Creating a new bucket by s3cmd results in access denied

Kazuhiro Suzuki kaz at basho.com
Wed Nov 11 09:04:17 EST 2015


I forgot to reply all.

On Wed, Nov 11, 2015 at 10:58 PM, Kazuhiro Suzuki <kaz at basho.com> wrote:
> One possibility is that riak_cs and stanchion have different admin.key
> and admin secret. So, please make sure whether your riak-cs.conf and
> stanchion.conf have the same admin.key and admin.secret. If not,
> stanchion responds 403 as a signature does not match.
>
> On Wed, Nov 11, 2015 at 5:12 PM, 野島 裕輔 <yusuke-nojima at cybozu.co.jp> wrote:
>> I have installed the Riak, Stanchion and Riak CS to Ubuntu 14.04, and created an admin user.
>> Then I attempted to create the new bucket with s3cmd, but it resulted in AccessDenied error.
>>
>> I tried the solution of http://riak-users.197444.n3.nabble.com/RIAK-CS-Unable-to-create-bucket-using-s3cmd-AccessDenied-td4032375.html, but still does not work.
>>
>> I found another thread http://riak-users.197444.n3.nabble.com/ERROR-S3-error-403-AccessDenied-Access-Denied-with-s3cmd-tt4033610.html, but no one answered the thread.
>>
>> Any ideas what was wrong with my setup?
>> Thanks for the help in advance.
>>
>> -------------------------
>> $ s3cmd mb s3://test
>> DEBUG: Updating Config.Config encoding -> UTF-8
>> DEBUG: Updating Config.Config follow_symlinks -> False
>> DEBUG: Updating Config.Config verbosity -> 30
>> DEBUG: Unicodising 'mb' using UTF-8
>> DEBUG: Unicodising 's3://test' using UTF-8
>> DEBUG: Command: mb
>> DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
>> DEBUG: CreateRequest: resource[uri]=/
>> DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
>> DEBUG: Processing request, please wait...
>> DEBUG: get_hostname(test): test.s3.amazonaws.com
>> DEBUG: format_uri(): http://test.s3.amazonaws.com/
>> DEBUG: Sending request method_string='PUT', uri='http://test.s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:USeKvJH40fSHJy8kZFnRyJxGgcY=', 'x-amz-date': 'Wed, 11 Nov 2015 07:36:55 +0000'}, body=(0 bytes)
>> DEBUG: Response: {'status': 403, 'headers': {'date': 'Wed, 11 Nov 2015 07:36:55 GMT', 'content-length': '159', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'Forbidden', 'data': '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>'}
>> DEBUG: S3Error: 403 (Forbidden)
>> DEBUG: HttpHeader: date: Wed, 11 Nov 2015 07:36:55 GMT
>> DEBUG: HttpHeader: content-length: 159
>> DEBUG: HttpHeader: content-type: application/xml
>> DEBUG: HttpHeader: server: Riak CS
>> DEBUG: ErrorXML: Code: 'AccessDenied'
>> DEBUG: ErrorXML: Message: 'Access Denied'
>> DEBUG: ErrorXML: Resource: '/test'
>> DEBUG: ErrorXML: RequestId: None
>> ERROR: Access to bucket 'test' was denied
>>
>> -------------------------
>> /var/log/stanchion/console.log says that the presented signature does not match:
>>
>> 2015-11-11 07:36:55.683 [debug] <0.169.0>@stanchion_auth:authenticate:41 Presented Signature: "rVYpULyFn0zsqUhizDUlQI+LfzA="
>> Calculated Signature: "aHCNYOFa7XT8PKS64fKNYyh7JGc="
>>
>> -------------------------
>> My .s3cfg looks like:
>>
>> [default]
>> access_key = LS_P9JF815TCCKTFOD4O
>> bucket_location = US
>> cloudfront_host = cloudfront.amazonaws.com
>> default_mime_type = binary/octet-stream
>> delete_removed = False
>> dry_run = False
>> enable_multipart = True
>> encoding = UTF-8
>> encrypt = False
>> follow_symlinks = False
>> force = False
>> get_continue = False
>> gpg_command = /usr/bin/gpg
>> gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
>> gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
>> gpg_passphrase = cybozu123
>> guess_mime_type = True
>> host_base = s3.amazonaws.com
>> host_bucket = %(bucket)s.s3.amazonaws.com
>> human_readable_sizes = False
>> invalidate_on_cf = False
>> list_md5 = False
>> log_target_prefix =
>> mime_type =
>> multipart_chunk_size_mb = 15
>> preserve_attrs = True
>> progress_meter = True
>> proxy_host = 127.0.0.1
>> proxy_port = 8080
>> recursive = False
>> recv_chunk = 4096
>> reduced_redundancy = False
>> secret_key = dz0oUJqZBowOmTobwyaCaZcrO7PgL69ArCSnfQ==
>> send_chunk = 4096
>> simpledb_host = sdb.amazonaws.com
>> skip_existing = False
>> socket_timeout = 300
>> urlencoding_mode = normal
>> use_https = False
>> verbosity = DEBUG
>> website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
>> website_error =
>> website_index = index.html
>> signature_v2 = True
>>
>>
>> -------------------------
>> Versions:
>>
>> riak: 2.0.5
>> riak-cs: 2.0.1
>> stanchion: 2.0.0
>> s3cmd: 1.1.0-beta3
>>
>> -------------------------
>> Traffic between Riak CS and Stanchion aquired by tcpdump is:
>>
>> POST /buckets HTTP/1.1
>> content-type: application/json
>> content-md5: owB6xF/s2H7XLFzMR3vYnw==
>> content-length: 462
>> te:
>> host: 127.0.0.1:8085
>> authorization: MOSS LS_P9JF815TCCKTFOD4O:rVYpULyFn0zsqUhizDUlQI+LfzA=
>> date: Wed, 11 Nov 2015 07:36:55 GMT
>> connection: keep-alive
>>
>> {"bucket":"test","requester":"LS_P9JF815TCCKTFOD4O","acl":{"version":1,"owner":{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","key_id":"LS_
>> P9JF815TCCKTFOD4O"},"grants":[{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","permissions":["FULL_CONTROL"]}],"creation_time":{"mega_seconds":1447,"seconds":227415,"micro_seconds":682371}}}
>>
>>
>> HTTP/1.1 403 Forbidden
>> Server: MochiWeb/1.1 WebMachine/1.10.8 (that head fake, tho)
>> Date: Wed, 11 Nov 2015 07:36:55 GMT
>> Content-Length: 162
>>
>> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>
>>
>>
>> -------------------------
>> "s3cmd ls" works fine:
>>
>> $ s3cmd ls
>> DEBUG: Updating Config.Config encoding -> UTF-8
>> DEBUG: Updating Config.Config follow_symlinks -> False
>> DEBUG: Updating Config.Config verbosity -> 30
>> DEBUG: Unicodising 'ls' using UTF-8
>> DEBUG: Command: ls
>> DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
>> DEBUG: CreateRequest: resource[uri]=/
>> DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
>> DEBUG: Processing request, please wait...
>> DEBUG: get_hostname(None): s3.amazonaws.com
>> DEBUG: format_uri(): http://s3.amazonaws.com/
>> DEBUG: Sending request method_string='GET', uri='http://s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:y6iQZ6mli0mMQ7n7V/a1hJti0r8=', 'x-amz-date': 'Wed, 11 Nov 2015 07:47:00 +0000'}, body=(0 bytes)
>> DEBUG: Response: {'status': 200, 'headers': {'date': 'Wed, 11 Nov 2015 07:47:00 GMT', 'content-length': '273', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'OK', 'data': '<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0</ID><DisplayName>yusuke-nojima</DisplayName></Owner><Buckets/></ListAllMyBucketsResult>'}
>>
>> -------------------------
>>
>> _______________________________________________
>> riak-users mailing list
>> riak-users at lists.basho.com
>> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>
>
>
> --
> Kazuhiro Suzuki | Basho Japan KK



-- 
Kazuhiro Suzuki | Basho Japan KK




More information about the riak-users mailing list