在使用Java AWS SDK在Ceph对象网关上创建角色时出现异常。

huangapple go评论76阅读模式
英文:

Exception when creating a role on Ceph Object Gateway using Java AWS SDK

问题

我正在尝试按照 Ceph 文档的 示例,使用 Java AWS SDK(版本 2.5.16)来测试其 STS 功能。在调用 IamClient 的 createRole 方法时,它在流程的早期阶段就失败了。抛出的异常是:

software.amazon.awssdk.services.iam.model.IamException: null (Service: Iam, Status Code: 403, Request ID: tx0000000000000000000f4-005f689d69-396f9b-default)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleErrorResponse(HandleResponseStage.java:115)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleResponse(HandleResponseStage.java:73)
    ...
    at software.amazon.awssdk.services.iam.DefaultIamClient.createRole(DefaultIamClient.java:1406)

所以并没有太多可以依据的信息。

调用 API 时使用的凭证的用户具有以下设置
(通过在命令行上运行 radosgw-admin user info --uid admin-api-user 获取):

{
    "user_id": "admin-api-user",
    "display_name": "Admin API User",
    "email": "",
    "suspended": 0,
    ...
    "keys": [
        {
            "user": "admin-api-user",
            "access_key": "abc",
            "secret_key": "xyz"
        }
    ],
    ...
}

当我尝试从命令行创建角色时,而不是使用 Java SDK 创建角色,通过运行

radosgw-admin role create --role-name=test --assume-role-policy-doc={"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/TESTER"]},"Action":["sts:AssumeRole"]}]}

它可以正常工作。对于可能导致问题的原因,任何提示都将不胜感激!

英文:

I am trying to follow the Ceph documentation's examples to test its STS functionality using the Java AWS SDK (v 2.5.16). It is failing rather early on in the process when calling the IamClient's createRole method. The exception thrown is:

software.amazon.awssdk.services.iam.model.IamException: null (Service: Iam, Status Code: 403, Request ID: tx0000000000000000000f4-005f689d69-396f9b-default)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleErrorResponse(HandleResponseStage.java:115)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleResponse(HandleResponseStage.java:73)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:58)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:41)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:64)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:36)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:77)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:39)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.doExecute(RetryableStage.java:113)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.execute(RetryableStage.java:86)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:62)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:42)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:57)
	at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:37)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.executeWithTimer(ApiCallTimeoutTrackingStage.java:80)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:60)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:42)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
	at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:240)
	at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:96)
	at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:120)
	at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:73)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:44)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:55)
	at software.amazon.awssdk.services.iam.DefaultIamClient.createRole(DefaultIamClient.java:1406)

so there is not much to go on.

The user whose credentials are being used in calling the API has the following settings
(obtained by runningradosgw-admin user info --uid admin-api-user on the command line)

{
    "user_id": "admin-api-user",
    "display_name": "Admin API User",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "admin-api-user",
            "access_key": "abc",
            "secret_key": "xyz"
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "buckets",
            "perm": "*"
        },
        {
            "type": "metadata",
            "perm": "*"
        },
        {
            "type": "usage",
            "perm": "*"
        },
        {
            "type": "users",
            "perm": "*"
        },
        {
            "type": "zone",
            "perm": "*"
        }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}

When instead of trying to create the role using the Java SDK, I create it from the command line by running

radosgw-admin role create --role-name=test --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

it works fine. Any hints at what might be causing the problem would be appreciated!

答案1

得分: 1

我刚刚发现文档没有列出所有可分配给用户的可用管理员权限。所以除了上面用户信息列表中的权限之外,还有两个可以添加的权限,分别是"roles"和"user-policy"。我在这个邮件列表条目中偶然发现了这些内容。
一旦我添加了"roles"权限,createRole调用就成功了。

英文:

Nevermind, I just figured out that the documentation does not list all the available admin capabilities that one can assign to a user. So apart from those in the user info listing above, there are two more which can be added, namely "roles" and "user-policy". I stumbled across those in a user info sample on this mailing list entry.
Once I added the "roles" capability, the createRole call succeeds.

huangapple
  • 本文由 发表于 2020年9月21日 22:00:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/63993872.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定