Bug 2105950 - [RHOS17][RFE] RGW does not support get object with temp_url using SHA256 digest (required for FIPS)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 5.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 6.1
Assignee: Marcus Watts
QA Contact: Hemanth Sai
Docs Contact: Akash Raj
URL:
Whiteboard:
Depends On:
Blocks: 2071977 2107098 2192813
Reported: 2022-07-11 10:07 UTC by bkopilov
Modified: 2023-10-14 04:25 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.Swift object storage dialect now includes support for `SHA-256` and `SHA-512` digest algorithms
Previously, support for digest algorithms was added by OpenStack Swift in 2022, but Ceph Object Gateway had not implemented them. With this release, Ceph Object Gateway’s Swift object storage dialect now includes support for `SHA-256` and `SHA-512` digest methods in `tempurl` operations. Ceph Object Gateway can now correctly handle `tempurl` operations by recent OpenStack Swift clients.
Clone Of:
Environment:
Last Closed: 2023-06-15 09:15:33 UTC
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 56564 | 0 | None | None | None | 2022-07-14 11:50:59 UTC
Red Hat Issue Tracker | OSP-17549 | 0 | None | None | None | 2022-07-11 10:13:14 UTC
Red Hat Issue Tracker | RHCEPH-4738 | 0 | None | None | None | 2022-07-11 10:25:47 UTC
Red Hat Product Errata | RHSA-2023:3623 | 0 | None | None | None | 2023-06-15 09:16:56 UTC

Description bkopilov 2022-07-11 10:07:26 UTC
Description of problem:
RHOS17, Ceph backend with radosgw.

Tempest tests failed due to permissions.
tempest.api.object_storage.test_object_temp_url.ObjectTempUrlTest.test_get_object_using_temp_url[id-f91c96d4-1230-4bba-8eb9-84476d18d991]
tempest.api.object_storage.test_object_temp_url.ObjectTempUrlTest.test_get_object_using_temp_url_key_2[id-671f9583-86bd-4128-a034-be282a68c5d8]
tempest.api.object_storage.test_object_temp_url.ObjectTempUrlTest.test_get_object_using_temp_url_with_inline_query_parameter[id-9d9cfd90-708b-465d-802c-e4a8090b823d]
tempest.api.object_storage.test_object_temp_url.ObjectTempUrlTest.test_head_object_using_temp_url[id-249a0111-5ad3-4534-86a7-1993d55f9185]
tempest.api.object_storage.test_object_temp_url.ObjectTempUrlTest.test_put_object_using_temp_url[id-9b08dade-3571-4152-8a4f-a4f2a873a735]



Looks like the problem is related to the object get action when temp_url is used.
The time is synced between the undercloud and the overcloud.


Traceback from tempest side:

testtools.testresult.real._StringException: pythonlogging:'': {{{
2022-07-08 21:36:13,542 107319 INFO     [tempest.lib.common.rest_client] Request (ObjectTempUrlTest:setUp): 204 HEAD https://10.0.0.112:13808/swift/v1/AUTH_426e6a1c8a7344fc987bc5dde93c9b37 0.009s
2022-07-08 21:36:13,543 107319 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'x-timestamp': '1657316173.54163', 'x-account-container-count': '1', 'x-account-object-count': '1', 'x-account-bytes-used': '1024', 'x-account-bytes-used-actual': '4096', 'x-account-storage-policy-default-placement-container-count': '1', 'x-account-storage-policy-default-placement-object-count': '1', 'x-account-storage-policy-default-placement-bytes-used': '1024', 'x-account-storage-policy-default-placement-bytes-used-actual': '4096', 'x-account-meta-temp-url-key': 'Meta', 'x-trans-id': 'tx0000093d99e4118e564fc-0062c8a34d-37a2-default', 'x-openstack-request-id': 'tx0000093d99e4118e564fc-0062c8a34d-37a2-default', 'accept-ranges': 'bytes', 'content-type': 'application/json; charset=utf-8', 'date': 'Fri, 08 Jul 2022 21:36:13 GMT', 'connection': 'close', 'status': '204', 'content-location': 'https://10.0.0.112:13808/swift/v1/AUTH_426e6a1c8a7344fc987bc5dde93c9b37'}
        Body: b''
2022-07-08 21:36:13,551 107319 INFO     [tempest.lib.common.rest_client] Request (ObjectTempUrlTest:test_get_object_using_temp_url): 403 GET https://10.0.0.112:13808/swift/v1/AUTH_426e6a1c8a7344fc987bc5dde93c9b37/tempest-TestContainer-1109999474/tempest-TestObject-1968150659?temp_url_sig=1238e7330e4aa963381dc833eedcd05a9b7de9465e6b5d16483ba91afe2f0654&temp_url_expires=1657317173 0.008s
2022-07-08 21:36:13,551 107319 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'content-length': '117', 'x-trans-id': 'tx00000839b0fbb63e18f96-0062c8a34d-37a2-default', 'x-openstack-request-id': 'tx00000839b0fbb63e18f96-0062c8a34d-37a2-default', 'accept-ranges': 'bytes', 'content-type': 'application/json; charset=utf-8', 'date': 'Fri, 08 Jul 2022 21:36:13 GMT', 'connection': 'close', 'status': '403', 'content-location': 'https://10.0.0.112:13808/swift/v1/AUTH_426e6a1c8a7344fc987bc5dde93c9b37/tempest-TestContainer-1109999474/tempest-TestObject-1968150659?temp_url_sig=1238e7330e4aa963381dc833eedcd05a9b7de9465e6b5d16483ba91afe2f0654&temp_url_expires=1657317173'}
        Body: b'{"Code":"AccessDenied","RequestId":"tx00000839b0fbb63e18f96-0062c8a34d-37a2-default","HostId":"37a2-default-default"}'
}}}

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/tempest/common/utils/__init__.py", line 89, in wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/lib/python3.9/site-packages/tempest/api/object_storage/test_object_temp_url.py", line 102, in test_get_object_using_temp_url
    resp, body = self.object_client.get(url)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 314, in get
    return self.request('GET', url, extra_headers, headers)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 720, in request
    self._error_checker(resp, resp_body)
  File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 821, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'Code': 'AccessDenied', 'RequestId': 'tx00000839b0fbb63e18f96-0062c8a34d-37a2-default', 'HostId': '37a2-default-default'}


Version-Release number of selected component (if applicable):


How reproducible:
With radosgw.

Steps to Reproduce:

Actual results:


Expected results:


Additional info:
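
The mismatch behind the 403 above, as an added example (not code from this report, tempest, or Ceph): a tempurl signature is an HMAC over `METHOD\nexpires\npath`, and for hex signatures the length identifies the digest, as in OpenStack Swift's tempurl scheme. The key, path, and the `allowed` set, which models a gateway limited to certain digests, are constructed for illustration.

```python
import hashlib
import hmac
import string

# Hex length of temp_url_sig -> HMAC digest that produced it.
HEX_LEN_TO_DIGEST = {40: "sha1", 64: "sha256", 128: "sha512"}


def sign_temp_url(key, method, expires, path, digest):
    """Hex HMAC over "METHOD\\nexpires\\npath", the tempurl signing input."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), body, getattr(hashlib, digest)).hexdigest()


def digest_of_sig(sig):
    """Digest implied by a hex temp_url_sig, or None if it is not a known form."""
    if not sig or any(c not in string.hexdigits for c in sig):
        return None
    return HEX_LEN_TO_DIGEST.get(len(sig))


def verify_temp_url(key, method, expires, path, sig, now, allowed):
    """Accept only unexpired signatures made with a digest listed in `allowed`."""
    digest = digest_of_sig(sig)
    if digest is None or digest not in allowed or now > expires:
        return False
    expected = sign_temp_url(key, method, expires, path, digest)
    # Constant-time comparison; sig is known to be ASCII hex at this point.
    return hmac.compare_digest(expected, sig.lower())


# Constructed sample values; not the key or object from the report.
KEY = "example-temp-url-key"
PATH = "/swift/v1/AUTH_example/container/object"
EXPIRES = 1657317173
NOW = EXPIRES - 1000

# Signature copied from the 403 request in the tempest log above.
LOGGED_SIG = "1238e7330e4aa963381dc833eedcd05a9b7de9465e6b5d16483ba91afe2f0654"

if __name__ == "__main__":
    print("logged signature digest:", digest_of_sig(LOGGED_SIG))
    sig = sign_temp_url(KEY, "GET", EXPIRES, PATH, "sha256")
    for allowed in ({"sha1"}, {"sha1", "sha256", "sha512"}):
        ok = verify_temp_url(KEY, "GET", EXPIRES, PATH, sig, NOW, allowed)
        print(sorted(allowed), "->", "200" if ok else "403")
```

The logged `temp_url_sig` is 64 hex characters, so it was produced with SHA-256; a verifier that does not list that digest rejects it even when the key and expiry are correct.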

Comment 3 RHEL Program Management 2022-07-11 10:25:45 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 4 bkopilov 2022-07-11 10:44:24 UTC
ceph.conf: 
[root@controller-0 ceph-admin]# more assimilate_ceph.conf 
[global]
fsid = dd5fa3bb-4c1e-50c7-be91-2b4b46578e21
mon host = 172.17.3.104
osd_pool_default_pg_num = 32
osd_pool_default_pgp_num = 32
osd_pool_default_size = 3
rgw_keystone_accepted_admin_roles = ResellerAdmin, swiftoperator
rgw_keystone_accepted_roles = member, Member, admin
rgw_keystone_admin_domain = default
rgw_keystone_admin_password = vnFDtT0dztNZ50GMOWDg02oSX
rgw_keystone_admin_project = service
rgw_keystone_admin_user = swift
rgw_keystone_api_version = 3
rgw_keystone_implicit_tenants = true
rgw_keystone_revocation_interval = 0
rgw_keystone_url = http://172.17.1.101:5000
rgw_max_attr_name_len = 128
rgw_max_attr_size = 256
rgw_max_attrs_num_in_req = 90
rgw_s3_auth_use_keystone = true
rgw_swift_account_in_url = true
rgw_swift_enforce_content_length = true
rgw_swift_versioning_enabled = true
rgw_trust_forwarded_https = true

Comment 47 errata-xmlrpc 2023-06-15 09:15:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 6.1 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:3623

Comment 48 Red Hat Bugzilla 2023-10-14 04:25:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.