2316975 – s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before external

Bug 2316975 - s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before external

Summary: s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before exte...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Ceph Storage
Classification:	Red Hat Storage
Component:	RGW
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	8.1
Assignee:	Pritha Srivastava
QA Contact:	Tejas
Docs Contact:	Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks:	2351689
TreeView+	depends on / blocked

Reported:	2024-10-07 14:58 UTC by Casey Bodley
Modified:	2025-10-25 04:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ceph-19.2.1-123.el9cp
Doc Type:	Bug Fix
Doc Text:	.S3 requests no longer rejected if local is listed before external for the authentication order Previously, S3 requests were rejected when the request is not authenticated successfully by the local authentication engine. As a result, S3 requests using OpenStack Keystone EC2 credentials failed to authenticate with Ceph Object Gateway when the authentication order had local before external With this fix, S3 requests signed using OpenStack Keystone EC2 credentials successfully authenticate with Ceph Object gateway, even with the authentication order has local listed before external.
Clone Of:
Environment:
Last Closed:	2025-06-26 12:17:01 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Ceph Project Bug Tracker	68393	None	None	None	2024-10-07 14:58:09 UTC
Red Hat Issue Tracker	RHCEPH-9930	None	None	None	2024-10-07 14:58:55 UTC
Red Hat Product Errata	RHSA-2025:9775	None	None	None	2025-06-26 12:17:09 UTC

Description Casey Bodley 2024-10-07 14:58:10 UTC

Description of problem:

with non-default setting of rgw_s3_auth_order that puts "local" before "external", s3 requests with keystone ec2 credentials fail with:

> 2024-07-19T20:26:54.036+0000 7f18284d2640 20 req 16144285743181518599 0.000000000s s3:list_buckets rgw::auth::s3::LocalEngine rejected with reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640 20 req 16144285743181518599 0.000000000s s3:list_buckets rgw::auth::s3::AWSAuthStrategy rejected with reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640  5 req 16144285743181518599 0.000000000s s3:list_buckets Failed the auth strategy, reason=-2028
> 2024-07-19T20:26:54.036+0000 7f18284d2640 10 failed to authorize request

in this case, the local engine's error prevents us from trying the external (keystone) engine, so we return that error directly


Version-Release number of selected component (if applicable):


How reproducible: when keystone is used for s3 auth and rgw_s3_auth_order is reversed


Steps to Reproduce:
1. set up keystone and ec2 credentials
2. configure "rgw_s3_auth_order: sts, local, external"
3. issue s3 requests with ec2 credentials

Actual results:

403 Forbidden (InvalidAccessKeyId)

Expected results:

200 OK

Additional info:

Comment 1 Storage PM bot 2024-10-07 14:58:22 UTC

Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 7 errata-xmlrpc 2025-06-26 12:17:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

Comment 8 Red Hat Bugzilla 2025-10-25 04:25:22 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

Note You need to log in before you can comment on or make changes to this bug.