Creating a new bucket by s3cmd results in access denied

野島 裕輔 yusuke-nojima at cybozu.co.jp
Wed Nov 11 20:22:41 EST 2015


After setting admin.key and admin.secret in /etc/stanchion/stanchion.conf, "s3cmd mb" succeeded!
Thank you very much!


----- Original Message -----
Subject: Re: Creating a new bucket by s3cmd results in access denied
Date: Wed, 11 Nov 2015 23:04:17 +0900
From: Kazuhiro Suzuki <kaz at basho.com>
To: "野島 裕輔"<yusuke-nojima at cybozu.co.jp>
Cc: riak-users <riak-users at lists.basho.com>
Kazuhiro Suzuki wrote:
> I forgot to reply all.
> 
> On Wed, Nov 11, 2015 at 10:58 PM, Kazuhiro Suzuki <kaz at basho.com> wrote:
> > One possibility is that riak_cs and stanchion have different admin.key
> > and admin secret. So, please make sure whether your riak-cs.conf and
> > stanchion.conf have the same admin.key and admin.secret. If not,
> > stanchion responds 403 as a signature does not match.
> >
> > On Wed, Nov 11, 2015 at 5:12 PM, 野島 裕輔 <yusuke-nojima at cybozu.co.jp> wrote:
> >> I have installed the Riak, Stanchion and Riak CS to Ubuntu 14.04, and created an admin user.
> >> Then I attempted to create the new bucket with s3cmd, but it resulted in AccessDenied error.
> >>
> >> I tried the solution of http://riak-users.197444.n3.nabble.com/RIAK-CS-Unable-to-create-bucket-using-s3cmd-AccessDenied-td4032375.html, but still does not work.
> >>
> >> I found another thread http://riak-users.197444.n3.nabble.com/ERROR-S3-error-403-AccessDenied-Access-Denied-with-s3cmd-tt4033610.html, but no one answered the thread.
> >>
> >> Any ideas what was wrong with my setup?
> >> Thanks for the help in advance.
> >>
> >> -------------------------
> >> $ s3cmd mb s3://test
> >> DEBUG: Updating Config.Config encoding -> UTF-8
> >> DEBUG: Updating Config.Config follow_symlinks -> False
> >> DEBUG: Updating Config.Config verbosity -> 30
> >> DEBUG: Unicodising 'mb' using UTF-8
> >> DEBUG: Unicodising 's3://test' using UTF-8
> >> DEBUG: Command: mb
> >> DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
> >> DEBUG: CreateRequest: resource[uri]=/
> >> DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
> >> DEBUG: Processing request, please wait...
> >> DEBUG: get_hostname(test): test.s3.amazonaws.com
> >> DEBUG: format_uri(): http://test.s3.amazonaws.com/
> >> DEBUG: Sending request method_string='PUT', uri='http://test.s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:USeKvJH40fSHJy8kZFnRyJxGgcY=', 'x-amz-date': 'Wed, 11 Nov 2015 07:36:55 +0000'}, body=(0 bytes)
> >> DEBUG: Response: {'status': 403, 'headers': {'date': 'Wed, 11 Nov 2015 07:36:55 GMT', 'content-length': '159', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'Forbidden', 'data': '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>'}
> >> DEBUG: S3Error: 403 (Forbidden)
> >> DEBUG: HttpHeader: date: Wed, 11 Nov 2015 07:36:55 GMT
> >> DEBUG: HttpHeader: content-length: 159
> >> DEBUG: HttpHeader: content-type: application/xml
> >> DEBUG: HttpHeader: server: Riak CS
> >> DEBUG: ErrorXML: Code: 'AccessDenied'
> >> DEBUG: ErrorXML: Message: 'Access Denied'
> >> DEBUG: ErrorXML: Resource: '/test'
> >> DEBUG: ErrorXML: RequestId: None
> >> ERROR: Access to bucket 'test' was denied
> >>
> >> -------------------------
> >> /var/log/stanchion/console.log says that the presented signature does not match:
> >>
> >> 2015-11-11 07:36:55.683 [debug] <0.169.0>@stanchion_auth:authenticate:41 Presented Signature: "rVYpULyFn0zsqUhizDUlQI+LfzA="
> >> Calculated Signature: "aHCNYOFa7XT8PKS64fKNYyh7JGc="
> >>
> >> -------------------------
> >> My .s3cfg looks like:
> >>
> >> [default]
> >> access_key = LS_P9JF815TCCKTFOD4O
> >> bucket_location = US
> >> cloudfront_host = cloudfront.amazonaws.com
> >> default_mime_type = binary/octet-stream
> >> delete_removed = False
> >> dry_run = False
> >> enable_multipart = True
