I am using Object Storage Service - Put Bucket ACL on Alibaba Cloud Instance. As PutBucketACL interface is used to modify the access permissions for a bucket. Using below mentioned request syntax.
PUT /? acl HTTP/1.1
x-oss-acl: Permission
Host: BucketName.oss-cn-hangzhou.aliyuncs.com
Date: GMT Date
Authorization: SignatureValue
I am getting 403 Forbidden message and Error Code is showing as AccessDenied.
I appreciate any assistance with this.
For your request, the result should be introduced like follows
HTTP/1.1 200 OK
x-oss-request-id: xxxxxxxxxxxxx
Date: GMT Date
Content-Length: 0
Connection: keep-alive
Server: AliyunOSS
If it fails and throws an error like 403 Forbidden then you are not authorized to change the bucket ACL permissions.
Please check the following to ensure the access
Check whether you have enough permission to change the bucket permission (Bucket Owernership)
Check whether you are using the correct Accesskey Pairs
Check the host (This also may cause 403 Forbidden error)
Related
I need help in figuring out how to enable CORS (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) on an object-storage bucket please?
At the moment, Cross-Origin-Resource sharing is enabled for OCI ObjectStorage native & Swift API.
➜ ~ git:(master) ✗ curl -I https://objectstorage.us-phoenix-1.oraclecloud.com
HTTP/1.1 404 Not Found
Date: Wed, 12 Dec 2018 01:52:00 GMT
Connection: keep-alive
opc-request-id: 286901e2-4180-812c-2779-18b415009904
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,PUT,GET,HEAD,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Credentials,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Connection,opc-client-info,opc-request-id
Sadly, it seems like Oracle's object storage does not support CORS headers (nor ACLS - shame).
If you are generating pre-signed URLs to files in the private bucket, you could use the "Sec-Fetch-Mode" request header to know if the browser will check CORS for file.
See details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
So you can do the following:
if Sec-Fetch-Mode = cors, you should download the file to your server and then send it to the browser (that way the file origin will be the same as your application).
if it's not, then you can generate a pre-signed URL and redirect the browser to it.
One last thing, IE and Safari browsers will not send the "Sec-Fetch-Mode" header even if they still check for cors, so in their case, the solution of sending the file through your server is to be done.
More about pre-signed URLs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
In our company the web app that we are testing uses the active directory roles assigned to the user for accessing the website.
Edit:
Important information that I forgot to mention is that, while accessing the website I am not prompted for the username and password. The website is only displayed if I have the correct Active Directory role assigned to my user profile.
For Example,
Opening IE as myself - able to access the website.
Opening IE as a service account (with required Active Directory roles) - able to access the website.
Opening IE as a different user outside my project - not able to access the website.
I have tried (skeptically, desperate to get it working) Basic/ Kerberos Authorization in the HTTP Authorization Manager and even running JMeter as that service account still no luck. I keep getting the below
Thread Name: Users 1-1
Sample Start: 2017-04-26 17:08:18 CDT
Load time: 83
Connect Time: 13
Latency: 83
Size in bytes: 438
Sent bytes:136
Headers size in bytes: 243
Body size in bytes: 195
Sample Count: 1
Error Count: 1
Data type ("text"|"bin"|""): text
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.1 401 Unauthorized
Server: nginx/1.10.1
Date: Wed, 26 Apr 2017 22:08:18 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: deny
X-Content-Type-Options: nosniff
HTTPSampleResult fields:
ContentType: text/html
DataEncoding: null
I am just trying to find out if any one here has got the JMeter working in a similar scenario/ if any one can point me in the right direction to overcome this hurdle.
Thanks all for your help in advance.
You need to identify the exact implementation of the authentication in your application.
Given you receive WWW-Authenticate: Negotiate - this is definitely not Basic HTTP Auth.
Negotiate may stand either for NTLM or for Kerberos (or in some cases for both, i.e. if Kerberos is not successful it will fall back to NTLM) and JMeter needs to be configured differently for these schemes.
For example for NTLM you need to provide only credentials and domain in the HTTP Authorization Manager and for Kerberos you need to populate Realm and set your Kerberos settings (KDC and login config) under jaas.conf and krb5.conf files
See Windows Authentication with Apache JMeter article for more information and example configurations.
I'm following the steps here . I've got the authorization code in the browser, but get a:
** Access error: protocol error: "Server error: HTTP/1.0 400 Bad Request"
when I generate my request to try and obtain my token. I changed the target to http so that I could trace the http request in wireshark and I get this with line wrap added:
POST /oauth2/v3/token HTTP/1.0
Accept: */*
Accept-Charset: utf-8
Host: www.googleapis.com
User-Agent: REBOL
Content-Type: application/x-www-form-urlencoded
Content-Length: 251
code=url-encoded-my-authorisation-code&
client_id=my-client-id.apps.googleusercontent.com&
client_secret=my-client-secret&
redirect_uri=urn-blah-blah&
grant_type=authorization_code
which looks good to me.
