On a fresh CentOS server I've installed Riak CS 2.1.1 on top of Riak 2.1.3 with Stanchion 2.1.1 using the official guide.

I was able to create new users when `anonymous_user_creation` is enabled in the Riak CS conf file. But when I disable it and try to create a new user via Riak Control (1.0.2), I get a 409 Conflict HTTP status code. Or when I try to list all users via s3curl (I've set up the `~/.s3curl` file with the right credentials and used the `./s3curl.pl --id=cdn -- -k https://s3.example.com:8081/riak-cs/users` command to send the request), I get an error:

```xml
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/riak-cs/users</Resource><RequestId></RequestId></Error>
```

I've set `admin.key` and `admin.secret` in both the Riak CS and Stanchion configs to the values that I got when creating an anonymous user. I tried to create another anonymous user and double-checked that I'm taking the right values for the key and secret.

There is no trace of errors in Riak, Stanchion or Riak CS logs - except Riak CS access logs, but that doesn't tell much.

I have no idea what to do next. Any suggestions would be welcome.

skaurus
  • If you enable debug logging in both Riak CS and s3curl they should both log the String To Sign value - make sure that is the same first. If it is, and you still get denied, check which signing algorithm each side uses; I vaguely recall a discussion on Riak CS not supporting the latest one. – Joe Feb 04 '16 at 19:11
  • @Joe, how do I enable debug logging in Riak CS? There is no mention of this in [configuration reference](http://docs.basho.com/riakcs/latest/cookbooks/configuration/configuration-reference/) – skaurus Feb 04 '16 at 19:18
  • Follow the link from http://docs.basho.com/riakcs/latest/cookbooks/configuration/configuration-reference/#Logging to https://github.com/basho/lager/blob/master/README.md#configuration, then either add a new file backend with level debug or raise the existing console.log – Joe Feb 04 '16 at 20:28
  • @Joe, thanks! STS from riak-cs logs: ["GET","\n",[],"\n",[],"\n",["Mon, 08 Feb 2016 14:00:58 +0000","\n"],[],["/riak-cs/users",[]]]; from s3curl: GET\n\n\nMon, 08 Feb 2016 14:10:28 +0000\n/s3.doma.in/riak-cs/users. I can see what is wrong here. Will try to fix. – skaurus Feb 08 '16 at 15:03

1 Answer

Thanks to @Joe's help, I was able to debug this issue, at least for s3curl.

It turned out to be related to the fact that I've chosen the "direct" configuration of Riak CS instead of "proxy". That means that I have given it its own hostname instead of "s3.amazonaws.com" (Riak CS is really trying to disguise itself as the real S3 due to client compatibility issues).

And while Riak CS used this string to calculate the checksum (in erlang-y format):

```
["GET","\n",[],"\n",[],"\n",["Mon, 08 Feb 2016 14:00:58 +0000","\n"],[],["/riak-cs/users",[]]]
```

s3curl, having encountered an unknown hostname, used this one:

```
GET\n\n\nMon, 08 Feb 2016 14:10:28 +0000\n/s3.mydoma.in/riak-cs/users
```

Which caused Access Denied.

Fix: add a line like this to `~/.s3curl`:

```perl
push @endpoints, 's3.mydoma.in';
```

Now I'll try to debug Riak CS Control.

skaurus
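The mismatch described in this answer, reproduced as an added Python example (not code from the original post, s3curl or Riak CS). It builds the Signature V2 string to sign both ways and shows that the HMAC-SHA1 signatures only agree once the host is on the client's endpoint list; `canonical_resource` is a simplified, assumed model of the client-side logic, and the secret is a placeholder.

```python
import base64
import hashlib
import hmac

def canonical_resource(host, path, endpoints):
    """Simplified, assumed model of client-side resource canonicalization.

    A host on the endpoint list is addressed path-style, so the resource is
    just the path. A host of the form <bucket>.<endpoint> contributes the
    bucket. Any other host is taken to be a bucket name itself and is
    prefixed to the path.
    """
    for ep in endpoints:
        if host == ep:
            return path
        if host.endswith("." + ep):
            return "/" + host[: -len(ep) - 1] + path
    return "/" + host + path

def string_to_sign(method, date, resource, content_md5="", content_type=""):
    # Signature V2 layout: verb, Content-MD5, Content-Type, Date, resource
    # (this request carries no x-amz-* headers).
    return "\n".join([method, content_md5, content_type, date, resource])

def sign(secret, sts):
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values. The same Date is used on both sides so that the
# resource is the only difference; the secret is a placeholder.
SECRET = "EXAMPLE-ADMIN-SECRET"
DATE = "Mon, 08 Feb 2016 14:00:58 +0000"
HOST, PATH = "s3.mydoma.in", "/riak-cs/users"

def compare(endpoints):
    """Return (client_sts, server_sts, signatures_match)."""
    client = string_to_sign("GET", DATE, canonical_resource(HOST, PATH, endpoints))
    server = string_to_sign("GET", DATE, PATH)  # resource as Riak CS logged it
    match = hmac.compare_digest(sign(SECRET, client), sign(SECRET, server))
    return client, server, match

if __name__ == "__main__":
    for eps in (["s3.amazonaws.com"], ["s3.amazonaws.com", "s3.mydoma.in"]):
        client, server, ok = compare(eps)
        print(eps, repr(client), "match" if ok else "MISMATCH (AccessDenied)")
```

When a signed request is rejected with no error in the server logs, diffing the two strings to sign like this isolates whether the verb, date, headers or resource is the part that disagrees.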