> >> encoding = UTF-8
> >> encrypt = False
> >> follow_symlinks = False
> >> force = False
> >> get_continue = False
> >> gpg_command = /usr/bin/gpg
> >> gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
> >> gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
> >> gpg_passphrase = cybozu123
> >> guess_mime_type = True
> >> host_base = s3.amazonaws.com
> >> host_bucket = %(bucket)s.s3.amazonaws.com
> >> human_readable_sizes = False
> >> invalidate_on_cf = False
> >> list_md5 = False
> >> log_target_prefix =
> >> mime_type =
> >> multipart_chunk_size_mb = 15
> >> preserve_attrs = True
> >> progress_meter = True
> >> proxy_host = 127.0.0.1
> >> proxy_port = 8080
> >> recursive = False
> >> recv_chunk = 4096
> >> reduced_redundancy = False
> >> secret_key = dz0oUJqZBowOmTobwyaCaZcrO7PgL69ArCSnfQ==
> >> send_chunk = 4096
> >> simpledb_host = sdb.amazonaws.com
> >> skip_existing = False
> >> socket_timeout = 300
> >> urlencoding_mode = normal
> >> use_https = False
> >> verbosity = DEBUG
> >> website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
> >> website_error =
> >> website_index = index.html
> >> signature_v2 = True
> >>
> >>
> >> -------------------------
> >> Versions:
> >>
> >> riak: 2.0.5
> >> riak-cs: 2.0.1
> >> stanchion: 2.0.0
> >> s3cmd: 1.1.0-beta3
> >>
> >> -------------------------
> >> Traffic between Riak CS and Stanchion aquired by tcpdump is:
> >>
> >> POST /buckets HTTP/1.1
> >> content-type: application/json
> >> content-md5: owB6xF/s2H7XLFzMR3vYnw==
> >> content-length: 462
> >> te:
> >> host: 127.0.0.1:8085
> >> authorization: MOSS LS_P9JF815TCCKTFOD4O:rVYpULyFn0zsqUhizDUlQI+LfzA=
> >> date: Wed, 11 Nov 2015 07:36:55 GMT
> >> connection: keep-alive
> >>
> >> {"bucket":"test","requester":"LS_P9JF815TCCKTFOD4O","acl":{"version":1,"owner":{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","key_id":"LS_
> >> P9JF815TCCKTFOD4O"},"grants":[{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","permissions":["FULL_CONTROL"]}],"creation_time":{"mega_seconds":1447,"seconds":227415,"micro_seconds":682371}}}
> >>
> >>
> >> HTTP/1.1 403 Forbidden
> >> Server: MochiWeb/1.1 WebMachine/1.10.8 (that head fake, tho)
> >> Date: Wed, 11 Nov 2015 07:36:55 GMT
> >> Content-Length: 162
> >>
> >> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>
> >>
> >>
> >> -------------------------
> >> "s3cmd ls" works fine:
> >>
> >> $ s3cmd ls
> >> DEBUG: Updating Config.Config encoding -> UTF-8
> >> DEBUG: Updating Config.Config follow_symlinks -> False
> >> DEBUG: Updating Config.Config verbosity -> 30
> >> DEBUG: Unicodising 'ls' using UTF-8
> >> DEBUG: Command: ls
> >> DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
> >> DEBUG: CreateRequest: resource[uri]=/
> >> DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
> >> DEBUG: Processing request, please wait...
> >> DEBUG: get_hostname(None): s3.amazonaws.com
> >> DEBUG: format_uri(): http://s3.amazonaws.com/
> >> DEBUG: Sending request method_string='GET', uri='http://s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:y6iQZ6mli0mMQ7n7V/a1hJti0r8=', 'x-amz-date': 'Wed, 11 Nov 2015 07:47:00 +0000'}, body=(0 bytes)
> >> DEBUG: Response: {'status': 200, 'headers': {'date': 'Wed, 11 Nov 2015 07:47:00 GMT', 'content-length': '273', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'OK', 'data': '<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0</ID><DisplayName>yusuke-nojima</DisplayName></Owner><Buckets/></ListAllMyBucketsResult>'}
> >>
> >> -------------------------
> >>
> >> _______________________________________________
> >> riak-users mailing list
> >> riak-users at lists.basho.com
> >> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
> >
> >
> >
> > --
> > Kazuhiro Suzuki | Basho Japan KK
> 
> 
> 
> -- 
> Kazuhiro Suzuki | Basho Japan KK




More information about the riak-users mailing list