Amazon Web Services: 403 Forbidden error from the Gremlin console against AWS Neptune

Tags: amazon-web-services, amazon-iam, gremlin, gremlin-server, amazon-neptune

Thanks a lot in advance for your help.

I am trying to set up my AWS Neptune environment following the AWS instructions. The setup seems fine, and I can check the status from the Neptune notebook installation. The status message is:

{
  "status": "healthy",
  "startTime": "Tue May 12 04:24:52 UTC 2020",
  "dbEngineVersion": "1.0.2.2.R2",
  "role": "writer",
  "gremlin": {
    "version": "tinkerpop-3.4.3"
  },
  "sparql": {
    "version": "sparql-1.1"
  },
  "labMode": {
    "ObjectIndex": "disabled",
    "ReadWriteConflictDetection": "enabled"
  }
}
However, I cannot connect to it through the Gremlin console from an EC2 client instance; I get a 403 Forbidden error, as shown below:


         \,,,/
         (o o)
-----oOOo-(3)-oOOo-----
plugin activated: tinkerpop.server
plugin activated: tinkerpop.utilities
plugin activated: tinkerpop.tinkergraph
gremlin> :remote connect tinkerpop.server conf/neptune-remote.yaml
WARN  org.apache.tinkerpop.gremlin.driver.Cluster  - Using deprecated SSL trustCertChainFile support
ERROR org.apache.tinkerpop.gremlin.driver.Handler$GremlinResponseHandler  - Could not process the response
io.netty.handler.codec.http.websocketx.WebSocketHandshakeException: Invalid handshake response getStatus: 403 Forbidden
    at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:226)
    at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:276)
    at org.apache.tinkerpop.gremlin.driver.handler.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:69)
    at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)

The IAM role I assigned to the EC2 instance has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "neptune-db:*"
            ],
            "Resource": [
                "arn:aws:neptune-db:ap-southeast-2:<my aws account number>:*/*"
            ]
        }
    ]
}
My neptune-remote.yaml file is as follows:

hosts: [<my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com]
port: 8182
connectionPool: { enableSsl: true, trustCertChainFile: "SFSRootCAG2.pem"}
serializer: { className: org.apache.tinkerpop.gremlin.driver.ser.GryoMessageSerializerV3d0, config: { serializeResultToString: true }}
To debug this, I tried Apache TinkerPop Gremlin Console versions 3.4.1, 3.4.3 and 3.4.6. They all return the same error.

I also connected successfully to the host and port above with telnet, as shown below, so this is not a security group or connectivity problem:

$ telnet <my neptune cluster name>.cluster-<cluster id>.ap-southeast-2.neptune.amazonaws.com 8182
Trying 172.30.1.200...
Connected to xxxxx-xxxxxxxx.cluster-xxxxxx.ap-southeast-2.neptune.amazonaws.com.
Escape character is '^]'.

I have been struggling with this for a while; any help or hints would be much appreciated.


Thanks

Adding the answer based on the comments, in case someone else runs into this too.

If IAM authentication is enabled on your Amazon Neptune cluster, all query requests must be signed with Signature Version 4 (SigV4). See [1] for more information.


[1]

Happy to try to help. A few questions to narrow it down... Is IAM authentication enabled on your cluster? From the EC2 instance, can you run curl <endpoint>:8182/status? Is the EC2 instance in the same VPC as Neptune?

Hi Kelvin, thanks a lot for your help. I just tried curl <endpoint>:8182/status and got: curl: (52) Empty reply from server. The EC2 instance is in the same VPC as Neptune, but it is in a public subnet, per the AWS instructions.

Is IAM security enabled on your Neptune cluster? If so, you have to sign the requests with SigV4. Can you curl the cluster's /status API?

You should use HTTPS in the curl command: curl https://<endpoint>:8182/status. Check whether that works. I am fairly sure that if IAM auth is really enabled on the cluster it should give you a 403 as well. To check that, describe the cluster's details with the Neptune console or the CLI.

IAM DB auth is enabled for the Neptune cluster. When I try curl https://<endpoint>:8182/status I get {"requestId":"...","code":"AccessDeniedException","detailedMessage":"Missing Authentication Token"}.
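The answer above says that requests to an IAM-authenticated Neptune cluster must be SigV4-signed, and the last comment shows what an unsigned request gets back. What that signing actually consists of is shown here as an added example; it is not part of the original thread and not AWS's own client code. It is a standard-library Python implementation of SigV4 for the GET /status call from the thread, together with the recomputation a service performs on its side, so the "Missing Authentication Token", wrong-key and tampered-request outcomes can be reproduced offline. The endpoint, access key, secret key, session token and timestamp are constructed stand-ins.

```python
"""SigV4-sign an Amazon Neptune HTTP request and verify it the way the service
does. Added example using only the standard library; host, credentials and
timestamp below are made up."""
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "neptune-db"        # SigV4 service name for Neptune data-plane calls
ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request. `headers` is lowercase-keyed and must hold
    host and x-amz-date; every header in it becomes part of the signature."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    names = sorted(headers)
    canonical_headers = "".join(
        f"{k}:{' '.join(headers[k].split())}\n" for k in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def _signature(creq, secret_key, region, amz_date):
    """Derive the date/region/service-scoped key and sign the string-to-sign."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac_sha256(key, part)
    sig = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return scope, sig


def sign_request(method, host, path, query, payload, access_key, secret_key,
                 region, amz_date, session_token=None):
    """Return the headers to send. Temporary credentials, which is what an EC2
    instance role hands out, also need x-amz-security-token, and that header
    is signed along with host and x-amz-date."""
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    creq, signed = canonical_request(method, path, query, headers, payload)
    scope, sig = _signature(creq, secret_key, region, amz_date)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def verify_request(method, path, query, payload, headers, secret_key, region):
    """Service-side check: recompute the signature over exactly the headers the
    client declared as signed and compare in constant time. No Authorization
    header is the 'Missing Authentication Token' case; a mismatch is a 403."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    fields = dict(p.strip().split("=", 1)
                  for p in auth[len(ALGORITHM) + 1:].split(",") if "=" in p)
    try:
        subset = {n: headers[n] for n in fields["SignedHeaders"].split(";")}
        amz_date = subset["x-amz-date"]
    except KeyError:
        return False
    creq, _ = canonical_request(method, path, query, subset, payload)
    _, expected = _signature(creq, secret_key, region, amz_date)
    return hmac.compare_digest(expected, fields.get("Signature", ""))


# Constructed stand-ins for the poster's cluster endpoint and instance-role creds.
HOST = "mycluster.cluster-abc123.ap-southeast-2.neptune.amazonaws.com"
REGION = "ap-southeast-2"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLETOKEN"
AMZ_DATE = "20200512T042452Z"


def signed_status_request():
    """The GET /status call from the thread, signed with the constructed creds."""
    return sign_request("GET", HOST, "/status", {}, b"", ACCESS_KEY, SECRET_KEY,
                        REGION, AMZ_DATE, session_token=SESSION_TOKEN)


if __name__ == "__main__":
    for name, value in signed_status_request().items():
        print(f"{name}: {value}")
```

For a real call, take the instance role's temporary credentials (access key, secret key and session token) from the EC2 instance metadata service, use the current UTC time in the x-amz-date format, and send the returned headers with the GET over HTTPS on port 8182; the signature is only accepted within a short window around x-amz-date, so a badly skewed client clock also ends in an access-denied response. The same signing has to be applied to the HTTP upgrade request the Gremlin console sends when it opens its WebSocket, which the plain tinkerpop.server remote does not do; AWS publishes a SigV4 channelizer for the Gremlin console and Java driver (the amazon-neptune-sigv4-signer project on AWS Labs at the time of writing), and the Neptune documentation on IAM authentication describes how to configure it.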