Support #37157
openhow to use "RGW_ACCESS_KEY_ID" with S3/swift for AD user ?
0%
Description
ceph --version
ceph version 13.2.2 (02899bfda814146b021136e9d8e80eba494e1126) mimic (stable)
Cluster status is healthy.
I have a Ceph Object Gateway configured to use Ceph Storage cluster, tested S3/Swift "testuser" with "my_new_bucket" created by following the guide below, all works !
http://docs.ceph.com/docs/mimic/install/install-ceph-gateway/#using-the-gateway
I want to test more from using Microsoft AD user to write from Ceph Object Gateway node to use Ceph Object Storage function, following the guide:
1). http://docs.ceph.com/docs/mimic/radosgw/ldap-auth/
2). https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/ceph_object_gateway_with_ldapad_guide/index#rgw-ldap-test-the-configuration-ldap
I did setup AD/DNS server, and registered Ceph Object Gateway node for services, tested OS access on Ceph Object Gateway node from AD domain user, it works. Next I follow the doc above to use AD user for S3/swift write on Object Gateway.
Issue: there is no details, and no examples on how to use "RGW_ACCESS_KEY_ID" with S3/swift for AD user.
4.2. Export an LDAP Token: ( Red Hat Doc )
- export RGW_ACCESS_KEY_ID="<username>"
- export RGW_SECRET_ACCESS_KEY="<password>"
- radosgw-token --encode --ttype=ad
- export RGW_ACCESS_KEY_ID="*****************************************************************"
4.3. Test the Configuration with an S3 Client ( Red Hat Doc), ---The secret is no longer required !!!
Question_1:
If I have an AD user "ceph_user", with password as "ceph_user_passwd", run test below:
- export RGW_ACCESS_KEY_ID="ceph_user"
- export RGW_SECRET_ACCESS_KEY="ceph_user_passwd"
- radosgw-token --encode --ttype=ad
- export RGW_ACCESS_KEY_ID="*****", should this step use output from radosgw-token for "*****", is this make "ceph_user" = "radosgw-token" ? Why ?
Question_2:
S3 python API uses 2 lines below to get authentication pass in ceph object storage, what should be used as for adosgw-token here ?(http://docs.ceph.com/docs/mimic/radosgw/s3/python/ )
aws_access_key_id = access_key,
aws_secret_access_key = secret_key,Question_3:
2.6. Add a Gateway User:
[global]
...
rgw_ldap_secret = /etc/bindpass
...
What is the contains for file "/etc/bindpass" ? Does anyone has an example in more details ?
Thanks for help !
Ben
Updated by Benjamin Lu over 5 years ago
Add more details in my test, get error "403 Forbidden" :
[testobj@obj_gtway01 ~]$ cat /etc/ceph/ceph.conf
[global]
fsid = 2cd4ded4-763a-4c65-b650-7d8234c37f00
public_network = 10.0.100.0/24
cluster_network = 10.0.10.0/24
mon_initial_members = node0015, node0016, node0017
mon_host = 10.0.100.15,10.0.100.16,10.0.100.17
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
mon_allow_pool_delete = true
- config object gataway to use AD/LDAP authentication:
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_uri = ldaps://10.0.100.18:636
rgw_ldap_binddn = "uid=ceph,cn=Users,cn=accounts,dc=gokeuslab,dc=local"
rgw_ldap_searchdn = "cn=Users,cn=accounts,dc=gokeuslab,dc=local"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true
rgw_override_bucket_index_max_shards = 10
#debug ms = 1
#debug rgw = 20
[client.rgw.object_gateway01]
rgw_frontends = "civetweb port=80"
[client]
mon_host = 10.0.100.15:6789,10.0.100.16:6789,10.0.100.17:6789
====================================================================
[testobj@obj_gtway01 ~]$ ldapsearch -x -D "ceph" -W -h 10.0.100.18 -b "ou=Users,dc=gokeuslab,dc=local" -s sub 'uid=ceph'Enter LDAP Password:
- extended LDIF #
- LDAPv3
- base <ou=Users,dc=gokeuslab,dc=local> with scope subtree
- filter: uid=ceph
- requesting: ALL #
- search result
search: 2
result: 32 No such object
matchedDN: DC=gokeuslab,DC=local
text: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best
match of:
'DC=gokeuslab,DC=local'
- numResponses: 1
[testobj@obj_gtway01 ~]$
[testobj@obj_gtway01 ~]$ ldapsearch -x -D "testobj" -W -h 10.0.100.18 -b "ou=Users,dc=gokeuslab,dc=local" -s sub 'uid=testobj'
Enter LDAP Password: - extended LDIF #
- LDAPv3
- base <ou=Users,dc=gokeuslab,dc=local> with scope subtree
- filter: uid=testobj
- requesting: ALL #
- search result
search: 2
result: 32 No such object
matchedDN: DC=gokeuslab,DC=local
text: 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best
match of:
'DC=gokeuslab,DC=local'
- numResponses: 1
[testobj@obj_gtway01 ~]$
=======================================================================
[testobj@obj_gtway01 ~]$ export RGW_ACCESS_KEY_ID="testobj"
[testobj@obj_gtway01 ~]$ export RGW_SECRET_ACCESS_KEY=""
[testobj@obj_gtway01 ~]$ radosgw-token --encode --ttype=ad
ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJ0ZXN0b2JqIiwKICAgICAgICAia2V5IjogIiIKICAgIH0KfQo=
[testobj@obj_gtway01 ~]$ export RGW_ACCESS_KEY_ID="ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJ0ZXN0b2JqIiwKICAgICAgICAia2V5IjogIiIKICAgIH0KfQo="
[testobj@obj_gtway01 ~]$ vi create_s3_test_bucket.py
[testobj@obj_gtway01 ~]$ cat create_s3_test_bucket.py
#! /usr/bin/python
import boto
import boto.s3.connection
#access_key = 'put your access key here!'
