Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2371109

Summary: [rgw][server-access-logging]: AuthenticationType in standard log record is populated with QueryString for unauthenticated requests as well
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGWAssignee: N Balachandran <nibalach>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 8.1CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin, vereddy, ylifshit
Target Milestone: ---   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-20.1.0-26 Doc Type: Bug Fix
Doc Text:
.Log records now correctly indicate authentication type for unauthenticated requests Previously, the `AuthenticationType` field in the log record was incorrectly set to `QueryString` for unauthenticated requests. With this fix, the field is set to hyphen (`-`) for unauthenticated requests.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2026-01-29 06:49:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2388233    

Description Hemanth Sai 2025-06-09 11:09:34 UTC 
Description of problem:
AuthenticationType is populated with QueryString for both unauthenticated requests and presigned url.

according to aws doc, AuthHeader for authentication headers, QueryString for query string (presigned URL), or a - for unauthenticated requests.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html


log snippet:

[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ curl http://10.0.65.81:80/src-std-bkt1/obj9KB_with_acl_2 -o obj9KB_with_acl_2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9000  100  9000    0     0  2197k      0 --:--:-- --:--:-- --:--:-- 2197k
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-05-18-54-58-32H8X0SDEX5OE3NL -
hsm src-std-bkt1 [05/Jun/2025:18:54:58 +0000] 10.0.65.126 anonymous 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.16603409792951116062 REST.GET.OBJECT obj9KB_with_acl_2 "GET /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - 59ms - "curl/7.76.1" - - - - QueryString 10.0.65.81 - - -


[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ venv/bin/python
Python 3.9.21 (main, Dec  5 2024, 00:00:00) 
[GCC 11.5.0 20240719 (Red Hat 11.5.0-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> import requests
>>> client = boto3.client("s3", aws_access_key_id="abc", aws_secret_access_key="abc",endpoint_url="http://10.0.65.81:80", region_name="us-east-1")
>>> 
>>> client.generate_presigned_url(ClientMethod="put_object", HttpMethod='PUT', Params={"Bucket": "src-std-bkt1", "Key": "obj9KB_with_presignedurl_1", "ACL": "private"})
'http://10.0.65.81:80/src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750'
>>> 
>>> requests.put('http://10.0.65.81:80/src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750',headers={'Origin':'example.com','x-amz-acl': 'private'},data=open('/home/cephuser/obj9KB'))
<Response [200]>
>>> 
>>> 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80  s3 ls s3://src-std-bkt1
2025-06-05 17:28:10       9000 obj9KB_1
2025-06-05 17:28:56       9000 obj9KB_2
2025-06-05 18:26:31       9000 obj9KB_with_acl_1
2025-06-05 18:26:20       9000 obj9KB_with_acl_2
2025-06-06 06:11:16       9000 obj9KB_with_presignedurl_1
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-06-06-11-16-O8PSCUVWG99MKBTB -
hsm src-std-bkt1 [06/Jun/2025:06:11:16 +0000] 10.0.65.126 hsm 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.16713924396845144484 REST.PUT.OBJECT obj9KB_with_presignedurl_1 "PUT /src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750 HTTP/1.1" 200 - 9000 9000 - 64ms - "python-requests/2.32.3" - - SigV2 - QueryString 10.0.65.81 - - -


Version-Release number of selected component (if applicable):
ceph version 19.2.1-211.el9cp

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
AuthenticationType is populated with QueryString for both unauthenticated requests and presigned url.

Expected results:
Expected QueryString for presigned url and - for unauthenticated requests

Additional info:
Comment 5 errata-xmlrpc 2026-01-29 06:49:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536