For your item number 3, can you try:

Removing the keys for the subuser (testuser:swf0001).

Once the key is removed for the subuser, try recreating the key:

[ # radosgw-admin key create --subuser=testuser:swf0001 --key-type=swift --gen-secret ]

- Karan -

On 12 Aug 2014, at 11:26, debian Only <[email protected]> wrote:

> Dear all
>
> I have met some issues when accessing radosgw.
> Forbidden 403 and failure to create a subuser key when using radosgw
>
> ceph version 0.80.5 (ceph osd, radosgw), OS Wheezy
>
> (1) Reference of installation
> http://ceph.com/docs/master/radosgw/config/#configuring-print-continue
>
> (2) Config File
> root@ceph-radosgw:~# more /etc/ceph/ceph.conf
> [global]
> fsid = ae3da4d2-eef0-47cf-a872-24df8f2c8df4
> mon_initial_members = ceph01-vm
> mon_host = 192.168.123.251
> auth_cluster_required = cephx
> auth_service_required = cephx
> auth_client_required = cephx
> filestore_xattr_use_omap = true
>
> rgw print continue = false
> rgw dns name = ceph-radosgw
> debug rgw = 20
>
>
> [client.radosgw.gateway]
> host = ceph-radosgw
> keyring = /etc/ceph/ceph.client.radosgw.keyring
> rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> log file = /var/log/ceph/client.radosgw.gateway.log
>
> root@ceph-admin:~# rados lspools
> data
> metadata
> rbd
> testpool
> iscsi
> pool-A
> pool-B
> iscsi_pool
> .rgw.root
> .rgw.control
> .rgw
> .rgw.gc
> .users.uid
> .users
> .users.swift
> .users.email
> .rgw.buckets
> .rgw.buckets.index
> .log
> .intent-log
> .usage
>
> When accessing radosgw at http://192.168.123.191, it seems OK:
> <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
>   <Owner>
>     <ID>anonymous</ID>
>     <DisplayName/>
>   </Owner>
>   <Buckets/>
> </ListAllMyBucketsResult>
>
>
> (3) Errors met when creating a radosgw user (swift) and gen-key
>
> root@ceph-radosgw:~# radosgw-admin user create --uid="testuser" --display-name="First User"
> { "user_id": "testuser",
>   "display_name": "First User",
>   "email": "",
>   "suspended": 0,
>   "max_buckets": 1000,
>   "auid": 0,
>   "subusers": [],
>   "keys": [
>     { "user": "testuser",
>       "access_key": "SU3L3KCDXQ31KJ6BZ04B",
>       "secret_key": "nhA2XNsqwJN8bZlkOEd2UyexMADC9THOhc7UmW4l"}],
>   "swift_keys": [],
>   "caps": [],
>   "op_mask": "read, write, delete",
>   "default_placement": "",
>   "placement_tags": [],
>   "bucket_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "user_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "temp_url_keys": []}
> root@ceph-radosgw:~# radosgw-admin usage show --show-log-entries=false
> { "summary": []}root@ceph-radosgw:~# radosgw-admin user create --uid="testuser" First User"^Ce="F
> root@ceph-radosgw:~# radosgw-admin subuser create --uid=testuser --subuser=testuser:swf0001 --access=full
> { "user_id": "testuser",
>   "display_name": "First User",
>   "email": "",
>   "suspended": 0,
>   "max_buckets": 1000,
>   "auid": 0,
>   "subusers": [
>     { "id": "testuser:swf0001",
>       "permissions": "full-control"}],
>   "keys": [
>     { "user": "testuser:swf0001",
>       "access_key": "9IN7P6HA6K4JCDO61N67",
>       "secret_key": ""},
>     { "user": "testuser",
>       "access_key": "SU3L3KCDXQ31KJ6BZ04B",
>       "secret_key": "nhA2XNsqwJN8bZlkOEd2UyexMADC9THOhc7UmW4l"}],
>   "swift_keys": [],
>   "caps": [],
>   "op_mask": "read, write, delete",
>   "default_placement": "",
>   "placement_tags": [],
>   "bucket_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "user_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "temp_url_keys": []}
> root@ceph-radosgw:~# radosgw-admin key create --subuser=testuser:swf0001 --key-type=swift --gen-secret
> could not create key: unable to add access key, unable to store user info
> 2014-08-11 19:56:35.834507 7f4c4f1af780 0 WARNING: can't store user info, swift id () already mapped to another user (testuser)
>
> (I found it may be a bug, http://tracker.ceph.com/issues/9002)
>
>
> root@ceph-radosgw:~# radosgw-admin user create --subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift --access=full
> could not create user: unable to create user, user: testuser exists
> root@ceph-radosgw:~# radosgw-admin user create --subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift --access=full
> could not create user: unable to create user, user: testuser exists
> root@ceph-radosgw:~# radosgw-admin user rm --uid=testuser
>
> root@ceph-radosgw:~# radosgw-admin user create --subuser=testuser:swf0001 --display-name="Test User One" --key-type=swift --access=full
> { "user_id": "testuser",
>   "display_name": "Test User One",
>   "email": "",
>   "suspended": 0,
>   "max_buckets": 1000,
>   "auid": 0,
>   "subusers": [],
>   "keys": [],
>   "swift_keys": [
>     { "user": "testuser:swf0001",
>       "secret_key": "W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj"}],
>   "caps": [],
>   "op_mask": "read, write, delete",
>   "default_placement": "",
>   "placement_tags": [],
>   "bucket_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "user_quota": { "enabled": false,
>     "max_size_kb": -1,
>     "max_objects": -1},
>   "temp_url_keys": []}
>
> (4) Forbidden when accessing the radosgw API
>
> root@ceph-radosgw:~# curl -v -i http://192.168.123.191/auth -H "X-Auth-User:testuser:swf0001" -H "X-Auth-Key:W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj"
> * About to connect() to 192.168.123.191 port 80 (#0)
> * Trying 192.168.123.191...
> * Connected to 192.168.123.191 (192.168.123.191) port 80 (#0)
> > GET /auth HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: 192.168.123.191
> > Accept: */*
> > X-Auth-User:testuser:swf0001
> > X-Auth-Key:W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj
> >
> < HTTP/1.1 403 Forbidden
> HTTP/1.1 403 Forbidden
> < Date: Tue, 12 Aug 2014 05:00:11 GMT
> Date: Tue, 12 Aug 2014 05:00:11 GMT
> < Server: Apache/2.2.22 (Debian)
> Server: Apache/2.2.22 (Debian)
> < Accept-Ranges: bytes
> Accept-Ranges: bytes
> < Content-Length: 23
> Content-Length: 23
> < Content-Type: application/json
> Content-Type: application/json
>
> <
> * Connection #0 to host 192.168.123.191 left intact
> {"Code":"AccessDenied"}
>
> (5) radosgw log and my troubleshooting
>
> 2014-08-11 22:00:11.741947 7f84c1ffb700 20 enqueued request req=0x1e73040
> 2014-08-11 22:00:11.741977 7f84c1ffb700 20 RGWWQ:
> 2014-08-11 22:00:11.741990 7f84c1ffb700 20 req: 0x1e73040
> 2014-08-11 22:00:11.742003 7f84c1ffb700 10 allocated request req=0x1eaaa80
> 2014-08-11 22:00:11.742035 7f84ad7d2700 20 dequeued request req=0x1e73040
> 2014-08-11 22:00:11.742038 7f84ad7d2700 20 RGWWQ: empty
> 2014-08-11 22:00:11.742142 7f84ad7d2700 20 DOCUMENT_ROOT=/var/www
> 2014-08-11 22:00:11.742149 7f84ad7d2700 20 FCGI_ROLE=RESPONDER
> 2014-08-11 22:00:11.742150 7f84ad7d2700 20 GATEWAY_INTERFACE=CGI/1.1
> 2014-08-11 22:00:11.742151 7f84ad7d2700 20 HTTP_ACCEPT=*/*
> 2014-08-11 22:00:11.742152 7f84ad7d2700 20 HTTP_AUTHORIZATION=
> 2014-08-11 22:00:11.742153 7f84ad7d2700 20 HTTP_HOST=192.168.123.191
> 2014-08-11 22:00:11.742154 7f84ad7d2700 20 HTTP_USER_AGENT=curl/7.29.0
> 2014-08-11 22:00:11.742155 7f84ad7d2700 20 HTTP_X_AUTH_KEY=W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj
> 2014-08-11 22:00:11.742156 7f84ad7d2700 20 HTTP_X_AUTH_USER=testuser:swf0001
> 2014-08-11 22:00:11.742157 7f84ad7d2700 20 PATH=/usr/local/bin:/usr/bin:/bin
> 2014-08-11 22:00:11.742158 7f84ad7d2700 20 QUERY_STRING=
> 2014-08-11 22:00:11.742159 7f84ad7d2700 20 REMOTE_ADDR=192.168.123.191
> 2014-08-11 22:00:11.742160 7f84ad7d2700 20 REMOTE_PORT=54965
> 2014-08-11 22:00:11.742161 7f84ad7d2700 20 REQUEST_METHOD=GET
> 2014-08-11 22:00:11.742162 7f84ad7d2700 20 REQUEST_URI=/auth
> 2014-08-11 22:00:11.742162 7f84ad7d2700 20 SCRIPT_FILENAME=/var/www/s3gw.fcgi
> 2014-08-11 22:00:11.742163 7f84ad7d2700 20 SCRIPT_NAME=/auth
> 2014-08-11 22:00:11.742164 7f84ad7d2700 20 SCRIPT_URI=http://192.168.123.191/auth
> 2014-08-11 22:00:11.742165 7f84ad7d2700 20 SCRIPT_URL=/auth
> 2014-08-11 22:00:11.742166 7f84ad7d2700 20 SERVER_ADDR=192.168.123.191
> 2014-08-11 22:00:11.742166 7f84ad7d2700 20 [email protected]
> 2014-08-11 22:00:11.742167 7f84ad7d2700 20 SERVER_NAME=192.168.123.191
> 2014-08-11 22:00:11.742168 7f84ad7d2700 20 SERVER_PORT=80
> 2014-08-11 22:00:11.742169 7f84ad7d2700 20 SERVER_PROTOCOL=HTTP/1.1
> 2014-08-11 22:00:11.742170 7f84ad7d2700 20 SERVER_SIGNATURE=
> 2014-08-11 22:00:11.742170 7f84ad7d2700 20 SERVER_SOFTWARE=Apache/2.2.22 (Debian)
> 2014-08-11 22:00:11.742172 7f84ad7d2700 1 ====== starting new request req=0x1e73040 =====
> 2014-08-11 22:00:11.742222 7f84ad7d2700 2 req 1:0.000051::GET /auth::initializing
> 2014-08-11 22:00:11.742236 7f84ad7d2700 10 host=192.168.123.191 rgw_dns_name=ceph-radosgw
> 2014-08-11 22:00:11.742356 7f84ad7d2700 2 req 1:0.000184:swift-auth:GET /auth::getting op
> 2014-08-11 22:00:11.742364 7f84ad7d2700 2 req 1:0.000193:swift-auth:GET /auth:swift_auth_get:authorizing
> 2014-08-11 22:00:11.742371 7f84ad7d2700 2 req 1:0.000200:swift-auth:GET /auth:swift_auth_get:reading permissions
> 2014-08-11 22:00:11.742374 7f84ad7d2700 2 req 1:0.000203:swift-auth:GET /auth:swift_auth_get:init op
> 2014-08-11 22:00:11.742382 7f84ad7d2700 2 req 1:0.000211:swift-auth:GET /auth:swift_auth_get:verifying op mask
> 2014-08-11 22:00:11.742390 7f84ad7d2700 20 required_mask= 0 user.op_mask=7
> 2014-08-11 22:00:11.742392 7f84ad7d2700 2 req 1:0.000221:swift-auth:GET /auth:swift_auth_get:verifying op permissions
> 2014-08-11 22:00:11.742395 7f84ad7d2700 2 req 1:0.000224:swift-auth:GET /auth:swift_auth_get:verifying op params
> 2014-08-11 22:00:11.742397 7f84ad7d2700 2 req 1:0.000226:swift-auth:GET /auth:swift_auth_get:executing
> 2014-08-11 22:00:11.742508 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.742527 7f84ad7d2700 10 cache get: name=.users.swift+testuser:swf0001 : miss
> 2014-08-11 22:00:11.744140 7f84ad7d2700 10 cache put: name=.users.swift+testuser:swf0001
> 2014-08-11 22:00:11.744168 7f84ad7d2700 10 adding .users.swift+testuser:swf0001 to cache LRU end
> 2014-08-11 22:00:11.744180 7f84ad7d2700 20 get_obj_state: s->obj_tag was set empty
> 2014-08-11 22:00:11.744192 7f84ad7d2700 10 cache get: name=.users.swift+testuser:swf0001 : type miss (requested=1, cached=6)
> 2014-08-11 22:00:11.744223 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.744230 7f84ad7d2700 10 cache get: name=.users.swift+testuser:swf0001 : hit
> 2014-08-11 22:00:11.744234 7f84ad7d2700 20 get_obj_state: s->obj_tag was set empty
> 2014-08-11 22:00:11.744241 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c402ff40 obj=.users.swift:testuser:swf0001 state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.744244 7f84ad7d2700 20 state for obj=.users.swift:testuser:swf0001 is not atomic, not appending atomic test
> 2014-08-11 22:00:11.744246 7f84ad7d2700 20 rados->read obj-ofs=0 read_ofs=0 read_len=524288
> 2014-08-11 22:00:11.745424 7f84ad7d2700 20 rados->read r=0 bl.length=12
> 2014-08-11 22:00:11.745450 7f84ad7d2700 10 cache put: name=.users.swift+testuser:swf0001
> 2014-08-11 22:00:11.745453 7f84ad7d2700 10 moving .users.swift+testuser:swf0001 to cache LRU end
> 2014-08-11 22:00:11.745487 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.745494 7f84ad7d2700 10 cache get: name=.users.uid+testuser : miss
> 2014-08-11 22:00:11.746811 7f84ad7d2700 10 cache put: name=.users.uid+testuser
> 2014-08-11 22:00:11.746829 7f84ad7d2700 10 adding .users.uid+testuser to cache LRU end
> 2014-08-11 22:00:11.746835 7f84ad7d2700 20 get_obj_state: s->obj_tag was set empty
> 2014-08-11 22:00:11.746843 7f84ad7d2700 10 cache get: name=.users.uid+testuser : type miss (requested=1, cached=6)
> 2014-08-11 22:00:11.746866 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.746872 7f84ad7d2700 10 cache get: name=.users.uid+testuser : hit
> 2014-08-11 22:00:11.746876 7f84ad7d2700 20 get_obj_state: s->obj_tag was set empty
> 2014-08-11 22:00:11.746878 7f84ad7d2700 20 get_obj_state: rctx=0x7f84c4023660 obj=.users.uid:testuser state=0x7f84c4030118 s->prefetch_data=0
> 2014-08-11 22:00:11.746880 7f84ad7d2700 20 state for obj=.users.uid:testuser is not atomic, not appending atomic test
> 2014-08-11 22:00:11.746882 7f84ad7d2700 20 rados->read obj-ofs=0 read_ofs=0 read_len=524288
> 2014-08-11 22:00:11.748030 7f84ad7d2700 20 rados->read r=0 bl.length=322
> 2014-08-11 22:00:11.748074 7f84ad7d2700 10 cache put: name=.users.uid+testuser
> 2014-08-11 22:00:11.748078 7f84ad7d2700 10 moving .users.uid+testuser to cache LRU end
> 2014-08-11 22:00:11.748116 7f84ad7d2700 0 NOTICE: RGW_SWIFT_Auth_Get::execute(): bad swift key
> 2014-08-11 22:00:11.748216 7f84ad7d2700 2 req 1:0.006044:swift-auth:GET /auth:swift_auth_get:http status=403
> 2014-08-11 22:00:11.748230 7f84ad7d2700 1 ====== req done req=0x1e73040 http_status=403 ======
> 2014-08-11 22:00:11.748239 7f84ad7d2700 20 process_request() returned -1
>
>
> root@ceph-radosgw:~# radosgw-admin --name client.radosgw.gateway metadata list user
> [
>   "johndoe",
>   "testuser"]
>
> root@ceph-radosgw:~# radosgw-admin zone list
> 2014-08-12 01:22:24.881714 7f216777c700 2 RGWDataChangesLog::ChangesRenewThread: start
> 2014-08-12 01:22:24.899503 7f21723cf780 20 RGWRados::pool_iterate: got default.region
> 2014-08-12 01:22:24.899529 7f21723cf780 20 RGWRados::pool_iterate: got region_info.default
> 2014-08-12 01:22:24.947162 7f21723cf780 20 RGWRados::pool_iterate: got zone_info.default
> { "zones": [
>   "default"]}
>
>
> root@ceph-radosgw:~# radosgw-admin zone get default
> { "domain_root": ".rgw",
>   "control_pool": ".rgw.control",
>   "gc_pool": ".rgw.gc",
>   "log_pool": ".log",
>   "intent_log_pool": ".intent-log",
>   "usage_log_pool": ".usage",
>   "user_keys_pool": ".users",
>   "user_email_pool": ".users.email",
>   "user_swift_pool": ".users.swift",
>   "user_uid_pool": ".users.uid",
>   "system_key": { "access_key": "",
>     "secret_key": ""},
>   "placement_pools": [
>     { "key": "default-placement",
>       "val": { "index_pool": ".rgw.buckets.index",
>         "data_pool": ".rgw.buckets",
>         "data_extra_pool": ".rgw.buckets.extra"}}]}
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
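Added example, not part of either message: a Python check over abridged copies of the radosgw-admin JSON quoted above (constructed samples; the `audit` helper name is hypothetical). It flags the half-created key state from item 3 and decodes the swift secret, where JSON's `\/` is an escaped `/`, while the curl request and gateway log in the thread carry the backslash literally.

```python
import json

# Constructed samples: abridged radosgw-admin output from the thread, keeping
# only the fields inspected here. Raw strings preserve "\/" exactly as printed.
AFTER_SUBUSER_CREATE = r'''
{ "user_id": "testuser",
  "subusers": [ { "id": "testuser:swf0001", "permissions": "full-control"}],
  "keys": [
    { "user": "testuser:swf0001",
      "access_key": "9IN7P6HA6K4JCDO61N67",
      "secret_key": ""}],
  "swift_keys": []}
'''
AFTER_RECREATE = r'''
{ "user_id": "testuser", "subusers": [], "keys": [],
  "swift_keys": [
    { "user": "testuser:swf0001",
      "secret_key": "W\/zZ8T09VPFoPKxnVAJocsmNALoPxEYPmjOwytCj"}]}
'''

def audit(raw):
    """Return (findings, swift_secrets) for one radosgw-admin user JSON blob."""
    info = json.loads(raw)  # decoding turns the JSON escape "\/" into "/"
    subusers = {s["id"] for s in info.get("subusers", [])}
    swift = {k["user"]: k["secret_key"] for k in info.get("swift_keys", [])}
    swift_users = set(swift)
    findings = []
    for key in info.get("keys", []):
        # A key entry with an access key but no secret: the state shown
        # right after `subuser create` in item 3.
        if not key["secret_key"]:
            findings.append(f"empty secret on key for {key['user']}")
    for sub in sorted(subusers - swift_users):
        findings.append(f"subuser {sub} has no swift key")
    for user in sorted(swift_users - subusers):
        findings.append(f"swift key for {user} but no subuser entry")
    return findings, swift

if __name__ == "__main__":
    for label, raw in (("after subuser create", AFTER_SUBUSER_CREATE),
                       ("after user rm + create", AFTER_RECREATE)):
        findings, swift = audit(raw)
        print(label, findings, swift)
```

The thread does not confirm whether the literal backslash in X-Auth-Key is what produced "bad swift key"; the decoded value is simply what a JSON parser yields for that field.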
