Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2150907

Summary: [RFE] Bucket Notifications Using SASL with SCRAM-SHA-256 Mechanism
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Raz <rmaabari>
Component: RGWAssignee: Yuval Lifshitz <ylifshit>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: urgent Docs Contact: Akash Raj <akraj>
Priority: unspecified    
Version: 5.0CC: akraj, amilzon, cbodley, ceph-eng-bugs, cephqe-warriors, gjose, hmaheswa, kbader, kkeithle, mbenjamin, tserlin, uboppana, vumrao, ylifshit
Target Milestone: ---Keywords: FutureFeature
Target Release: 6.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-17.2.5-50.el9cp Doc Type: Enhancement
Doc Text:
.Kafka SASL/SCRAM security mechanism is added to bucket notifications With this release, Kafka SASL/SCRAM security mechanism is added to bucket notifications. To know how to use the feature, refer to the "kafka" section https://docs.ceph.com/en/latest/radosgw/notifications/#create-a-topic[_Create a topic_]. Note that end-to-end configuration for the feature,in case of testing, is out of scope of Ceph. To know more about end-to-end testing see https://github.com/ceph/ceph/blob/main/src/test/rgw/bucket_notification/README.rst#kafka-security-tests[_Kafka security tests_].
 Story Points: ---
Clone Of:
: 2160209 (view as bug list) Environment:
Last Closed: 2023-03-20 18:59:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2160209    
Attachments:
Description Flags
RGW log contaiing bucket notifications retries and eventually fails. none

Description Raz 2022-12-05 15:46:27 UTC 
Description of problem:
The mechanism for bucket notification utilizing SASL and SCRAM-SHA-256 does not work.


Version-Release number of selected component (if applicable):
5.0z4

How reproducible:


Steps to Reproduce:
1. Setup bucket notifications using SASL with SCRAM-SHA-256 Mechanism.


Actual results:
According to RGW logs, numerous bucket notifications have been retiring and eventually failing due to connection timeout.

Authentication fails, according to Kafka logs.

Expected results:
Notifications managed to be pushed to Kafka.

Additional info:

A customer asked that this be addressed as soon as possible and deamnds a hotfix when fixed

Adding Github PR 
https://github.com/ceph/ceph/pull/48911

Screenshots of the RGW's log will be added tomorrow.
Comment 1 Yuval Lifshitz 2022-12-05 17:35:52 UTC 
note that PR #48911 is just for testing SASL with SCRAM-SHA-256 mechanism.
the actual work of supporting SASL with mechanisms other than PLAIN is this: https://github.com/ceph/ceph/pull/4818

please also note that the combination of SASL (regardless of mechanism) over non-TLS connection (a.k.a PLAINTEXT) will be supported only when:
rgw_allow_notification_secrets_in_cleartext=true
since we consider sending user/password over non-TLS connection a security issue.
Comment 2 Raz 2022-12-07 09:30:56 UTC 
Created attachment 1930740 [details]
RGW log contaiing bucket notifications retries and eventually fails.
Comment 30 errata-xmlrpc 2023-03-20 18:59:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 6.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1360