Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use Jira Cloud for all bug tracking management.

Bug 2371109

Summary: [rgw][server-access-logging]: AuthenticationType in standard log record is populated with QueryString for unauthenticated requests as well
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGWAssignee: N Balachandran <nibalach>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 8.1CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, rpollack, tserlin, vereddy, ylifshit
Target Milestone: ---   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-20.1.0-26 Doc Type: Bug Fix
Doc Text:
.Log records now correctly indicate authentication type for unauthenticated requests Previously, the `AuthenticationType` field in the log record was incorrectly set to `QueryString` for unauthenticated requests. With this fix, the field is set to hyphen (`-`) for unauthenticated requests.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2026-01-29 06:49:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2388233    

Description Hemanth Sai 2025-06-09 11:09:34 UTC 
Description of problem:
AuthenticationType is populated with QueryString for both unauthenticated requests and presigned url.

according to aws doc, AuthHeader for authentication headers, QueryString for query string (presigned URL), or a - for unauthenticated requests.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html


log snippet:

[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ curl http://10.0.65.81:80/src-std-bkt1/obj9KB_with_acl_2 -o obj9KB_with_acl_2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9000  100  9000    0     0  2197k      0 --:--:-- --:--:-- --:--:-- 2197k
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-05-18-54-58-32H8X0SDEX5OE3NL -
hsm src-std-bkt1 [05/Jun/2025:18:54:58 +0000] 10.0.65.126 anonymous 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.16603409792951116062 REST.GET.OBJECT obj9KB_with_acl_2 "GET /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - 59ms - "curl/7.76.1" - - - - QueryString 10.0.65.81 - - -


[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ venv/bin/python
Python 3.9.21 (main, Dec  5 2024, 00:00:00) 
[GCC 11.5.0 20240719 (Red Hat 11.5.0-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> import requests
>>> client = boto3.client("s3", aws_access_key_id="abc", aws_secret_access_key="abc",endpoint_url="http://10.0.65.81:80", region_name="us-east-1")
>>> 
>>> client.generate_presigned_url(ClientMethod="put_object", HttpMethod='PUT', Params={"Bucket": "src-std-bkt1", "Key": "obj9KB_with_presignedurl_1", "ACL": "private"})
'http://10.0.65.81:80/src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750'
>>> 
>>> requests.put('http://10.0.65.81:80/src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750',headers={'Origin':'example.com','x-amz-acl': 'private'},data=open('/home/cephuser/obj9KB'))
<Response [200]>
>>> 
>>> 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80  s3 ls s3://src-std-bkt1
2025-06-05 17:28:10       9000 obj9KB_1
2025-06-05 17:28:56       9000 obj9KB_2
2025-06-05 18:26:31       9000 obj9KB_with_acl_1
2025-06-05 18:26:20       9000 obj9KB_with_acl_2
2025-06-06 06:11:16       9000 obj9KB_with_presignedurl_1
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-06-06-11-16-O8PSCUVWG99MKBTB -
hsm src-std-bkt1 [06/Jun/2025:06:11:16 +0000] 10.0.65.126 hsm 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.16713924396845144484 REST.PUT.OBJECT obj9KB_with_presignedurl_1 "PUT /src-std-bkt1/obj9KB_with_presignedurl_1?AWSAccessKeyId=abc&Signature=k6O3RCw3nKdFXv%2FfKaabpSGVeN0%3D&x-amz-acl=private&Expires=1749193750 HTTP/1.1" 200 - 9000 9000 - 64ms - "python-requests/2.32.3" - - SigV2 - QueryString 10.0.65.81 - - -


Version-Release number of selected component (if applicable):
ceph version 19.2.1-211.el9cp

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
AuthenticationType is populated with QueryString for both unauthenticated requests and presigned url.

Expected results:
Expected QueryString for presigned url and - for unauthenticated requests

Additional info:
Comment 5 errata-xmlrpc 2026-01-29 06:49:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536