Hi,
I am trying to configure server-side encryption using Key Management
Service as per the documentation:
http://docs.ceph.com/docs/master/radosgw/encryption/
I configured the Keystone/Barbican integration and it's working, tested using
curl commands. After I configure RadosGW and use boto.s3.connection from
Python or the s3cmd client, an error is thrown.
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Failed to retrieve the actual key, kms-keyid: 616b2ce2-053a-41e3-b51e-0ff53e33cf81</Message><BucketName>newbucket</BucketName><RequestId>tx000000000000000077750-005aa1274b-ac51-uk-west</RequestId><HostId>ac51-uk-west-uk</HostId></Error>
In the server-side logs it is getting the token, and Barbican is authenticating
the request and providing the secret URL, but it is unable to serve the key.
22:10:03.940091 7f056f7eb700 15 ceph_armor ret=16
22:10:03.940111 7f056f7eb700 15 supplied_md5=eb1a3227cdc3fedbaec2fe38bf6c044a
22:10:03.940129 7f056f7eb700 20 reading from uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1
22:10:03.940138 7f056f7eb700 20 get_system_obj_state: rctx=0x7f056f7e39f0 obj=uk-west.rgw.meta:root:.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 state=0x56540487a5a0 s->prefetch_data=0
22:10:03.940145 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x16, cached=0x17)
22:10:03.940152 7f056f7eb700 20 get_system_obj_state: s->obj_tag was set empty
22:10:03.940155 7f056f7eb700 10 cache get: name=uk-west.rgw.meta+root+.bucket.meta.newbucket:ee560b67-c330-4fd0-af50-aefff93735d2.4163.1 : hit (requested=0x11, cached=0x17)
22:10:03.944015 7f056f7eb700 20 bucket quota: max_objects=1638400 max_size=-1
22:10:03.944030 7f056f7eb700 20 bucket quota OK: stats.num_objects=7 stats.size=50
22:10:03.944176 7f056f7eb700 20 Getting KMS encryption key for key=616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:03.944225 7f056f7eb700 20 Requesting secret from barbican url=http://keyserver.rados:5000/v3/auth/tokens
22:10:03.944281 7f056f7eb700 20 sending request to http://keyserver.rados:5000/v3/auth/tokens
22:10:04.405974 7f056f7eb700 20 sending request to http://keyserver.rados:9311/v1/secrets/616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:05.519874 7f056f7eb700 5 Failed to retrieve secret from barbican:616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:05.519901 7f056f7eb700 5 ERROR: failed to retrieve actual key from key_id: 616b2ce2-053a-41e3-b51e-0ff53e33cf81
22:10:05.519980 7f056f7eb700 2 req 387:1.581432:s3:PUT /encrypted.txt:put_obj:completing
22:10:05.520187 7f056f7eb700 2 req 387:1.581640:s3:PUT /encrypted.txt:put_obj:op status=-13
22:10:05.520193 7f056f7eb700 2 req 387:1.581645:s3:PUT /encrypted.txt:put_obj:http status=403
22:10:05.520206 7f056f7eb700 1 ====== req done req=0x7f056f7e5190 op status=-13 http_status=403 ======
22:10:05.520225 7f056f7eb700 20 process_request() returned -13
22:10:05.520280 7f056f7eb700 1 civetweb: 0x5654042a1000: 192.168.100.200 - - [02/Mar/2018:22:10:03 +0530] "PUT /encrypted.txt HTTP/1.1" 1 0 - Boto/2.38.0 Python/2.7.12 Linux/4.12.1-041201-generic
22:10:06.116527 7f056e7e9700 20 HTTP_ACCEPT=*/*
The error is thrown from this line:
https://github.com/ceph/ceph/blob/master/src/rgw/rgw_crypt.cc#L1063
I am unable to understand why it is throwing the error.
In ceph.conf the following settings are configured.
[global]
rgw barbican url = http://keyserver.rados:9311
rgw keystone barbican user = rgwcrypt
rgw keystone barbican password = rgwpass
rgw keystone barbican project = service
rgw keystone barbican domain = default
rgw keystone url = http://keyserver.rados:5000
rgw keystone api version = 3
rgw crypt require ssl = false
Can someone help in figuring out what is missing?
Thanks,
Amar
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
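A diagnostic script, added here and not part of Amar's post or of the Ceph project, that repeats the two requests the log shows RGW making (a Keystone v3 token, then the Barbican secret) with the credentials from the ceph.conf above, so the failing step can be checked outside RGW. It assumes the domain setting is a Keystone domain id, that Barbican serves the secret at /v1/secrets/<id>/payload, and that the status mapping in diagnose() reflects the usual Barbican meaning of those codes.

```python
"""Repeat the two HTTP calls RGW makes for an SSE-KMS key (Keystone v3 token,
then the Barbican secret) so the failing step can be isolated outside RGW."""
import json
import sys
import urllib.error
import urllib.request

# Endpoints and credentials from the ceph.conf in the post; KEY_ID from the error.
KEYSTONE_URL = "http://keyserver.rados:5000"
BARBICAN_URL = "http://keyserver.rados:9311"
KEY_ID = "616b2ce2-053a-41e3-b51e-0ff53e33cf81"


def keystone_auth_body(user, password, project, domain):
    """Keystone v3 password auth scoped to a project, mirroring the
    'rgw keystone barbican user/password/project/domain' settings.
    Assumes 'domain' is a Keystone domain id ('default' is the default domain's id)."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "password": password, "domain": {"id": domain}}}},
        "scope": {"project": {"name": project, "domain": {"id": domain}}}}}


def diagnose(status):
    """Map the Barbican HTTP status to the most likely cause (assumed mapping)."""
    return {
        200: "OK: secret payload readable with these credentials",
        401: "Barbican rejected the token: check rgw keystone url and credentials",
        403: "Token accepted but read denied: check the secret ACL/policy for this user",
        404: "Secret not visible in the scoped project: check the key id and project",
    }.get(status, "Unexpected status %d" % status)


def http(method, url, headers, body=None):
    """Return (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, e.read()


if __name__ == "__main__":
    body = json.dumps(keystone_auth_body("rgwcrypt", "rgwpass", "service", "default")).encode()
    status, hdrs, _ = http("POST", KEYSTONE_URL + "/v3/auth/tokens",
                           {"Content-Type": "application/json"}, body)
    if status != 201:
        sys.exit("Keystone auth failed with HTTP %d" % status)
    status, _, payload = http("GET", BARBICAN_URL + "/v1/secrets/" + KEY_ID + "/payload",
                              {"X-Auth-Token": hdrs["X-Subject-Token"], "Accept": "application/octet-stream"})
    print(status, diagnose(status), len(payload), "bytes")
```

Run it from a host that can reach keyserver.rados; a 403 on the second request while the first succeeds points at the secret's access rules rather than at the Keystone credentials.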