2271399 – [rgw-ms][assume-role]:After a successful assume role api call on the secondary site, s3 bucket create fails with http_status 403

Bug 2271399 - [rgw-ms][assume-role]:After a successful assume role api call on the secondary site, s3 bucket create fails with http_status 403

Summary: [rgw-ms][assume-role]:After a successful assume role api call on the secondar...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW-Multisite
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	7.1
Assignee:	Pritha Srivastava
QA Contact:	Vidushi Mishra
Docs Contact:	Akash Raj
URL:
Whiteboard:
Duplicates (1):	2293036 (view as bug list)
Depends On:
Blocks:	2267614 2271595 2273547 2293036 2298578 2298579
TreeView+	depends on / blocked

Reported:	2024-03-25 12:47 UTC by Vidushi Mishra
Modified:	2025-01-30 09:36 UTC (History)
CC List:	8 users (show)
Fixed In Version:	ceph-18.2.1-120.el9cp
Doc Type:	Bug Fix
Doc Text:	.The authentication of the forwarded request on the primary site no longer fails Previously, an S3 request issued to secondary failed if temporary credentials returned by STS were used to sign the request. The failure occured because the request would be forwarded to the primary and signed using a system user's credentials which do not match the temporary credentials in the session token of the forwarded request. As a result of unmatched credentials, the authentication of the forwarded request on the primary site fails, which results in the failure of the S3 operation. With this fix, the authentication is by-passed by using temporary credentials in the session token in case a request is forwarded from secondary to primary. The system user's credentials are used to complete the authentication successfully.
Clone Of:
Clones:	2271595 2293036 (view as bug list)
Environment:
Last Closed:	2024-06-13 14:30:27 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	ceph ceph pull 56576	None	Draft	[DNM] rgw/sts: correcting authentication in case s3 ops are directed to a primary from secondary after assumerole.	2024-03-29 08:32:57 UTC
Github	red-hat-storage cephci pull 3545	None	open	Integration of assume-role test at multisite.	2024-03-27 09:11:05 UTC
Red Hat Issue Tracker	RHCEPH-8622	None	None	None	2024-03-25 12:47:32 UTC
Red Hat Product Errata	RHSA-2024:3925	None	None	None	2024-06-13 14:30:39 UTC

Comment 19 errata-xmlrpc 2024-06-13 14:30:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Critical: Red Hat Ceph Storage 7.1 security, enhancements, and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:3925

Note You need to log in before you can comment on or make changes to this bug.