Ceph rgw LDAP authorization

Problem description   Votes: 0   Answers: 2

I am trying to set up LDAP (Active Directory) authentication for ceph rgw. My ceph version is 12.2.2. My configuration file ceph.conf:

[cephrgwhost]
rgw_frontends = civetweb port=443
rgw_ldap_uri = "ldap://adceph.ceph.int:389"
rgw_ldap_binddn = "CN=cephldap,CN=Users,DC=ceph,DC=int"
rgw_ldap_secret = "Password"
rgw_ldap_searchdn = "cn=users,dc=ceph,dc=int"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true
debug rgw = 20

On the rgw host I issue three commands:

# export RGW_ACCESS_KEY_ID="<username>"
# export RGW_SECRET_ACCESS_KEY="<password>"
# radosgw-token --encode --ttype=ad

The result of these commands is a base64 string:

ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo=

Decoded, the string looks like this; the login and password are on this line:

{
    "RGW_TOKEN": {
        "version": 1,
        "type": "ad",
        "id": "cephldap",
        "key": "password"
    }
}

To connect to rgw I use python boto. I did not specify a value for the variable aws_secret_access_key, as one is not required:

import boto
import boto.s3.connection

access_key = 'base64'          # the radosgw-token output goes here
secret_key = ''

conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    host='cephrgwhost',
    port=7480,
    is_secure=False,           # uncomment if you are not using ssl
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),
)

for bucket in conn.get_all_buckets():
    print(bucket)
    print("{name}\t{created}".format(
        name=bucket.name,
        created=bucket.creation_date,
    ))

Running the script gives the following result:

Traceback (most recent call last):
  File "s3python.py", line 18, in <module>
    for bucket in conn.get_all_buckets():
  File "c:\Python27\lib\site-packages\boto\s3\connection.py", line 447, in get_all_buckets
    response.status, response.reason, body)
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000004-005b7e7f94-1ebb3-default</RequestId><HostId>1ebb3-default-default</HostId></Error>

Contents of the log on cephrgwhost (log file /var/log/ceph/ceph-client.rgw.cephrgwhost.log). I am watching the traffic between cephrgwhost and adceph.ceph.int, and there is no ldap traffic at all:

2018-08-23 15:20:26.424061 7fa4d427c700 20 CONTENT_LENGTH=0
2018-08-23 15:20:26.424099 7fa4d427c700 20 HTTP_ACCEPT_ENCODING=identity
2018-08-23 15:20:26.424104 7fa4d427c700 20 HTTP_AUTHORIZATION=AWS ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo=:CRW41WihDir6Xj6cJihdMKj95/M=
2018-08-23 15:20:26.424109 7fa4d427c700 20 HTTP_DATE=Thu, 23 Aug 2018 12:20:20 GMT
2018-08-23 15:20:26.424111 7fa4d427c700 20 HTTP_HOST=ceph132v12.ceph.int:7480
2018-08-23 15:20:26.424123 7fa4d427c700 20 HTTP_USER_AGENT=Boto/2.49.0 Python/2.7.10 Windows/7
2018-08-23 15:20:26.424131 7fa4d427c700 20 REQUEST_METHOD=GET
2018-08-23 15:20:26.424133 7fa4d427c700 20 REQUEST_URI=/
2018-08-23 15:20:26.424134 7fa4d427c700 20 SCRIPT_URI=/
2018-08-23 15:20:26.424136 7fa4d427c700 20 SERVER_PORT=7480
2018-08-23 15:20:26.424139 7fa4d427c700  1 ====== starting new request req=0x7fa4d42761f0 =====
2018-08-23 15:20:26.424190 7fa4d427c700  2 req 9:0.000041::GET /::initializing for trans_id = tx000000000000000000009-005b7ea68a-1ebb3-default
2018-08-23 15:20:26.424202 7fa4d427c700 10 rgw api priority: s3=5 s3website=4
2018-08-23 15:20:26.424204 7fa4d427c700 10 host=ceph132v12.ceph.int
2018-08-23 15:20:26.424211 7fa4d427c700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2018-08-23 15:20:26.424215 7fa4d427c700 20 final domain/bucket subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 s->info.domain= s->info.request_uri=/
2018-08-23 15:20:26.424264 7fa4d427c700 20 get_handler handler=26RGWHandler_REST_Service_S3
2018-08-23 15:20:26.424270 7fa4d427c700 10 handler=26RGWHandler_REST_Service_S3
2018-08-23 15:20:26.424272 7fa4d427c700  2 req 9:0.000134:s3:GET /::getting op 0
2018-08-23 15:20:26.424280 7fa4d427c700 10 op=26RGWListBuckets_ObjStore_S3
2018-08-23 15:20:26.424282 7fa4d427c700  2 req 9:0.000144:s3:GET /:list_buckets:verifying requester
2018-08-23 15:20:26.424289 7fa4d427c700 20 rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy
2018-08-23 15:20:26.424292 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
2018-08-23 15:20:26.424296 7fa4d427c700 20 rgw::auth::s3::S3AnonymousEngine denied with reason=-1
2018-08-23 15:20:26.424304 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::AWSv2ExternalAuthStrategy
2018-08-23 15:20:26.424306 7fa4d427c700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine
2018-08-23 15:20:26.424332 7fa4d427c700 10 get_canon_resource(): dest=/
2018-08-23 15:20:26.424335 7fa4d427c700 10 string_to_sign:
GET


Thu, 23 Aug 2018 12:20:20 GMT
/
2018-08-23 15:20:26.425295 7fa4d427c700 12 auth search filter: (cn=cephldap)
2018-08-23 15:20:26.426999 7fa4d427c700  5 auth ldap_search_s error uid=cephldap ldap err=1
2018-08-23 15:20:26.442038 7fa4d427c700  5 auth ldap_search_s error uid=cephldap ldap err=1
2018-08-23 15:20:26.442066 7fa4d427c700 20 rgw::auth::s3::LDAPEngine denied with reason=-13
2018-08-23 15:20:26.442071 7fa4d427c700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13
2018-08-23 15:20:26.442073 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine
2018-08-23 15:20:26.442100 7fa4d427c700 10 get_canon_resource(): dest=/
2018-08-23 15:20:26.442103 7fa4d427c700 10 string_to_sign:
GET


Thu, 23 Aug 2018 12:20:20 GMT
/
2018-08-23 15:20:26.442164 7fa4d427c700 20 get_system_obj_state: rctx=0x7fa4d4273ac0 obj=default.rgw.meta:users.keys:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= state=0x5563c351ef60 s->prefetch_data=0
2018-08-23 15:20:26.442182 7fa4d427c700 10 cache get: name=default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= : type miss (requested=0x6, cached=0x0)
2018-08-23 15:20:26.444163 7fa4d427c700 10 moving default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= to cache LRU end
2018-08-23 15:20:26.444182 7fa4d427c700  5 error reading user info, uid=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= can't authenticate
2018-08-23 15:20:26.444186 7fa4d427c700 20 rgw::auth::s3::LocalEngine denied with reason=-2028
2018-08-23 15:20:26.444189 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13
2018-08-23 15:20:26.444191 7fa4d427c700 20 rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy
2018-08-23 15:20:26.444194 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
2018-08-23 15:20:26.444198 7fa4d427c700 20 rgw::auth::s3::S3AnonymousEngine denied with reason=-1
2018-08-23 15:20:26.444200 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::AWSv2ExternalAuthStrategy
2018-08-23 15:20:26.444202 7fa4d427c700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine
2018-08-23 15:20:26.444223 7fa4d427c700 10 get_canon_resource(): dest=/
2018-08-23 15:20:26.444225 7fa4d427c700 10 string_to_sign:
GET


Thu, 23 Aug 2018 12:20:20 GMT
/
2018-08-23 15:20:26.444630 7fa4d427c700 12 auth search filter: (cn=cephldap)
2018-08-23 15:20:26.445286 7fa4d427c700  5 auth ldap_search_s error uid=cephldap ldap err=1
2018-08-23 15:20:26.455836 7fa4d427c700  5 auth ldap_search_s error uid=cephldap ldap err=1
2018-08-23 15:20:26.455864 7fa4d427c700 20 rgw::auth::s3::LDAPEngine denied with reason=-13
2018-08-23 15:20:26.455869 7fa4d427c700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13
2018-08-23 15:20:26.455871 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine
2018-08-23 15:20:26.455894 7fa4d427c700 10 get_canon_resource(): dest=/
2018-08-23 15:20:26.455898 7fa4d427c700 10 string_to_sign:
GET


Thu, 23 Aug 2018 12:20:20 GMT
/
2018-08-23 15:20:26.455909 7fa4d427c700 20 get_system_obj_state: rctx=0x7fa4d4273ac0 obj=default.rgw.meta:users.keys:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= state=0x5563c351ef60 s->prefetch_data=0
2018-08-23 15:20:26.455918 7fa4d427c700 10 cache get: name=default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= : type miss (requested=0x6, cached=0x0)
2018-08-23 15:20:26.457111 7fa4d427c700 10 cache put: name=default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= info.flags=0x0
2018-08-23 15:20:26.457120 7fa4d427c700 10 moving default.rgw.meta+users.keys+ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= to cache LRU end
2018-08-23 15:20:26.457138 7fa4d427c700  5 error reading user info, uid=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAiYWQiLAogICAgICAgICJpZCI6ICJjZXBobGRhcCIsCiAgICAgICAgImtleSI6ICJwYXNzd29yZCIKICAgIH0KfQo= can't authenticate
2018-08-23 15:20:26.457154 7fa4d427c700 20 rgw::auth::s3::LocalEngine denied with reason=-2028
2018-08-23 15:20:26.457159 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13
2018-08-23 15:20:26.457161 7fa4d427c700  5 Failed the auth strategy, reason=-13
2018-08-23 15:20:26.457163 7fa4d427c700 10 failed to authorize request
2018-08-23 15:20:26.457165 7fa4d427c700 20 handler->ERRORHANDLER: err_no=-13 new_err_no=-13
2018-08-23 15:20:26.457300 7fa4d427c700  2 req 9:0.033161:s3:GET /:list_buckets:op status=0
2018-08-23 15:20:26.457307 7fa4d427c700  2 req 9:0.033169:s3:GET /:list_buckets:http status=403
2018-08-23 15:20:26.457312 7fa4d427c700  1 ====== req done req=0x7fa4d42761f0 op status=0 http_status=403 ======
2018-08-23 15:20:26.457326 7fa4d427c700 20 process_request() returned -13
2018-08-23 15:20:26.457411 7fa4d427c700  1 civetweb: 0x5563c3739000: 10.201.0.131 - - [23/Aug/2018:15:20:26 +0300] "GET / HTTP/1.1" 1 0 - Boto/2.49.0 Python/2.7.10 Windows/7
2018-08-23 15:20:30.973550 7fa4f48d7700  2 RGWDataChangesLog::ChangesRenewThread: start
ceph radosgw
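As an added example (not code from the question or from Ceph itself), the following Python rebuilds the token format that radosgw-token printed above and shows why the log in the question matters: the token is only base64 over JSON, boto sends it verbatim in the AWS access-key slot of the Authorization header, and with debug rgw = 20 that header is written to the rgw log, so the LDAP password lands in /var/log/ceph in a form anyone reading the log can recover. The JSON layout and the signature value are taken from the question; the function names are mine.

```python
import base64
import json


def encode_rgw_token(uid, secret, ttype="ad"):
    """Rebuild the token radosgw-token --encode prints: the decoded JSON shown
    in the question, base64-encoded. Nothing in it is encrypted or signed."""
    doc = {"RGW_TOKEN": {"version": 1, "type": ttype, "id": uid, "key": secret}}
    return base64.b64encode((json.dumps(doc, indent=4) + "\n").encode()).decode()


def decode_rgw_token(token):
    """Anyone holding the token can recover the LDAP uid and password from it."""
    return json.loads(base64.b64decode(token))["RGW_TOKEN"]


def split_aws_v2_authorization(value):
    """Split 'AWS <access-key>:<signature>'. With LDAP auth the access-key slot
    carries the whole token, as the HTTP_AUTHORIZATION log line shows."""
    scheme, _, rest = value.partition(" ")
    if scheme != "AWS":
        raise ValueError("not an AWS signature v2 Authorization header")
    access_key, _, signature = rest.rpartition(":")
    return access_key, signature


def credentials_in_log_line(line):
    """Return the (uid, password) a debug_rgw=20 HTTP_AUTHORIZATION line exposes."""
    header = line.split("HTTP_AUTHORIZATION=", 1)[1]
    token = decode_rgw_token(split_aws_v2_authorization(header)[0])
    return token["id"], token["key"]


# Constructed sample: the HTTP_AUTHORIZATION line from the log in the question,
# rebuilt from the same uid, password and signature value.
SAMPLE_LINE = ("2018-08-23 15:20:26.424104 7fa4d427c700 20 HTTP_AUTHORIZATION=AWS "
               + encode_rgw_token("cephldap", "password")
               + ":CRW41WihDir6Xj6cJihdMKj95/M=")

if __name__ == "__main__":
    print(credentials_in_log_line(SAMPLE_LINE))   # ('cephldap', 'password')
```

The same recovery works on any copy of the token, so it deserves the protection of a secret key, not of a public identifier.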
2 answers
0 votes

In the log, the following line: "5 auth ldap_search_s error uid=cephldap ldap err=1" indicates that it tried to contact ldap and got that error back. Are you sure the ldap configuration settings in ceph.conf, i.e. binddn and searchdn, are correct?

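Picking the auth chain out of a level-20 rgw log by hand is error-prone; this added Python helper (not from the question or from Ceph) summarizes which engines were tried, the reason code each returned, and any LDAP search errors, using lines quoted from the log above. The -2028 entry is rgw's ERR_INVALID_ACCESS_KEY from rgw_common.h; the regexes and function names are mine.

```python
import errno
import re

# rgw-specific error codes (rgw_common.h) that are not plain errno values.
RGW_ERRORS = {2028: "ERR_INVALID_ACCESS_KEY"}

TRYING = re.compile(r": trying rgw::auth::(?:\w+::)*(\w+)")
DENIED = re.compile(r"rgw::auth::(?:\w+::)*(\w+) denied with reason=(-?\d+)")
LDAP_ERR = re.compile(r"auth ldap_search_s error uid=(\S+) ldap err=(\d+)")
HTTP_STATUS = re.compile(r"http status=(\d+)")


def reason_name(code):
    """Map a negative rgw 'reason' (negated errno or rgw code) to a name."""
    n = -code
    return RGW_ERRORS.get(n) or errno.errorcode.get(n, "UNKNOWN(%d)" % code)


def parse_auth_trace(lines):
    """Summarize which auth engines ran, why each refused, and LDAP errors."""
    s = {"tried": [], "denied": [], "ldap_errors": [], "http_status": None}
    for line in lines:
        if m := TRYING.search(line):
            s["tried"].append(m.group(1))
        elif m := DENIED.search(line):
            s["denied"].append((m.group(1), reason_name(int(m.group(2)))))
        elif m := LDAP_ERR.search(line):
            # LDAP result code 1 is operationsError (RFC 4511); Active Directory
            # returns it for a search on a connection that was never bound.
            s["ldap_errors"].append((m.group(1), int(m.group(2))))
        elif m := HTTP_STATUS.search(line):
            s["http_status"] = int(m.group(1))
    return s


# Constructed sample: one pass of the auth chain, quoted from the log in the question.
SAMPLE_LOG = [
    "2018-08-23 15:20:26.424292 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine",
    "2018-08-23 15:20:26.424296 7fa4d427c700 20 rgw::auth::s3::S3AnonymousEngine denied with reason=-1",
    "2018-08-23 15:20:26.424306 7fa4d427c700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine",
    "2018-08-23 15:20:26.426999 7fa4d427c700  5 auth ldap_search_s error uid=cephldap ldap err=1",
    "2018-08-23 15:20:26.442066 7fa4d427c700 20 rgw::auth::s3::LDAPEngine denied with reason=-13",
    "2018-08-23 15:20:26.442073 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine",
    "2018-08-23 15:20:26.444186 7fa4d427c700 20 rgw::auth::s3::LocalEngine denied with reason=-2028",
    "2018-08-23 15:20:26.444189 7fa4d427c700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13",
    "2018-08-23 15:20:26.457307 7fa4d427c700  2 req 9:0.033169:s3:GET /:list_buckets:http status=403",
]

if __name__ == "__main__":
    print(parse_auth_trace(SAMPLE_LOG))
```

Run against the full log, the summary makes the pattern in the question obvious: the LDAP search itself fails before any user lookup, then the local engine fails because the token is not a locally known access key.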

0 votes

Yes, I am sure the ldap configuration is correct. I moved the rgw_ldap_(settings) to the [global] section of the ceph.conf configuration file, removed the port ":389" from the string rgw_ldap_uri = "ldap://adceph.ceph.int:389", changed rgw_ldap_secret = "Password" to rgw_ldap_secret = /path/to/pass, and authentication started working.
