:~# radosgw-admin --name client.radosgw.gateway
metadata list user
    [
        "johndoe",
        "testuser"]

    root@ceph-radosgw:~# radosgw-admin zone list
    2014-08-12 01:22:24.881714 7f216777c700  2
RGWDataChangesLog::ChangesRenewThread: start
    2014-08-12 01:22:24.899503 7f21723cf780 20 RGWRados::pool_iterate: got
default.region
    2014-08-12 01:22:24.899529 7f21723cf780 20 RGWRados::pool_iterate: got
region_info.default
    2014-08-12 01:22:24.947162 7f21723cf780 20 RGWRados::pool_iterate: got
zone_info.default
    { "zones": [
            "default"]}


    root@ceph-radosgw:~# radosgw-admin zone get default
    { "domain_root": ".rgw",
      "control_pool": ".rgw.control",
      "gc_pool": ".rgw.gc",
      "log_pool": ".log",
      "intent_log_pool": ".intent-log",
      "usage_log_pool": ".usage",
      "user_keys_pool": ".users",
      "user_email_pool": ".users.email",
      "user_swift_pool": ".users.swift",
      "user_uid_pool": ".users.uid",
      "system_key": { "access_key": "",
          "secret_key": ""},
      "placement_pools": [
            { "key": "default-placement",
              "val": { "index_pool": ".rgw.buckets.index",
                  "data_pool": ".rgw.buckets",
                  "data_extra_pool": ".rgw.buckets.extra"}}]}