Hi,

We have a Jewel radosgw, with the s3 authentication integration with keystone enabled (rgw_s3_auth_use_keystone = true).
The s3 client (s3cmd) uses AWS4 signature, but the authentication to radosgw always fails: "ERROR: S3 error: 403 (InvalidAccessKeyId)"
Here below is the radosgw log file and, unlike validation for AWS2 signature, there is NO callout to keystone to resolve the access_key -> tenant_id for the given user...
Does radosgw really support AWS4 signature and keystone integration?

Cheers,
Valery

2017-02-22 15:50:09.325582 7f0ec67fc700 1 ====== starting new request req=0x7f0ec67f67d0 =====
2017-02-22 15:50:09.325623 7f0ec67fc700 2 req 65:0.000041::GET /::initializing for trans_id = tx000000000000000000041-0058adb331-145bda7-default
2017-02-22 15:50:09.325643 7f0ec67fc700 10 rgw api priority: s3=5 s3website=4
2017-02-22 15:50:09.325646 7f0ec67fc700 10 host=valery-test.os.s2.scloud.switch.ch
2017-02-22 15:50:09.325655 7f0ec67fc700 20 subdomain=valery-test domain=os.s2.scloud.switch.ch in_hosted_domain=1 in_hosted_domain_s3website=0
2017-02-22 15:50:09.325663 7f0ec67fc700 20 final domain/bucket subdomain=valery-test domain=os.s2.scloud.switch.ch in_hosted_domain=1 in_hosted_domain_s3website=0 s->info.domain=os.s2.scloud.switch.ch s->info.request_uri=/valery-test/
2017-02-22 15:50:09.325685 7f0ec67fc700 10 meta>> HTTP_X_AMZ_CONTENT_SHA256
2017-02-22 15:50:09.325696 7f0ec67fc700 10 meta>> HTTP_X_AMZ_DATE
2017-02-22 15:50:09.325702 7f0ec67fc700 10 x>> x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2017-02-22 15:50:09.325704 7f0ec67fc700 10 x>> x-amz-date:20170222T155139Z
2017-02-22 15:50:09.325747 7f0ec67fc700 20 get_handler handler=25RGWHandler_REST_Bucket_S3
2017-02-22 15:50:09.325756 7f0ec67fc700 10 handler=25RGWHandler_REST_Bucket_S3
2017-02-22 15:50:09.325759 7f0ec67fc700 2 req 65:0.000178:s3:GET /::getting op 0
2017-02-22 15:50:09.325778 7f0ec67fc700 10 op=25RGWListBucket_ObjStore_S3
2017-02-22 15:50:09.325782 7f0ec67fc700 2 req 65:0.000200:s3:GET /:list_bucket:authorizing
2017-02-22 15:50:09.325813 7f0ec67fc700 10 v4 signature format = c535db1ceb4ed3c7eb68f2f9a35ad61849631a1bb6391dcf314f5aa7f717b3fd
2017-02-22 15:50:09.325827 7f0ec67fc700 10 v4 credential format = 0213b30621e74120b73d11a5e99240f9/20170222/US/s3/aws4_request
2017-02-22 15:50:09.325831 7f0ec67fc700 10 access key id = 0213b30621e74120b73d11a5e99240f9
2017-02-22 15:50:09.325833 7f0ec67fc700 10 credential scope = 20170222/US/s3/aws4_request
2017-02-22 15:50:09.325874 7f0ec67fc700 20 get_system_obj_state: rctx=0x7f0ec67f54c0 obj=.users:0213b30621e74120b73d11a5e99240f9 state=0x7f0e9401fc48 s->prefetch_data=0
2017-02-22 15:50:09.325896 7f0ec67fc700 10 cache get: name=.users+0213b30621e74120b73d11a5e99240f9 : type miss (requested=6, cached=0)
2017-02-22 15:50:09.327179 7f0ec67fc700 10 cache put: name=.users+0213b30621e74120b73d11a5e99240f9 info.flags=0
2017-02-22 15:50:09.327205 7f0ec67fc700 10 moving .users+0213b30621e74120b73d11a5e99240f9 to cache LRU end
2017-02-22 15:50:09.327222 7f0ec67fc700 10 error reading user info, uid=0213b30621e74120b73d11a5e99240f9 can't authenticate
2017-02-22 15:50:09.327225 7f0ec67fc700 10 failed to authorize request
2017-02-22 15:50:09.327228 7f0ec67fc700 20 handler->ERRORHANDLER: err_no=-2028 new_err_no=-2028
2017-02-22 15:50:09.327425 7f0ec67fc700 2 req 65:0.001843:s3:GET /:list_bucket:op status=0
2017-02-22 15:50:09.327440 7f0ec67fc700 2 req 65:0.001859:s3:GET /:list_bucket:http status=403
2017-02-22 15:50:09.327451 7f0ec67fc700 1 ====== req done req=0x7f0ec67f67d0 op status=0 http_status=403 ======

--
SWITCH
--------------------------
Valery Tschopp, Software Engineer, Peta Solutions
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
email: valery.tsch...@switch.ch
phone: +41 44 268 1544
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
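
A triage helper for a radosgw debug log like the one in the message above, as an added example that is not part of the original message or of Ceph: it groups lines by thread and reports, per request, the parsed AWS4 credential scope, whether the local user lookup failed, and the final HTTP status. It assumes one in-flight request per thread and that a Keystone callout would leave a log line containing "keystone"; `summarize_auth` and the embedded sample (a subset of the lines above) are constructed for this illustration.

```python
import re

# Constructed sample: a subset of the radosgw log lines quoted in the message.
SAMPLE_LOG = """\
2017-02-22 15:50:09.325582 7f0ec67fc700 1 ====== starting new request req=0x7f0ec67f67d0 =====
2017-02-22 15:50:09.325782 7f0ec67fc700 2 req 65:0.000200:s3:GET /:list_bucket:authorizing
2017-02-22 15:50:09.325827 7f0ec67fc700 10 v4 credential format = 0213b30621e74120b73d11a5e99240f9/20170222/US/s3/aws4_request
2017-02-22 15:50:09.325831 7f0ec67fc700 10 access key id = 0213b30621e74120b73d11a5e99240f9
2017-02-22 15:50:09.327222 7f0ec67fc700 10 error reading user info, uid=0213b30621e74120b73d11a5e99240f9 can't authenticate
2017-02-22 15:50:09.327451 7f0ec67fc700 1 ====== req done req=0x7f0ec67f67d0 op status=0 http_status=403 ======
"""

# date time, thread id, debug level, message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+(-?\d+) (.*)$")
V4_CRED = re.compile(r"v4 credential format = ([^/\s]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request")
REQ_DONE = re.compile(r"req done .*http_status=(\d+)")

def summarize_auth(log_text):
    """Return one summary dict per completed request in a radosgw debug log."""
    open_reqs, done = {}, []  # in-progress requests keyed by thread id (assumption)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.group(2), m.group(4)
        if "starting new request" in msg:
            open_reqs[thread] = {"sig": None, "access_key": None, "scope": None,
                                 "local_lookup_failed": False,
                                 "keystone_mentioned": False, "http_status": None}
            continue
        req = open_reqs.get(thread)
        if req is None:
            continue  # line outside any tracked request
        cred = V4_CRED.search(msg)
        if cred:
            req["sig"] = "AWS4"
            req["access_key"] = cred.group(1)
            req["scope"] = {"date": cred.group(2), "region": cred.group(3),
                            "service": cred.group(4)}
        elif "error reading user info" in msg:
            req["local_lookup_failed"] = True  # access key not in the local .users pool
        if "keystone" in msg.lower():  # assumption: a Keystone callout logs this word
            req["keystone_mentioned"] = True
        end = REQ_DONE.search(msg)
        if end:
            req["http_status"] = int(end.group(1))
            done.append(open_reqs.pop(thread))
    return done
```

A request summarized with `local_lookup_failed` true, `keystone_mentioned` false and status 403 matches the behaviour the message reports for the AWS4 path.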