Bug #35988

open

RGW Ldap Authorization fails

Added by Anonymous over 5 years ago. Updated about 5 years ago.

Status: In Progress
Priority: Normal
Assignee:
Target version: -
% Done: 100%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

I believe that this is the same problem as 23091.

Trying to authenticate an ldap RGW user fails.

python /tmp/bucket.py 
EU
Traceback (most recent call last):
  File "/tmp/bucket.py", line 20, in <module>
    bucket = conn.create_bucket('testuser-new-bucket')
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 628, in create_bucket
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx00000000000000000000b-005b9bfd8c-11b8-default</RequestId><HostId>11b8-default-default</HostId></Error>

/var/log/ceph/ceph-client.rgw.vpm019.log

2018-09-14 18:14:46.797 7efdea2e2700 10 moving default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInRlc3R1c2VyIiwKICAgICAgICAia2V5IjogIi9ldGMvYmluZHBhc3MiCiAgICB9Cn0K to cache LRU end
2018-09-14 18:14:46.797 7efdea2e2700  5 error reading user info, uid=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInRlc3R1c2VyIiwKICAgICAgICAia2V5IjogIi9ldGMvYmluZHBhc3MiCiAgICB9Cn0K can't authenticate
2018-09-14 18:14:46.797 7efdea2e2700 20 rgw::auth::s3::LocalEngine denied with reason=-2028
2018-09-14 18:14:46.797 7efdea2e2700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13
2018-09-14 18:14:46.797 7efdea2e2700  5 Failed the auth strategy, reason=-13
2018-09-14 18:14:46.797 7efdea2e2700 10 failed to authorize request
2018-09-14 18:14:46.797 7efdea2e2700 20 handler->ERRORHANDLER: err_no=-13 new_err_no=-13
2018-09-14 18:14:46.801 7efdea2e2700  2 req 10:1.019706:s3:PUT /testuser-new-bucket/:create_bucket:op status=0
2018-09-14 18:14:46.801 7efdea2e2700  2 req 10:1.019745:s3:PUT /testuser-new-bucket/:create_bucket:http status=403
2018-09-14 18:14:46.801 7efdea2e2700  1 ====== req done req=0x7efdea2d9830 op status=0 http_status=403 ======
2018-09-14 18:14:46.801 7efdea2e2700 20 process_request() returned -13
2018-09-14 18:14:46.801 7efdea2e2700  1 civetweb: 0x55bdfea0c000: 172.21.2.19 - - [14/Sep/2018:18:14:45 +0000] "PUT /testuser-new-bucket/ HTTP/1.1" 403 389 - Boto/2.49.0 Python/2.7.12 Linux/4.4.0-24-generic
2018-09-14 18:14:52.165 7efe03efa700  2 RGWDataChangesLog::ChangesRenewThread: start

/etc/ceph/ceph.conf

[global]
public network = 172.21.2.0/21
fsid = f3b87010-5fc0-4721-8d54-d351a1a89e1e
mon_initial_members = vpm019, vpm125, vpm153
mon_host = 172.21.2.19,172.21.2.125,172.21.2.153
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_uri = "ldap://vpm169.front.sepia.ceph.com"
rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com"
rgw_ldap_searchdn = "cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = "true"
debug rgw = 20

[client.rgw.vpm019]
rgw_frontends = "civetweb port=7480"

/tmp/bucket.py

import boto
import boto.s3.connection

access_key = "ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInRlc3R1c2VyIiwKICAgICAgICAia2V5IjogIi9ldGMvYmluZHBhc3MiCiAgICB9Cn0K"

secret_key = ""

boto.config.add_section('s3')
boto.config.set('s3', 'use-sigv2', 'True')
conn = boto.connect_s3(
    aws_access_key_id = access_key,
    aws_secret_access_key = secret_key,
    host = "vpm019.front.sepia.ceph.com",
    port = 7480,
    is_secure=False,
    calling_format = boto.s3.connection.OrdinaryCallingFormat(),
    )

print boto.s3.connection.Location.EU
bucket = conn.create_bucket('testuser-new-bucket')
for bucket in conn.get_all_buckets():
    print "{name}\t{created}".format(
        name = bucket.name,
        created = bucket.creation_date,
    )

ldapsearch using the uri, binddn and searchdn used in /etc/ceph/ceph.conf works.

ldapsearch -x -D 'uid=ceph,cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com' -H ldap://vpm169.front.sepia.ceph.com -b 'cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com' -s sub 'uid=testuser' -w t0pSecret
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com> with scope subtree
# filter: uid=testuser
# requesting: ALL
#

# testuser, users, accounts, front.sepia.ceph.com
dn: uid=testuser,cn=users,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com
displayName: test user
uid: testuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
initials: tu
gecos: test user
sn: user
homeDirectory: /home/testuser
mail: testuser@front.sepia.ceph.com
krbPrincipalName: testuser@FRONT.SEPIA.CEPH.COM
givenName: test
cn: test user
ipaUniqueID: 630cc0ba-b7af-11e8-8bed-525400ae0e7b
uidNumber: 1463400003
gidNumber: 1463400003
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=front,dc=sepia,dc=ceph,dc=com
krbPasswordExpiration: 20180913234827Z
krbLastPwdChange: 20180913234827Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

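The access key in the report is a radosgw-token value, i.e. base64 over a small JSON document, and RGW logs that same blob as the uid it could not authenticate. The decoder and checks below are an added example, not the reporter's script and not Ceph code: the field layout (RGW_TOKEN with version, type, id, key) comes from decoding the token on this page, the function names are mine, and the meaning of the fields follows the Ceph LDAP docs, where "id" is looked up under rgw_ldap_searchdn and "key" is presented as that user's own bind password.

```python
import base64
import json

# The access key pasted in the report above (RGW logs the same blob as "uid=..."
# right before "can't authenticate").
REPORTED_TOKEN = "ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInRlc3R1c2VyIiwKICAgICAgICAia2V5IjogIi9ldGMvYmluZHBhc3MiCiAgICB9Cn0K"

REQUIRED_FIELDS = ("version", "type", "id", "key")


def decode_rgw_token(token):
    """Decode a radosgw-token style access key into its RGW_TOKEN fields.

    Raises ValueError for anything that is not base64-wrapped JSON carrying an
    RGW_TOKEN object, which is what a plain (non-LDAP) S3 access key looks like.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        doc = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("not an RGW_TOKEN access key") from exc
    inner = doc.get("RGW_TOKEN") if isinstance(doc, dict) else None
    if not isinstance(inner, dict) or any(f not in inner for f in REQUIRED_FIELDS):
        raise ValueError("RGW_TOKEN object missing or incomplete")
    return inner


def encode_rgw_token(user_id, password, ttype="ldap"):
    """Build a token with the layout seen in the report: 4-space pretty JSON, then base64."""
    doc = {"RGW_TOKEN": {"version": 1, "type": ttype, "id": user_id, "key": password}}
    text = json.dumps(doc, indent=4) + "\n"
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def is_rgw_token(token):
    try:
        decode_rgw_token(token)
        return True
    except ValueError:
        return False


def token_findings(token):
    """Pre-flight checks before handing a token to a client. RGW resolves "id" to a DN
    under rgw_ldap_searchdn and then binds as that DN with "key" as the password, so
    "key" must be the user's own password, not the gateway's rgw_ldap_secret path."""
    fields = decode_rgw_token(token)
    findings = []
    if fields["type"] != "ldap":
        findings.append("type is %r; the LDAP engine only handles type 'ldap'" % fields["type"])
    if fields["key"].startswith("/"):
        findings.append("key %r looks like a file path rather than a password" % fields["key"])
    if not fields["id"]:
        findings.append("id is empty, so no DN lookup is possible")
    return findings
```

Decoding the token from the report yields id "testuser" with key "/etc/bindpass", which is also exactly what encode_rgw_token("testuser", "/etc/bindpass") produces.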

Subtasks 1 (0 open, 1 closed)

Bug #23091: rgw + OpenLDAP = Failed the auth strategy, reason=-13 | Duplicate | Matt Benjamin | 02/22/2018
