Unable to configure Riak-CS-Control to manage users

Christopher Meiklejohn cmeiklejohn at basho.com
Wed Oct 9 19:50:21 EDT 2013


The reason for the hostname having to be equal on both hosts is because the HMAC which is generated as part of the S3 API uses this information.  The following document contains more information. 

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html

- Chris 

-- 
Christopher Meiklejohn
Software Engineer
Basho Technologies, Inc.
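
A simplified model of the hostname dependence described above, as an added example that is not part of the original thread and is not Riak CS's own code. It follows the signing rules in the linked AWS document; the secret, date, request path, and the assumption that the client signs as if its configured hostname were the root host are constructed for illustration.

```python
import base64
import hashlib
import hmac


def canonical_resource(host_header, path, root_host):
    """CanonicalizedResource as the linked AWS document defines it,
    resolved against the root host this side is configured with."""
    host = host_header.split(":")[0].lower()
    if host == root_host:                  # path-style request
        return path
    suffix = "." + root_host
    if host.endswith(suffix):              # virtual-hosted-style request
        return "/" + host[: -len(suffix)] + path
    return "/" + host + path               # any other Host is read as the bucket


def signature(secret, verb, date, resource):
    """Base64 HMAC-SHA1 over the StringToSign (no Content-MD5,
    Content-Type or x-amz-* headers in this constructed request)."""
    string_to_sign = "\n".join([verb, "", "", date, resource])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def request_accepted(client_hostname, server_root_host,
                     secret="constructed-secret"):
    """True when the server's recomputed signature matches the client's."""
    verb, path = "GET", "/riak-cs/users"           # constructed request
    date = "Wed, 09 Oct 2013 13:09:31 +0000"       # constructed Date header
    # Assumption: the client signs as if cs_hostname were the root host.
    client_sig = signature(
        secret, verb, date,
        canonical_resource(client_hostname, path, client_hostname))
    # The server sees the same Host header but resolves it against cs_root_host.
    server_sig = signature(
        secret, verb, date,
        canonical_resource(client_hostname, path, server_root_host))
    return hmac.compare_digest(client_sig, server_sig)


if __name__ == "__main__":
    # cs_hostname differs from cs_root_host: signatures differ, request rejected.
    print(request_accepted("10.0.1.202", "s3.amazonaws.com"))
    # cs_hostname equals cs_root_host: both sides sign the same string.
    print(request_accepted("s3.amazonaws.com", "s3.amazonaws.com"))
```

The secret and credentials are identical in both runs; only the hostname each side uses to build the signed string changes, which is why valid admin keys can still produce a 403.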



On Wednesday, October 9, 2013 at 2:22 PM, Dmitri Zagidulin wrote:

> Ok, yes, I think the hostname mismatch between CS and CS Control is at issue (it's somewhat confusing, I agree).
> 
> So:
> Since you have 
> 
> {cs_root_host, "s3.amazonaws.com"},
> 
> in CS Config, you want your cs_hostname to match that in CS Control's config. So, my CS Control config looks like:
> %% Instance of Riak CS you wish to talk to.
> {cs_hostname, "s3.amazonaws.com" },
> {cs_port, 80 },
> {cs_protocol, "http" },
> 
> %% Proxy information; necessary if you are using s3.amazonaws.com as
> %% your hostname.
> {cs_proxy_host, "localhost" },
> {cs_proxy_port, 8080 },
> 
> (Your cs_proxy_host would be 10.0.1.202 or 127.0.0.1, depending on your setup).
> 
> Does that make sense?
> 
> Dmitri
> 
> 
> 
> 
> On Wed, Oct 9, 2013 at 12:22 PM, Siddhu Warrier (siwarrie) <siwarrie at cisco.com> wrote:
> > Hi Dmitri, 
> > 
> > Sorry I failed to attach the s3cfg file. 
> > 
> > Cheers, 
> > 
> > Siddhu 
> > 
> > From: Dmitri Zagidulin <dzagidulin at basho.com>
> > Date: Wednesday, 9 October 2013 16:51
> > 
> > To: Siddhu Warrier <siwarrie at cisco.com>
> > Cc: "riak-users at lists.basho.com" <riak-users at lists.basho.com>
> > Subject: Re: Unable to configure Riak-CS-Control to manage users
> > 
> > Ok, I suspect it has to do with a mismatch between cs_root_host setting in riakcs.app.config and the corresponding setting in riak-cs-control.app.config. Can you attach your .s3cfg, so I can confirm?
> > 
> > Dmitri
> > 
> > 
> > On Wed, Oct 9, 2013 at 11:16 AM, Siddhu Warrier (siwarrie) <siwarrie at cisco.com> wrote:
> > > Hi Dmitri, 
> > > 
> > > Thanks again for your rapid reply! 
> > > 
> > > 1, 2) I have attached my riak, stanchion, riak-cs and riak-cs-control app.config files here 
> > > 3) 
> > > Things that work with s3cmd (s3 config attached):
> > > Create a bucket, upload a file, download a file, delete buckets recursively, list contents of buckets
> > > 
> > > [root@cpn-int-store-03 ~]# s3cmd mb s3://cloudcuckooland
> > > Bucket 's3://cloudcuckooland/' created
> > > [root@cpn-int-store-03 ~]# s3cmd put cobbler.ks s3://cloudcuckooland/shoemaker
> > > cobbler.ks -> s3://cloudcuckooland/shoemaker [1 of 1]
> > > 6964 of 6964 100% in 0s 114.14 kB/s done
> > > [root@cpn-int-store-03 ~]# s3cmd la
> > > 2013-10-09 14:47 6964 s3://cloudcuckooland/shoemaker
> > > 
> > > [root@cpn-int-store-03 ~]# s3cmd get s3://cloudcuckooland/shoemaker /tmp/shoemaker.tmp
> > > s3://cloudcuckooland/shoemaker -> /tmp/shoemaker.tmp [1 of 1]
> > > 6964 of 6964 100% in 0s 659.50 kB/s done
> > > 
> > > [root@cpn-int-store-03 ~]# s3cmd rb --force s3://cloudcuckooland
> > > WARNING: Bucket is not empty. Removing all the objects from it first. This may take some time...
> > > File s3://cloudcuckooland/shoemaker deleted
> > > Bucket 's3://cloudcuckooland/' removed
> > > 
> > > 
> > > Things that do not work: 
> > > Riak CS Control: Create user
> > > Riak CS Control: List users
> > > 
> > > Note: With anonymous user creation set to true, I was able to view information about users and modify them.
> > > 
> > > I was however able to view the information about a particular user. 
> > > [root@cpn-int-store-03 ~]# s3cmd get s3://riak-cs/user -
> > > s3://riak-cs/user -> <stdout> [1 of 1]
> > > <?xml version="1.0" encoding="UTF-8"?><User><Email>xxxx at cisco.com</Email><DisplayName>xxxxx</DisplayName><Name>Rory Irvine</Name><KeyId>5VI-NIFLNIHKRNGKPBVX</KeyId><KeySec 338 of 338 100% in 0s 4.57 kB/s doneeySecret><Id>c26c71a140f18b6853b45fd3ce4a672e0471b62a04920c2a77def7a0bfbcde0d</Id><Status>enabled</Status></User>
> > > 
> > > [root@cpn-int-store-03 ~]# s3cmd get s3://riak-cs/user/9UND62Q1-EIDE9YO1GI0 -
> > > s3://riak-cs/user/9UND62Q1-EIDE9YO1GI0 -> <stdout> [1 of 1]
> > > <?xml version="1.0" encoding="UTF-8"?><User><Email>foobar at example.com</Email><DisplayName>foobar</DisplayName><Name>foo bar</Name><KeyId>9UND62Q1-EIDE9YO1GI0</KeyId><KeySecret>4o 333 of 333 100% in 0s 43.04 kB/s doneet><Id>6057fd7d3a7c43b06f839441585d35de197baa57a4696318803afd81c5887aec</Id><Status>disabled</Status></User>
> > > 
> > > 
> > > Thanks, 
> > > 
> > > Siddhu 
> > > 
> > > From: Dmitri Zagidulin <dzagidulin at basho.com>
> > > Date: Wednesday, 9 October 2013 16:02
> > > 
> > > To: Siddhu Warrier <siwarrie at cisco.com>
> > > Cc: "riak-users at lists.basho.com" <riak-users at lists.basho.com>
> > > Subject: Re: Unable to configure Riak-CS-Control to manage users
> > > 
> > > Thanks Siddhu,
> > > Couple more questions.
> > > 
> > > 1) Can you include a couple more sections from the Riak CS config (specifically, the anonymous_user_creation section and the admin_key).
> > > 
> > > 2) Just to double-check, can you re-include the Riak CS Control config? (the whole riak_cs_control section).
> > > 
> > > 3) Describe again exactly which parts are working and which aren't. What do you see when you open the Riak CS Control web interface? (And which commands are working with s3cmd?)
> > > 
> > > 
> > > 
> > > On Wed, Oct 9, 2013 at 10:50 AM, Siddhu Warrier (siwarrie) <siwarrie at cisco.com> wrote:
> > > > Hi Dmitri,
> > > > 
> > > > Thank you for your email. I just tried this. I still have the same problem, except that I no longer get 403 errors in my Riak CS error log (as a matter of fact, I get nothing at all in my Riak CS, Riak CS Control, Stanchion, and Riak error logs). 
> > > > 
> > > > I've put the basic config section of my riak-cs/app.config here for your reference. 
> > > > 
> > > > %% Riak CS http/https port and IP address to listen at 
> > > > %% for object storage activity
> > > > {cs_ip, "10.0.1.202"},
> > > > {cs_port, 8080 } ,
> > > > 
> > > > %% Riak node to which Riak CS accesses 
> > > > {riak_ip, "10.0.1.202"},
> > > > {riak_pb_port, 8087 } ,
> > > > 
> > > > %% Configuration for access to request 
> > > > %% serialization service
> > > > {stanchion_ip, "10.0.1.202"},
> > > > {stanchion_port, 8085 },
> > > > {stanchion_ssl, false },
> > > > 
> > > > 
> > > > Thanks, 
> > > > 
> > > > Siddhu 
> > > > 
> > > > From: Dmitri Zagidulin <dzagidulin at basho.com>
> > > > Date: Wednesday, 9 October 2013 15:38
> > > > To: Siddhu Warrier <siwarrie at cisco.com>
> > > > Cc: "riak-users at lists.basho.com" <riak-users at lists.basho.com>
> > > > Subject: Re: Unable to configure Riak-CS-Control to manage users
> > > > 
> > > > (Just to be extra clear, that's meant to be a comma at the end of that directive, not a period. Also, don't forget to restart Riak CS Control, after changing the proxy host).
> > > > 
> > > > 
> > > > On Wed, Oct 9, 2013 at 10:36 AM, Dmitri Zagidulin <dzagidulin at basho.com> wrote:
> > > > > Hi Siddhu,
> > > > > 
> > > > > Can you try changing 'cs_proxy_host' to localhost? So:
> > > > > 
> > > > > {cs_proxy_host, "127.0.0.1" }.
> > > > > 
> > > > > and retry.
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > On Wed, Oct 9, 2013 at 9:55 AM, Siddhu Warrier (siwarrie) <siwarrie at cisco.com> wrote:
> > > > > > Hi, 
> > > > > > 
> > > > > > I have a two node Riak CS (1.4) cluster set up on two nodes (node-1 and node-2 henceforth). Node-1 is the headnode. Both node-1 and node-2 are running CentOS-6.4. 
> > > > > > 
> > > > > > Node-1 
> > > > > > Riak 1.4.2
> > > > > > Stanchion 1.4.1
> > > > > > Riak-CS 1.4.1
> > > > > > Riak-CS-Control 1.0.2
> > > > > > 
> > > > > > Node-2
> > > > > > Riak 1.4.2
> > > > > > Riak-CS 1.4.1
> > > > > > 
> > > > > > I have got Riak CS working, and have created admin credentials that I've set correctly on stanchion, riak-cs, and riak-cs-control on node 1, and on riak-cs on node 2. I am able to use the admin credentials to perform operations on the bucket using s3cmd.
> > > > > > 
> > > > > > However, when I try to list riak-cs users using the riak-cs-control, I get no results. The error that comes up in /var/log/riak-cs.log is: 
> > > > > > 10.0.1.202 - - [09/Oct/2013:13:09:31 +0000] "GET /buckets/users/objects HTTP/1.1" 403 160 "" ""
> > > > > > 
> > > > > > I also receive a 403 when I try to create an admin user.
> > > > > > 
> > > > > > I saw https://github.com/basho/riak_cs_control/issues/31 and set my /etc/riak-cs-control/app.config file up to use the cs_proxy_host parameter as well, though I'm not using proxies, but to no avail. I have reproduced the relevant section of my riak-cs-control/app.config here: 
> > > > > > {riak_cs_control, [
> > > > > > %% What port to run the application on.
> > > > > > {port, 8000 },
> > > > > > 
> > > > > > %% Instance of Riak CS you wish to talk to. 
> > > > > > {cs_hostname, "10.0.1.202" },
> > > > > > {cs_port, 8080 },
> > > > > > {cs_protocol, "http" },
> > > > > > 
> > > > > > %% Proxy information; necessary if you are using s3.amazonaws.com as
> > > > > > %% your hostname.
> > > > > > {cs_proxy_host, "10.0.1.202" },
> > > > > > {cs_proxy_port, 8080 },
> > > > > > 
> > > > > > %% Credentials you want the application to run as. 
> > > > > > {cs_admin_key, "5VI-NIFLNIHKRNGKPBVX" },
> > > > > > {cs_admin_secret, "xxxxxxx" },
> > > > > > 
> > > > > > %% Specify the bucket name for administration options. 
> > > > > > {cs_administration_bucket, "riak-cs" }
> > > > > > ]},
> > > > > > 
> > > > > > 
> > > > > > Is there something I am missing/doing wrong? 
> > > > > > 
> > > > > > Thanks, 
> > > > > > 
> > > > > > Siddhu 
> > > > > > _______________________________________________
> > > > > > riak-users mailing list
> > > > > > riak-users at lists.basho.com
> > > > > > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
> > > > > 
> > > > 
> > > 
> > 
> 
> 