Bug 2316975

Summary: s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before external
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Casey Bodley <cbodley>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: VERIFIED
QA Contact: Tejas <tchandra>
Severity: medium
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.0
CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tchandra, tserlin
Target Milestone: ---
Flags: prsrivas: needinfo? (mbenjamin)
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-19.2.1-123.el9cp
Doc Type: Bug Fix
Doc Text:
S3 requests no longer rejected if local is listed before external for the authentication order

Previously, S3 requests were rejected when the request was not authenticated successfully by the local authentication engine. As a result, S3 requests using OpenStack Keystone EC2 credentials failed to authenticate with Ceph Object Gateway when the authentication order had local before external. With this fix, S3 requests signed using OpenStack Keystone EC2 credentials successfully authenticate with Ceph Object Gateway, even when the authentication order has local listed before external.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2351689

Description Casey Bodley 2024-10-07 14:58:10 UTC
Description of problem:

With a non-default setting of rgw_s3_auth_order that puts "local" before "external", s3 requests with keystone ec2 credentials fail with:

> 2024-07-19T20:26:54.036+0000 7f18284d2640 20 req 16144285743181518599 0.000000000s s3:list_buckets rgw::auth::s3::LocalEngine rejected with reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640 20 req 16144285743181518599 0.000000000s s3:list_buckets rgw::auth::s3::AWSAuthStrategy rejected with reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640  5 req 16144285743181518599 0.000000000s s3:list_buckets Failed the auth strategy, reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640 10 failed to authorize request

In this case, the local engine's error prevents us from trying the external (keystone) engine, so we return that error directly.


Version-Release number of selected component (if applicable):


How reproducible: when keystone is used for s3 auth and rgw_s3_auth_order is reversed


Steps to Reproduce:
1. set up keystone and ec2 credentials
2. configure "rgw_s3_auth_order: sts, local, external"
3. issue s3 requests with ec2 credentials

Actual results:

403 Forbidden (InvalidAccessKeyId)

Expected results:

200 OK

Additional info:
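
As an added illustration (example code written for this page, not Ceph's own auth code and not part of the report above), the following Python model shows why the configured order matters. An ordered chain of auth engines walks the request through each engine: an engine that does not recognise the access key should answer "not mine" so the next engine gets a turn, while an engine that recognises the key but cannot verify the signature must stop the chain. `local_engine_strict` models the behaviour reported above, where the local engine's InvalidAccessKeyId (the reason=-2028 in the log, the InvalidAccessKeyId in the actual results) is returned directly instead of handing off to the external engine. All credential stores, access keys, secrets and the STS session table are constructed placeholders; the Keystone EC2 validation is stood in for by a local dictionary lookup, and signatures are a plain HMAC-SHA256 over a string rather than real SigV4.

```python
"""Toy model of an ordered S3 auth-engine chain (added example, not Ceph code)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, Optional


class Outcome(Enum):
    GRANTED = auto()   # engine authenticated the request
    DENIED = auto()    # engine owns this credential but refused it: final answer
    REJECTED = auto()  # engine does not know this credential: let the next engine try


@dataclass(frozen=True)
class Request:
    access_key: str
    string_to_sign: str
    signature: str
    session_token: Optional[str] = None


@dataclass(frozen=True)
class Result:
    outcome: Outcome
    engine: str
    reason: str = ""


# Constructed credential stores with placeholder values (not real keys).
LOCAL_SECRETS = {"LOCALACCESSKEY": "local-secret"}
KEYSTONE_EC2_SECRETS = {"KEYSTONEEC2KEY": "keystone-secret"}  # stands in for a Keystone EC2 lookup
STS_SESSIONS = {"session-token-1": ("STSACCESSKEY", "sts-secret")}  # token -> (access key, secret)


def sign(secret: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string to sign, hex encoded (toy stand-in for SigV4)."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def _verify(name: str, secrets: Dict[str, str], req: Request, unknown_key: Outcome) -> Result:
    secret = secrets.get(req.access_key)
    if secret is None:
        # The caller decides whether an unknown key is a hard error or a pass.
        return Result(unknown_key, name, "InvalidAccessKeyId")
    if not hmac.compare_digest(sign(secret, req.string_to_sign), req.signature):
        # Known key, bad signature: this engine owns the answer, never fall through.
        return Result(Outcome.DENIED, name, "SignatureDoesNotMatch")
    return Result(Outcome.GRANTED, name)


def sts_engine(req: Request) -> Result:
    """Only handles requests carrying a session token; everything else is 'not mine'."""
    if req.session_token is None:
        return Result(Outcome.REJECTED, "sts", "no session token")
    entry = STS_SESSIONS.get(req.session_token)
    if entry is None or entry[0] != req.access_key:
        return Result(Outcome.DENIED, "sts", "InvalidToken")
    return _verify("sts", {entry[0]: entry[1]}, req, Outcome.DENIED)


def local_engine_strict(req: Request) -> Result:
    """Models the reported behaviour: an unknown access key is a final error."""
    return _verify("local", LOCAL_SECRETS, req, Outcome.DENIED)


def local_engine(req: Request) -> Result:
    """Intended behaviour: an unknown key means 'not mine', so the chain continues."""
    return _verify("local", LOCAL_SECRETS, req, Outcome.REJECTED)


def external_engine(req: Request) -> Result:
    return _verify("external", KEYSTONE_EC2_SECRETS, req, Outcome.REJECTED)


def authenticate(order: str, req: Request,
                 local: Callable[[Request], Result] = local_engine) -> Result:
    """Walk the engines in rgw_s3_auth_order style ("sts, local, external").

    GRANTED or DENIED ends the walk; REJECTED hands the request to the next engine.
    If every engine rejects, the last rejection becomes the response.
    """
    engines = {"sts": sts_engine, "local": local, "external": external_engine}
    names = [n.strip() for n in order.split(",") if n.strip()]
    if not names:
        raise ValueError("empty auth order")
    for name in names:
        if name not in engines:
            raise ValueError(f"unknown auth engine in order: {name!r}")
        last = engines[name](req)
        if last.outcome is not Outcome.REJECTED:
            return last
    return last  # every engine said "not mine"


if __name__ == "__main__":
    keystone_req = Request("KEYSTONEEC2KEY", "GET /", sign("keystone-secret", "GET /"))
    for order, local in (("sts, local, external", local_engine_strict),
                         ("sts, local, external", local_engine),
                         ("sts, external, local", local_engine_strict)):
        print(f"{order:22} {local.__name__:20} -> {authenticate(order, keystone_req, local)}")
```

The distinction between "unknown key" and "known key, bad signature" is what keeps the fall-through safe in this model: a key that the local store owns is never handed to another engine after its signature check fails, so reordering the engines changes only who gets to answer for credentials the earlier engines have never seen.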

Comment 1 Storage PM bot 2024-10-07 14:58:22 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.