
Exception when creating a role on Ceph Object Gateway using Java AWS SDK

I am trying to follow the Ceph documentation's examples to test its STS functionality using the Java AWS SDK (v2.5.16). It is failing rather early on in the process when calling the IamClient's createRole method. The exception thrown is:

software.amazon.awssdk.services.iam.model.IamException: null (Service: Iam, Status Code: 403, Request ID: tx0000000000000000000f4-005f689d69-396f9b-default)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleErrorResponse(HandleResponseStage.java:115)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleResponse(HandleResponseStage.java:73)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:58)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:41)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:64)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:36)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:77)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:39)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.doExecute(RetryableStage.java:113)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.execute(RetryableStage.java:86)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:62)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:42)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:57)
    at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:37)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.executeWithTimer(ApiCallTimeoutTrackingStage.java:80)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:60)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:42)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
    at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:240)
    at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:96)
    at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:120)
    at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:73)
    at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:44)
    at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:55)
    at software.amazon.awssdk.services.iam.DefaultIamClient.createRole(DefaultIamClient.java:1406)

so there is not much to go on.

The user whose credentials are being used in calling the API has the following settings (obtained by running radosgw-admin user info --uid admin-api-user on the command line):

{
    "user_id": "admin-api-user",
    "display_name": "Admin API User",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "admin-api-user",
            "access_key": "abc",
            "secret_key": "xyz"
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "buckets",
            "perm": "*"
        },
        {
            "type": "metadata",
            "perm": "*"
        },
        {
            "type": "usage",
            "perm": "*"
        },
        {
            "type": "users",
            "perm": "*"
        },
        {
            "type": "zone",
            "perm": "*"
        }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}

When, instead of trying to create the role using the Java SDK, I create it from the command line by running

radosgw-admin role create --role-name=test --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

it works fine. Any hints at what might be causing the problem would be appreciated!

Never mind, I just figured out that the documentation does not list all the available admin capabilities that one can assign to a user. So apart from those in the user info listing above, there are two more which can be added, namely "roles" and "user-policy". I stumbled across those in a user info sample on this mailing list entry. Once I added the "roles" capability, the createRole call succeeds.
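For reference, a minimal Java SDK v2 client for the createRole call discussed above, written as an added example (not the Ceph documentation's code or the asker's). It assumes a placeholder RGW endpoint and the admin user's keys from the listing; the catch block maps the bare 403 to the missing "roles" cap identified in the answer.

```java
import java.net.URI;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.CreateRoleRequest;
import software.amazon.awssdk.services.iam.model.CreateRoleResponse;
import software.amazon.awssdk.services.iam.model.IamException;

public class RgwCreateRole {
    // Assumed values: the RGW endpoint is a placeholder; the keys are the
    // (redacted) ones from the user info listing in the question.
    private static final String RGW_ENDPOINT = "http://rgw.example.internal:8000";
    private static final String ACCESS_KEY = "abc";
    private static final String SECRET_KEY = "xyz";

    // Same trust policy as the radosgw-admin command in the question:
    // only the RGW user TESTER may call sts:AssumeRole on this role.
    private static final String TRUST_POLICY =
            "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
          + "\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},"
          + "\"Action\":[\"sts:AssumeRole\"]}]}";

    public static void main(String[] args) {
        // RGW does not route by region, but SigV4 signing needs one; the
        // endpoint override is what directs the IAM call to the gateway.
        try (IamClient iam = IamClient.builder()
                .region(Region.US_EAST_1)
                .endpointOverride(URI.create(RGW_ENDPOINT))
                .credentialsProvider(StaticCredentialsProvider.create(
                        AwsBasicCredentials.create(ACCESS_KEY, SECRET_KEY)))
                .build()) {
            CreateRoleRequest request = CreateRoleRequest.builder()
                    .roleName("test")
                    .assumeRolePolicyDocument(TRUST_POLICY)
                    .build();
            CreateRoleResponse response = iam.createRole(request);
            System.out.println("Created role " + response.role().arn());
        } catch (IamException e) {
            // RGW answers with a bare 403 (no message) when the calling user
            // lacks the "roles" admin cap. Grant it and retry:
            //   radosgw-admin caps add --uid=admin-api-user --caps="roles=*"
            if (e.statusCode() == 403) {
                System.err.println("403 from RGW, request " + e.requestId()
                        + ": verify the caller has the roles cap");
            } else {
                throw e;
            }
        }
    }
}
```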
