Bug 2181251 - rgw: keystone EC2 auth does not support STREAMING-AWS4-HMAC-SHA256-PAYLOAD
Summary: rgw: keystone EC2 auth does not support STREAMING-AWS4-HMAC-SHA256-PAYLOAD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 5.3
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 6.1z1
Assignee: Marcus Watts
QA Contact: Hemanth Sai
Akash Raj
URL:
Whiteboard:
Depends On:
Blocks: 2221020
TreeView+ depends on / blocked
 
Reported: 2023-03-23 12:49 UTC by Matt Benjamin (redhat)
Modified: 2023-12-02 04:26 UTC (History)
6 users (show)

Fixed In Version: ceph-17.2.6-99.el9cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-03 16:45:09 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 58908 0 None None None 2023-03-23 12:49:13 UTC
Github ceph ceph pull 50550 0 None open rgw/keystone: use secret key from EC2 for sigv4 streaming mode 2023-04-05 16:14:42 UTC
Red Hat Issue Tracker RHCEPH-6300 0 None None None 2023-03-23 12:53:27 UTC
Red Hat Product Errata RHBA-2023:4473 0 None None None 2023-08-03 16:46:26 UTC

Description Matt Benjamin (redhat) 2023-03-23 12:49:14 UTC 
Description of problem:

    /* Some external authorizers (like Keystone) aren't fully compliant with
     * AWSv4. They do not provide the secret_key which is necessary to handle
     * the streamed upload. */

Tested on current Pacific (16.2.11), with Keystone Xena, the same test works on local rgw user.

The test is to use any client capable of chunked upload, warp form MinIO here. On large object chunked upload it refuses with 501 Not Implemented response when keystone access key is used, while using local rgw user it passes. This happens of course only with s3v4 signature on STREAMING-AWS4-HMAC-SHA256-PAYLOAD transfer.
Comment 11 errata-xmlrpc 2023-08-03 16:45:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 6.1 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4473
Comment 12 Red Hat Bugzilla 2023-12-02 04:26:28 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Note You need to log in before you can comment on or make changes to this bug.