#secret_key = 'put your secret key here!'
access_key = "ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJ0ZXN0b2JqIiwKICAgICAgICAia2V5IjogIiIKICAgIH0KfQo="
secret_key = ""
conn = boto.connect_s3(
aws_access_key_id = access_key,
aws_secret_access_key = secret_key,
host = 'obj_gtway01', port = 7480,
is_secure=False, # uncomment if you are not using ssl
calling_format = boto.s3.connection.OrdinaryCallingFormat(),
)
bucket = conn.create_bucket('s3_bucket')
for bucket in conn.get_all_buckets():
print "{name}\t{created}".format(
name = bucket.name,
created = bucket.creation_date,
)
[testobj@obj_gtway01 ~]$ chmod 755 create_s3_test_bucket.py
[testobj@obj_gtway01 ~]$ ./create_s3_test_bucket.py
Traceback (most recent call last):
File "./create_s3_test_bucket.py", line 17, in <module>
bucket = conn.create_bucket('s3_bucket')
File "/usr/lib/python2.7/site-packages/boto/s3/connection.py", line 625, in create_bucket
response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<Error><Code>AccessDenied</Code><RequestId>tx00000000000000000000d-005becd4ed-346704-default</RequestId><HostId>346704-default-default</HostId></Error>
[testobj@obj_gtway01 ~]$
Updated by Matt Benjamin over 5 years ago
Hi Benjamin,
1. setting the user to be the token transfers the bundle unmodified to RGW--when the S3 signing method is v2--you can't use v4 ** but see below
2. the secret key can be anything--I think it can be blank
3. /etc/bindpass contains a password for the binddn, which is the ldap credential RGW will use to search ldap
- in recent RGW, it is now possible to use aws v4 signing in combination with ldap--by using ldap only to perform GetSessionToken, which can return an STS::Lite temporary credential--the former operation would need to use v2, but after establishing an STS token, v4 signing could be used
Updated by Benjamin Lu over 5 years ago
3. /etc/bindpass contains a password for the binddn, which is the ldap credential RGW will use to search ldap
- in recent RGW, it is now possible to use aws v4 signing in combination with ldap--by using ldap only to perform GetSessionToken, which can return an STS::Lite temporary credential--the former operation would need to use v2, but after establishing an STS token, v4 signing could be used
-------------------------------
Hi Matt,
Thank you for spending time on my question.
I still have question about file "/etc/bindpass", is this file store all AD user password same as in AD ? Or the password for the binddn is something like "secret_key" or "token"? Do you have an example?
Best regards,
Ben
Updated by Benjamin Lu over 5 years ago
Hi Matt,
Here is the solution that fixed the AD user access to RGW using its token with LDAP in my test Env, there is nothing related to v2, v4 signing.
Step 1:
Put below lines in "/etc/ceph/ceph.conf" on my RGW server "rgw.obj_gtway01" :
- config object gataway to use AD/LDAP authentication:
rgw_ldap_uri = "ldap://10.0.100.18"
rgw_ldap_binddn = "Administrator@mylab.local" ## "mylab.local" is my AD domain.
rgw_ldap_secret = "/etc/bindpasswd"
rgw_ldap_searchdn = "cn=users,dc=mylab,dc=local"
rgw_ldap_searchfilter = "(&(objectClass=user)(sAMAccountName=USERNAME))"
rgw_s3_auth_use_ldap = true
Step 2:
Add AD user "s3user" in AD server.
- echo "s3user_PASSWORD" > /etc/bindpasswd
- systemctl restart ceph-radosgw@rgw.obj_gtway01
- export RGW_ACCESS_KEY_ID=s3user
- export RGW_SECRET_ACCESS_KEY="*********"
- radosgw-token --encode --ttype=ad ### this create token to s3user below:
ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQi**********
Step 6,
Create a s3 API python script to create bucket in Ceph storage:
- vi create_s3_connection_with_token.py
#! /usr/bin/python
import boto
import boto.s3.connection
access_key = "ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQi**********"
secret_key = ''
conn = boto.connect_s3(
aws_access_key_id = access_key,
aws_secret_access_key = secret_key,
host = 'obj_gtway01', port = 7480,
is_secure=False, # uncomment if you are not using ssl
calling_format = boto.s3.connection.OrdinaryCallingFormat(),
)
bucket = conn.create_bucket('s3user-bucket4')
for bucket in conn.get_all_buckets():
print "{name}\t{created}".format(
name = bucket.name,
created = bucket.creation_date,
)
Step 7,
Test the s3 API to create bucket:
[root@obj_gtway01 s3user]# ./create_s3_connection_with_token.py
s3user-bucket4 2018-12-01T01:44:36.901Z
Tips:
1). make sure the contains in ceph.conf matches setup in AD server.
2). make sure the user password in "/etc/bindpasswd" is one line with no empty space inside.
This issue tracker can be closed now!
-Ben