When I use the http instead, I get this message
{"error":"internal_failure","error_description":"SSL is required to perform this operation."}
but unfortunately it's not telling me if my request is otherwise off to help me with the ssl request.
PS: I've progressed further. I removed the URL encoding from the redirect_uri and now I get an invalid_grant error. Before this it complained of a missing scheme for the redirect_uri.
On one occasion I did success in obtaining an access token but I've not been able to reproduce this. I saw my app listed in those I've granted access tokens. I removed my app and tried to grant again but keep failing.
My clock is correct so that's not the issue. The oauth2 playground works fine and as far as i can tell I'm doing the same but without success.
Mine is an installed app so I can't provide my credentials to the playground as a way to trust their redirect_uri is not provided and I get an error.
It seems that there is a limit on refresh_tokens and although removing the app from those with authority to access my calendar did not work, deleting my project from the https://console.developers.google.com/ and recreating them worked. My code then ran successfully without any changes.
Try change url to get info about token from Google use https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={accessToken}
Be careful vith version api
I am using Jmeter for performance testing and as i try to replay the request I am getting the following response header
I am using HTTP Authorization Manager with the following info
base url - example.com
username - username
password - kind
domain - example.com:80
Realm -
Mech - Basic_digest
Body size in bytes: 0
Sample Count: 1
Error Count: 1
Response code: 401
Response message: Unauthorized
Response headers:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="Secured Area"
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
anythoughts on what I should try different
Thanks
Assumption 1: you're providing realm Mech and server expects it to be Secured Area.
As per RFC 1945
The realm attribute (case-insensitive) is required for all
authentication schemes which issue a challenge. The realm value
(case-sensitive), in combination with the canonical root URL of the
server being accessed, defines the protection space. These realms
allow the protected resources on a server to be partitioned into a
set of protection spaces, each with its own authentication scheme
and/or authorization database. The realm value is a string, generally
assigned by the origin server, which may have additional semantics
specific to the authentication scheme.
So try changing "Realm" in to "Secured Area" in HTTP Authorization Manager to see how it goes.
Assumption 2: authentication is not "Basic". See Windows Authentication with Apache JMeter guide for details on how to bypass NTLM and Kerberos authentication challenges.
3/13 - I did resolve this by adding a authorization header and removing the authorization manager all together.
I followed all the instructions and 'troubleshooting' guide for CORS but I have a feeling it's just not working.. i've spent the last 2 days just trying to list a bucket contents and not matter how i configure my CORS for my bucket it fails same way.
What I'm using:
An angularJS client app talking directly to Google Cloud Storage using JSON API from my local machine (i.e. localhost)
Followed all the advice here:
https://developers.google.com/storage/docs/cross-origin
My Bucket:
gs://okrp-dev
THE ERROR (chrome latest browser)
XMLHttpRequest cannot load https://storage.googleapis.com/storage/v1beta2/b/okrp-dev/o. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
My CORS file now (though i've tried every other permutation):
bash-3.2$ gsutil cors get gs://okrp-dev
<?xml version="1.0" ?>
<CorsConfig>
<Cors>
<Origins>
<Origin>*</Origin>
<Origin>
http://localhost</Origin>
</Origins>
<Methods>
<Method>GET</Method>
<Method>POST</Method>
<Method>HEAD</Method>
</Methods>
<ResponseHeaders>
<ResponseHeader>*</ResponseHeader>
</ResponseHeaders>
<MaxAgeSec>86400</MaxAgeSec>
</Cors>
</CorsConfig>
Trace from Chrome dev tools Network tab:
Remote Address:74.125.193.132:443
Request URL:https://storage.googleapis.com/storage/v1beta2/b/okrp-dev/o
Request Method:OPTIONS
Status Code:200 OK
Request Headers
:host:
storage.googleapis.com
:method:OPTIONS
:path: /storage/v1beta2/b/okrp-dev/o
:scheme:https
:version:
HTTP/1.1
accept:*/*
accept-encoding:
gzip,deflate,sdch
accept-language:en-US,en;q=0.8,tr;q=0.6
access-control-request-headers:access-control-allow-origin, accept, authentication
access-control-request-method:GET
cache-control:
no-cache
origin:
http://localhost
pragma:
no-cache
referer:http://localhost/okrp/app/
Response Headersview source
alternate-protocol:443:quic
cache-control:
private, max-age=0
content-length:0
content-type:
text/html; charset=UTF-8
server:HTTP Upload Server Built on Mar 5 2014 15:51:04 (1394063464)
status:200 OK
version:
HTTP/1.1
NOTE I have the authentication working fine. I'm no longer getting a 401. Only 404.
NOTE I also of course totally opened up all permission on the bucket and object and that does not help at all.
How else can I troubleshoot this??