
Bug 1936647

Summary: [RGW] Using LDAP with HDP/S3A unable to put objects
Product: [Red Hat Storage] Red Hat Ceph Storage
Component: RGW
Version: 4.1
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Mike Hackett <mhackett>
Assignee: Matt Benjamin (redhat) <mbenjamin>
QA Contact: Tejas <tchandra>
CC: cbodley, ceph-eng-bugs, dparkes, gsitlani, kbader, mbenjamin, mmuench, sweil, tserlin
Target Release: 4.2z1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-14.2.11-146.el8cp, ceph-14.2.11-146.el7cp
Doc Type: If docs needed, set a value
Last Closed: 2021-04-28 20:13:21 UTC
Type: Bug
Bug Blocks: 2006703

Description Mike Hackett 2021-03-08 20:58:10 UTC
Description of problem:
When using LDAP or LDAP STS-lite with HDP/S3A we can list and delete in a bucket, but we cannot put objects.

We are testing two auth methods:

- Plain LDAP auth
- STS-lite authentication

When using the AWS CLI we are able to do all operations without issues in both cases, plain LDAP and STS-lite.

When testing again using the exact same credentials with HDP/S3A we get very strange behaviour:

- Plain LDAP auth: we are able to list and delete objects, but we can't put objects into buckets (or create folders/objects); we get a 400 error from the LDAP engine.

- STS-lite auth: we are able to list and delete objects, but we can't put objects into buckets (or create folders/objects); we get a 403 error from the STS engine. (With STS-lite we are using an S3A provider that we give the STS credentials to, so it's not running the getsession API call; it is just using the STS creds and token created previously.)


Version-Release number of selected component (if applicable):
4.1




Additional info:

Comment 12 errata-xmlrpc 2021-04-28 20:13:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage security, bug fix, and enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1452