Description of problem: The mechanism for bucket notification utilizing SASL and SCRAM-SHA-256 does not work. Version-Release number of selected component (if applicable): 5.0z4 How reproducible: Steps to Reproduce: 1. Setup bucket notifications using SASL with SCRAM-SHA-256 Mechanism. Actual results: According to RGW logs, numerous bucket notifications have been retiring and eventually failing due to connection timeout. Authentication fails, according to Kafka logs. Expected results: Notifications managed to be pushed to Kafka. Additional info: A customer asked that this be addressed as soon as possible and deamnds a hotfix when fixed Adding Github PR https://github.com/ceph/ceph/pull/48911 Screenshots of the RGW's log will be added tomorrow.
note that PR #48911 is just for testing SASL with SCRAM-SHA-256 mechanism. the actual work of supporting SASL with mechanisms other than PLAIN is this: https://github.com/ceph/ceph/pull/4818 please also note that the combination of SASL (regardless of mechanism) over non-TLS connection (a.k.a PLAINTEXT) will be supported only when: rgw_allow_notification_secrets_in_cleartext=true since we consider sending user/password over non-TLS connection a security issue.
Created attachment 1930740 [details] RGW log contaiing bucket notifications retries and eventually fails.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Ceph Storage 6.0 Bug Fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:1360