Bug 2181251
| Summary: | rgw: keystone EC2 auth does not support STREAMING-AWS4-HMAC-SHA256-PAYLOAD | | |
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Matt Benjamin (redhat) <mbenjamin> |
| Component: | RGW | Assignee: | Marcus Watts <mwatts> |
| Status: | CLOSED ERRATA | QA Contact: | Hemanth Sai <hmaheswa> |
| Severity: | medium | Docs Contact: | Akash Raj <akraj> |
| Priority: | unspecified | | |
| Version: | 5.3 | CC: | akraj, ceph-eng-bugs, cephqe-warriors, kdreyer, mwatts, tserlin |
| Target Milestone: | --- | Flags: | mbenjamin: needinfo? (mwatts), mkasturi: needinfo? (mwatts), mbenjamin: needinfo? (mwatts), akraj: needinfo? (mwatts) |
| Target Release: | 6.1z1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ceph-17.2.6-99.el9cp | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-03 16:45:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2221020 | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 6.1 Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4473

Description of problem:

```c
/* Some external authorizers (like Keystone) aren't fully compliant with
 * AWSv4. They do not provide the secret_key which is necessary to handle
 * the streamed upload. */
```

Tested on current Pacific (16.2.11), with Keystone Xena, the same test works on local rgw user.

The test is to use any client capable of chunked upload, warp from MinIO here. On large object chunked upload it refuses with 501 Not Implemented response when keystone access key is used, while using local rgw user it passes. This happens of course only with s3v4 signature on STREAMING-AWS4-HMAC-SHA256-PAYLOAD transfer.
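
Why the secret key matters for this transfer mode, as an added example that is not Ceph's or the reporter's code: every chunk of a STREAMING-AWS4-HMAC-SHA256-PAYLOAD body carries its own HMAC chained to the previous signature, so the receiver has to derive the SigV4 signing key itself. The function names, the `None` secret standing in for the Keystone case, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret_key: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: needs the user's secret key itself."""
    key = hmac_sha256(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        key = hmac_sha256(key, part)
    return key

def chunk_signature(key, timestamp, region, prev_sig, data: bytes) -> str:
    """Signature of one chunk, chained to the previous signature."""
    scope = f"{timestamp[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256-PAYLOAD", timestamp, scope, prev_sig,
        EMPTY_SHA256, hashlib.sha256(data).hexdigest()])
    return hmac_sha256(key, string_to_sign).hex()

def sign_chunks(secret_key, timestamp, region, seed_sig, chunks):
    """Client side: [(data, signature), ...], closed by the empty chunk."""
    key, prev, out = signing_key(secret_key, timestamp[:8], region), seed_sig, []
    for data in list(chunks) + [b""]:
        prev = chunk_signature(key, timestamp, region, prev, data)
        out.append((data, prev))
    return out

def verify_chunks(secret_key, timestamp, region, seed_sig, signed_chunks):
    """Receiver side, HTTP-style status. secret_key=None is an assumption:
    an authorizer that checked the request itself but returned no secret."""
    if secret_key is None:
        return 501  # no key material: chunk signatures cannot be recomputed
    key, prev = signing_key(secret_key, timestamp[:8], region), seed_sig
    for data, sig in signed_chunks:
        prev = chunk_signature(key, timestamp, region, prev, data)
        if not hmac.compare_digest(prev, sig):
            return 403  # tampered, reordered or wrongly keyed chunk
    return 200

if __name__ == "__main__":  # constructed sample values, not from the bug report
    args = ("20230403T000000Z", "us-east-1", "0" * 64)
    body = sign_chunks("constructed-secret", *args, [b"a" * 65536, b"b" * 1024])
    print(verify_chunks("constructed-secret", *args, body), verify_chunks(None, *args, body))
```

The seed signature (`"0" * 64` here) stands in for the signature from the request's Authorization header, which is the only signature an external authorizer ever sees.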