Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2315856

Summary: s3 GetObject with partNumber doesn't decrypt SSE-C or SSE-S3
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Vidushi Mishra <vimishra>
Component: RGWAssignee: Marcus Watts <mwatts>
Status: CLOSED ERRATA QA Contact: Vidushi Mishra <vimishra>
Severity: medium Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 8.0CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin
Target Milestone: ---   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-20.1.0-26 Doc Type: Bug Fix
Doc Text:
.Multipart object decryption now works for `partNumber` requests Previously, if a multipart object was encrypted using SSE-C or SSE-S3, a get object request with `partNumber` did not decrypt the part. With this fix, the logic was updated to attach the saved crypt prefix, if present, when the get action is a get-part operation. This enables Ceph Object Gateway to decrypt the part for get object requests with `partNumber`.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2026-01-29 06:52:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2388233    

Description Vidushi Mishra 2024-10-01 08:24:12 UTC 
Description of problem:

When retrieving an object part via the aws s3api get-object command with --part-number, if the object is encrypted using SSE-S3 or SSE-C, the retrieved part remains encrypted instead of being automatically decrypted.

# ceph config set client.rgw.india.ms rgw_crypt_default_encryption_key  4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=

# aws --profile alice s3api create-multipart-upload --bucket new-alice-bucket-1 --key mp1

# aws --profile alice s3api upload-part --bucket new-alice-bucket-1  --key mp1 --part-number 1 --body part1-20M --upload-id 2~QourcEfLkXi2hPBOqwlADPXOK7iOEam

# aws --profile alice s3api upload-part --bucket new-alice-bucket-1  --key mp1 --part-number 2 --body part2-20M --upload-id 2~QourcEfLkXi2hPBOqwlADPXOK7iOEam

# aws --profile alice s3api  complete-multipart-upload --bucket new-alice-bucket-1  --key mp1 --upload-id 2~QourcEfLkXi2hPBOqwlADPXOK7iOEam --multipart-upload file://multipart.json


# aws --profile alice s3api  get-object --bucket new-alice-bucket-1  --key mp1 --part-number 1 test-part-1

[root@magna045 ~]# md5sum  test-part-1
97b7b940f61199ed8b6f2937360558d9

[root@magna045 ~]# md5sum part1-20M
8f4e33f3dc3e414ff94e5fb6905cba8c  part1-20M


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 6 errata-xmlrpc 2026-01-29 06:52:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536