I'd like to use curl to access a Ceph cluster. The swift API works and I
thought I could use the debug option to look at the curl commands generated for
access.
Does the --debug option of swift print the entire command for all curl commands
during execution?
Debug output from the 2nd curl command in the example below doesn't seem to
show all the headers -- authentication header(s) specifically.
Entering the command by hand results in a 403 response.
I'd like to understand how the authentiation token is generated from the tenant
(rados) user (swift) and the swift secret_key.
The following token is generated:
"AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
The first part looks like a header: 'AUTH_rgwtk', (rados gateway token) a
length == 11 and a prefix == rados:swift
AUTH_rgwtk 0b 00000072 61 64 6f 73 3a 73 77 69 66 74
length = 0xb r a d o s : s w i f t
How is the remainder of the token generated? It doesn't appear to be unencoded
or a plain hex/ascii translatation of the ceph keys shown by the radowgw-admin
command.
046eff2c 9ac6a504 1b00545 248a7893 b9006776 83adaaca 1095128 b6edf8fc 378d7d49
d8
Get the ceph user information:
root@controller21:~/ssbench-0.2.16# radosgw-admin user info --uid=rados
2013-10-07 05:55:34.804639 7ff1c3f6c780 0 WARNING: cannot read region
map
{ "user_id": "rados",
"display_name": "rados",
"email": "n...@none.com",
"suspended": 0,
"max_buckets": 1000,
"auid": 0,
"subusers": [
{ "id": "rados:swift",
"permissions": "full-control"},
{ "id": "rados:swift1",
"permissions": "full-control"}],
"keys": [
{ "user": "rados",
"access_key": "R5F0D2UCSK3618DJ829A",
"secret_key": "PJR1rvV2+Xrzlwo+AZZKXextsDl45EaLljzopgjD"}],
"swift_keys": [
{ "user": "rados:swift",
"secret_key": "77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG"},
{ "user": "rados:swift1",
"secret_key": "l9Xlg66JvbNvMmZAj91AeQByEiP8R8sBahCJeqAG"}],
"caps": [],
"op_mask": "read, write, delete",
"default_placement": "",
"placement_tags": []}
Use the debug option in swift to look at the curl commands generated:
swift --debug -V 1.0 -A
http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -U rados:swift -K
"77iJvemrxWvYk47HW7pxsL+eHdA53AtLl2T0OyuG" list
This one appears to be incomplete:
DEBUG:swiftclient:REQ: curl -i
http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET
DEBUG:swiftclient:RESP STATUS: 204
Want to understand how this key was generated:
DEBUG:swiftclient:REQ: curl -i
http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json -X GET
-H"X-Auth-Token:
AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
The swift command works:
DEBUG:swiftclient:RESP STATUS: 200
DEBUG:swiftclient:RESP BODY:
[{"name":"ssbench_000000","count":832,"bytes":85196800},...{"name":"xxx","count":1,"bytes":604}]
ssbench_000000
ssbench_000099
xxx
DEBUG:swiftclient:REQ: curl -i
http://ictp-R2C4-Controller21.ict.englab.netapp.com/swift/v1?format=json&marker=xxx
-X GET -H "X-Auth-Token:
AUTH_rgwtk0b0000007261646f733a7377696674046eff2c9ac6a5041b00545248a7893b900677683adaaca1095128b6edf8fc378d7d49d8"
DEBUG:swiftclient:RESP STATUS: 200
DEBUG:swiftclient:RESP BODY: []
Entering the 2nd curl command by hand fails:
root@controller21:~/ssbench-0.2.16# curl -i
http://ictp-R2C4-Controller21.ict.englab.netapp.com/auth -X GET
HTTP/1.1 403 Forbidden
Date: Mon, 07 Oct 2013 14:06:30 GMT
Server: Apache/2.2.22 (Ubuntu)
Accept-Ranges: bytes
Content-Length: 23
Content-Type: application/json
Thanks,
Tim
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
