Red Hat Bugzilla – Bug 1472464
rgw multisite: objects encrypted with SSE-C fail to sync
Last modified: 2017-12-05 18:36:49 EST
Description of problem:
Objects encrypted with the SSE-C mode do not sync to other zones.
How reproducible:
All objects encrypted with SSE-C in a multisite configuration.
Steps to Reproduce:
1. Set up a multisite configuration with two zones, including this additional value in ceph.conf:
rgw crypt require ssl = false
2. Create a bucket on the primary zone
3. Upload an object to that bucket on the primary zone, using these additional request headers:
Actual results:
The object never syncs to the secondary zone. The radosgw log will contain errors like 'data sync: ERROR: failed to sync object: BUCKET:563951e3-8440-4b01-aa6d-58b4fea0e5d0.4110.1/fooo' (where bucket name is BUCKET and object name is fooo).
Expected results:
The object syncs to the secondary zone in its encrypted form. The decrypted object can be read from the secondary zone with a GET request that includes the same x-amz-server-side-encryption- headers used to upload.
Additional info:
Multisite sync requests are rejected with '400 Bad Request' because they do not provide the x-amz-server-side-encryption- headers needed to decrypt the object data. This is enforced by rgw_s3_prepare_decrypt().
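An added example (not part of the bug report and not Ceph code): a Python sketch that extracts the bucket, bucket instance ID and object name from the 'failed to sync object' errors quoted above, so the objects that did not replicate can be listed per bucket. The log lines are constructed, and the parsing assumes the bucket:instance-id/object layout shown in the report with no tenant prefix; the message is not specific to SSE-C, so the result is a list of candidates to check.

```python
import re
from collections import defaultdict

# Message fragment quoted in the bug report. Nothing is assumed about the
# text before it on the line (timestamp, thread id, log level).
SYNC_ERR = re.compile(
    r"data sync: ERROR: failed to sync object: "
    r"(?P<bucket>[^:/\s]+):(?P<instance>[^/\s]+)/(?P<key>.+)$"
)

def failed_sync_objects(lines):
    """Return {(bucket, instance_id): {object_key: failure_count}}."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SYNC_ERR.search(line.rstrip("\r\n"))
        if m:
            # Object keys may contain '/' or ':'; only the first ':' and the
            # first '/' after it are treated as separators.
            failures[(m["bucket"], m["instance"])][m["key"]] += 1
    return {k: dict(v) for k, v in failures.items()}

def report(failures):
    """Format one line per object, with the number of failed attempts."""
    out = []
    for (bucket, instance), keys in sorted(failures.items()):
        for key, count in sorted(keys.items()):
            out.append(f"{bucket} ({instance}) {key} failed x{count}")
    return out

# Constructed sample lines; only the error text follows the bug report.
ZONE = "563951e3-8440-4b01-aa6d-58b4fea0e5d0"
SAMPLE_LOG = [
    f"2017-07-18 14:02:11.1 7f3a 0 data sync: ERROR: failed to sync object: BUCKET:{ZONE}.4110.1/fooo\n",
    "2017-07-18 14:02:11.2 7f3a 1 civetweb: GET /BUCKET/fooo HTTP/1.1 400\n",
    f"2017-07-18 14:02:41.5 7f3a 0 data sync: ERROR: failed to sync object: BUCKET:{ZONE}.4110.1/fooo\n",
    f"2017-07-18 14:03:02.9 7f3a 0 data sync: ERROR: failed to sync object: BUCKET:{ZONE}.4110.1/dir/sub/bar.bin\n",
    f"2017-07-18 14:03:07.0 7f3b 0 data sync: ERROR: failed to sync object: LOGS:{ZONE}.4122.3/a:b.txt\n",
]

if __name__ == "__main__":
    for row in report(failed_sync_objects(SAMPLE_LOG)):
        print(row)
```

A count above 1 means the sync was retried and failed again, which matches the report's observation that the object never syncs.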
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.