On 03/10/2018 12:58 AM, Amardeep Singh wrote:
On Saturday 10 March 2018 02:01 AM, Casey Bodley wrote:

On 03/08/2018 07:16 AM, Amardeep Singh wrote:
Hi,

I am trying to configure server side encryption using Key Management Service as per documentation http://docs.ceph.com/docs/master/radosgw/encryption/

Configured Keystone/Barbican integration and it's working, tested using curl commands. After I configure RadosGW and use boto.s3.connection from python or the s3cmd client, an error is thrown.
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Failed to retrieve the actual key, kms-keyid: 616b2ce2-053a-41e3-b51e-0ff53e33cf81</Message><BucketName>newbucket</BucketName><RequestId>tx000000000000000077750-005aa1274b-ac51-uk-west</RequestId><HostId>ac51-uk-west-uk</HostId></Error>

In the server-side logs it is getting the token and Barbican is authenticating the request, then providing the secret URL, but it is unable to serve the key.

22:10:03.940091 7f056f7eb700 15 ceph_armor ret=16
22:10:03.940111 7f056f7eb700 15 supplied_md5=eb1a3227cdc3fedbaec2fe38bf6c044a
22:10:03.940129 7f056f7eb700 20 reading from uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1
22:10:03.940138 7f056f7eb700 20 get_system_obj_state: rctx=0x7f056f7e39f0 obj=uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 state=0x56540487a5a0 s->prefetch_data=0
22:10:03.940145 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x16, cached=0x17)
22:10:03.940152 7f056f7eb700 20 get_system_obj_state: s->obj_tag was set empty
22:10:03.940155 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x11, cached=0x17)
22:10:03.944015 7f056f7eb700 20 bucket quota: max_objects=1638400 max_size=-1
22:10:03.944030 7f056f7eb700 20 bucket quota OK: stats.num_objects=7 stats.size=50
22:10:03.944176 7f056f7eb700 20 Getting KMS encryption key for key=616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:03.944225 7f056f7eb700 20 Requesting secret from barbican url=http://keyserver.rados:5000/v3/auth/tokens
22:10:03.944281 7f056f7eb700 20 sending request to http://keyserver.rados:5000/v3/auth/tokens
22:10:04.405974 7f056f7eb700 20 sending request to http://keyserver.rados:9311/v1/secrets/616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:05.519874 7f056f7eb700 5 Failed to retrieve secret from barbican:616b2ce2-053a-41e3-b51e-0ff53e33cf81

It looks like this request is being rejected by barbican. Do you have any logs on the barbican side that might show why?
I only get 2 lines in the barbican logs; one shows a warning.

22:10:08.255 807 WARNING barbican.api.controllers.secrets [req-091413d2-9999-46e2-be5f-a3e68a480ac9 716dad1b8044459c99fea284dbfc47cc - - default default] Decrypted secret 616b2ce2-053a-41e3-b51e-0ff53e33cf81 requested using deprecated API call.
22:10:08.261 807 INFO barbican.api.middleware.context [req-091413d2-9999-46e2-be5f-a3e68a480ac9 716dad1b8044459c99fea284dbfc47cc - - default default] Processed request: 200 OK - GET http://keyserver.rados:9311/v1/secrets/616b2ce2-053a-41e3-b51e-0ff53e33cf81


Okay, so barbican is returning 200 OK but radosgw is still converting that to EACCES. I'm guessing that's happening in request_key_from_barbican() here: https://github.com/ceph/ceph/blob/master/src/rgw/rgw_crypt.cc#L779 - is it possible the key in barbican is something other than AES256?



22:10:05.519901 7f056f7eb700 5 ERROR: failed to retrieve actual key from key_id: 616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:05.519980 7f056f7eb700 2 req 387:1.581432:s3:PUT /encrypted.txt:put_obj:completing
22:10:05.520187 7f056f7eb700 2 req 387:1.581640:s3:PUT /encrypted.txt:put_obj:op status=-13
22:10:05.520193 7f056f7eb700 2 req 387:1.581645:s3:PUT /encrypted.txt:put_obj:http status=403
22:10:05.520206 7f056f7eb700 1 ====== req done req=0x7f056f7e5190 op status=-13 http_status=403 ======
22:10:05.520225 7f056f7eb700 20 process_request() returned -13
22:10:05.520280 7f056f7eb700 1 civetweb: 0x5654042a1000: 192.168.100.200 - - [02/Mar/2018:22:10:03 +0530] "PUT /encrypted.txt HTTP/1.1" 1 0 - Boto/2.38.0 Python/2.7.12 Linux/4.12.1-041201-generic
22:10:06.116527 7f056e7e9700 20 HTTP_ACCEPT=*/*

The error is thrown from this line: https://github.com/ceph/ceph/blob/master/src/rgw/rgw_crypt.cc#L1063

I am unable to understand why it's throwing the error.

In ceph.conf the following settings are configured.

[global]
rgw barbican url = http://keyserver.rados:9311
rgw keystone barbican user = rgwcrypt
rgw keystone barbican password = rgwpass
rgw keystone barbican project = service
rgw keystone barbican domain = default
rgw keystone url = http://keyserver.rados:5000
rgw keystone api version = 3
rgw crypt require ssl = false

Can someone help in figuring out what is missing?

Thanks,
Amar


_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com





--
        Amardeep Singh

IT Director

        Direct: +91 124 4548389
Tel: +91 124 4548383 Ext- 1001
UK: +44 845 0047 142 Ext- 5003

        TBS Website <http://www.techbluesoftware.co.in>
        Techblue Software Pvt. Ltd
AIHP Tower, 249 G, 2nd Floor,
Udyog Vihar, Phase 4,
Gurugram- 122015 (Hr.)

www.techbluesoftware.co.in <http://www.techbluesoftware.co.in>





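Casey's hypothesis is that Barbican answers 200 OK but radosgw's request_key_from_barbican() still rejects the payload, so the client sees EACCES mapped to 403 AccessDenied. The script below is an added diagnostic written for this thread, not code from Ceph or from either poster. It assumes, from a reading of the rgw_crypt.cc code Casey links, that radosgw accepts a secret only when the raw payload is exactly 32 bytes (an AES-256 key) and otherwise returns EACCES; it also assumes standard Keystone v3 password auth and the Barbican `/v1/secrets/<id>/payload` call. The helper names (`check_kms_key`, `keystone_token`, `fetch_secret_payload`) and the sample payloads are constructed for this example.

```python
"""Diagnose why radosgw turns a Barbican 200 OK into 403 AccessDenied.

Assumption (from rgw_crypt.cc request_key_from_barbican): radosgw fetches the
decrypted secret payload and only accepts it as an AES-256 key when it is
exactly 32 raw bytes; anything else becomes EACCES -> 403 AccessDenied.
check_kms_key() applies that rule locally to a payload; keystone_token() and
fetch_secret_payload() fetch the real payload with the same credentials
ceph.conf hands to radosgw so it can be inspected.
"""
import base64
import binascii
import json
import urllib.request

AES_256_KEYSIZE = 32  # bytes; the key length radosgw's KMS path requires


def check_kms_key(payload: bytes) -> tuple:
    """Return (ok, reason) using the acceptance rule radosgw applies."""
    if len(payload) == AES_256_KEYSIZE:
        return True, "32 raw bytes: radosgw will accept this as an AES-256 key"
    # Common mis-configuration: the key was stored as base64 *text*, so the
    # store returns the 44-character encoding instead of the 32 raw bytes.
    try:
        decoded = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if len(decoded) == AES_256_KEYSIZE:
        return False, ("payload is %d bytes of base64 text that decodes to 32 "
                       "bytes; store the secret as application/octet-stream "
                       "raw bytes, not as text" % len(payload))
    return False, ("payload is %d bytes; radosgw requires exactly %d (AES-256), "
                   "so it returns EACCES -> 403 AccessDenied"
                   % (len(payload), AES_256_KEYSIZE))


def keystone_token(keystone_url, user, password, project, domain="default"):
    """Obtain a project-scoped Keystone v3 token (same values as ceph.conf
    rgw keystone barbican user/password/project/domain)."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "password": password, "domain": {"name": domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}
    req = urllib.request.Request(keystone_url.rstrip("/") + "/v3/auth/tokens",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["X-Subject-Token"]


def fetch_secret_payload(barbican_url, token, key_id):
    """Fetch one secret's decrypted payload via /v1/secrets/<id>/payload.
    The page's Barbican log shows radosgw using the older /v1/secrets/<id>
    form, which Barbican flags as deprecated but still serves with 200 OK."""
    req = urllib.request.Request(
        "%s/v1/secrets/%s/payload" % (barbican_url.rstrip("/"), key_id),
        headers={"X-Auth-Token": token, "Accept": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# Constructed sample payloads (not from the thread) covering the cases above.
GOOD_KEY = bytes(range(32))                   # 32 raw bytes: accepted
BASE64_TEXT_KEY = base64.b64encode(GOOD_KEY)  # 44 bytes of text: rejected
AES_128_KEY = bytes(range(16))                # wrong key size: rejected

if __name__ == "__main__":
    for name, payload in [("raw-32", GOOD_KEY),
                          ("base64-text", BASE64_TEXT_KEY),
                          ("aes-128", AES_128_KEY)]:
        ok, reason = check_kms_key(payload)
        print("%-12s %s: %s" % (name, "OK " if ok else "REJ", reason))
```

To check a live deployment, call `keystone_token("http://keyserver.rados:5000", "rgwcrypt", "rgwpass", "service")` with the ceph.conf values from the thread, pass the token and the kms-keyid from the S3 error to `fetch_secret_payload`, and hand the bytes to `check_kms_key`; a 44-byte base64 payload or a 16-byte key explains the 403 without any Barbican-side denial, which matches Barbican logging 200 OK.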
