Bug 2268234

Summary: [rgw][s3-tests]: test_list_buckets_invalid_auth and test_list_buckets_bad_auth both failed with "AccessDenied" error code but it is expecting "InvalidAccessKeyId" and "SignatureDoesNotMatch"
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGWAssignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED ERRATA QA Contact: Chaithra <ckulal>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.0CC: akraj, ceph-eng-bugs, cephqe-warriors, ckulal, mbenjamin, rpollack, tserlin
Target Milestone: ---Keywords: Automation, Regression
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.1.0-68.el9cp Doc Type: Bug Fix
Doc Text:
.Error code of local authentication engine is now returned correctly Previously, incorrect error codes were returned when the local authentication engine was specified last in the authentication order and when the previous authentication engines were not applicable. As a result, incorrect error codes were returned. With this fix, the code returns the error code of the local authentication engine in case the previous external authentication engines are not applicable for authenticating a request and correct error codes are returned.
 Story Points: ---
Clone Of:
: 2311625 (view as bug list) Environment:
Last Closed: 2024-11-25 09:00:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2311625, 2317218    

Description Hemanth Sai 2024-03-06 18:40:37 UTC 
Description of problem:
[rgw][s3-tests]: test_list_buckets_invalid_auth and test_list_buckets_bad_auth both failed with "AccessDenied" error code but it is expecting "InvalidAccessKeyId" and "SignatureDoesNotMatch" respectively


2024-02-12 14:07:14,393 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'________________________ test_list_buckets_invalid_auth ________________________'
2024-02-12 14:07:14,393 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b''
2024-02-12 14:07:14,394 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'    def test_list_buckets_invalid_auth():'
2024-02-12 14:07:14,394 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        bad_auth_client = get_bad_auth_client()'
2024-02-12 14:07:14,395 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        e = assert_r'
2024-02-12 14:07:14,395 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'aises(ClientError, bad_auth_client.list_buckets)'
2024-02-12 14:07:14,396 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        status, error_code = _get_status_and_error_code(e.response)'
2024-02-12 14:07:14,397 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        assert status == 403'
2024-02-12 14:07:14,397 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b">       assert error_code == 'InvalidAccessKeyId'"
2024-02-12 14:07:14,398 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b"E       AssertionError: assert 'AccessDenied' == 'InvalidAccessKeyId'"
2024-02-12 14:07:14,399 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         '
2024-02-12 14:07:14,399 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         - InvalidAccessKeyId'
2024-02-12 14:07:14,400 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         + AccessDenied'
2024-02-12 14:07:14,400 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b''
2024-02-12 14:07:14,401 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b's3tests_boto3/functional/test_s3.py:5174: AssertionError'
2024-02-12 14:07:14,401 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'--------------------------- Captured stdout teardown ---------------------------'
2024-02-12 14:07:14,402 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'Done with cleanup of buckets in tests.'
2024-02-12 14:07:14,402 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'Done with cleanup of buckets in tests.'
2024-02-12 14:07:14,403 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'Done with cleanup of buckets in tests.'
2024-02-12 14:07:14,404 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'__________________________ test_list_buckets_bad_auth __________________________'
2024-02-12 14:07:14,404 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b''
2024-02-12 14:07:14,405 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'    def test_list_buckets_bad_auth():'
2024-02-12 14:07:14,405 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        main_access_key = get_main_aws_access_key()'
2024-02-12 14:07:14,406 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        bad_auth_client = get_bad_auth_client(aws_access_key_id=main_access_key)'
2024-02-12 14:07:14,407 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        e = assert_raises(ClientError, bad_auth_client.list_buckets)'
2024-02-12 14:07:14,407 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        status, error_code = _get_status_and_error_code(e.response)'
2024-02-12 14:07:14,408 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'        assert status == 403'
2024-02-12 14:07:14,408 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'>       assert e'
2024-02-12 14:07:14,409 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b"rror_code == 'SignatureDoesNotMatch'"
2024-02-12 14:07:14,409 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b"E       AssertionError: assert 'AccessDenied' == 'SignatureDoesNotMatch'"
2024-02-12 14:07:14,410 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         '
2024-02-12 14:07:14,411 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         - SignatureDoesNotMatch'
2024-02-12 14:07:14,411 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b'E         + AccessDenied'
2024-02-12 14:07:14,412 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b''
2024-02-12 14:07:14,412 (cephci.test_s3) [DEBUG] - cephci.Weekly.rgw.23.cephci.ceph.ceph.py:1528 - b's3tests_boto3/functional/test_s3.py:5182: AssertionError'



automation fail logs on 7.0z1 and 7.1:

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/18.2.0-153/Weekly/rgw/27/tier-2_ssl_rgw_ecpool_test/execute_s3tests_0.log

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/18.2.1-11/Weekly/rgw/23/sanity_rgw/execute_s3tests_0.log




these tests passed on pacific and quincy
pass logs on pacific and quincy:

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/16.2.10-248/Weekly/rgw/11/tier-2_rgw_ssl_s3tests/execute_s3tests_0.log

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/16.2.10-248/Weekly/rgw/11/tier-2_rgw_regression/execute_s3tests_0.log

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/17.2.6-196/Weekly/rgw/24/tier-2_rgw_regression/execute_s3tests_0.log

http://magna002.ceph.redhat.com/cephci-jenkins/test-runs/17.2.6-196/Weekly/rgw/24/tier-2_rgw_ssl_s3tests/execute_s3tests_0.log


Version-Release number of selected component (if applicable):
ceph version 18.2.0-153

How reproducible:
always

Steps to Reproduce:
1.deploy rhcs cluster 7.0 with rgw daemon
2.clone and configure s3tests repo
3.execute s3tests

Actual results:
test_list_buckets_invalid_auth and test_list_buckets_bad_auth both failed with "AccessDenied" error code

Expected results:
expected error code for test_list_buckets_invalid_auth and test_list_buckets_bad_auth are "InvalidAccessKeyId" and "SignatureDoesNotMatch" respectively

Additional info:
Comment 8 errata-xmlrpc 2024-11-25 09:00:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:10216
Comment 9 Red Hat Bugzilla 2025-03-26 04:25:24 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days