
Bug 2371110

Summary: [rgw][server-access-logging]: aclRequired is not populated with yes for put/get requests involved with ACL
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Hemanth Sai <hmaheswa>
Component: RGW
Assignee: N Balachandran <nibalach>
Status: CLOSED ERRATA
QA Contact: Hemanth Sai <hmaheswa>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.1
CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, rpollack, tserlin, ylifshit
Target Milestone: ---   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-20.1.0-26
Doc Type: Bug Fix
Doc Text:
.Log records now correctly indicate ACL-based authorization.
Previously, the `aclRequired` field in the log record displayed a hyphen (`-`), even when the request was authorized by an ACL. This was misleading because it suggested that the operation was authorized by a bucket policy. With this fix, the field is set to `Yes` whenever a request is authorized by an ACL.
Last Closed: 2026-01-29 06:50:02 UTC
Type: Bug
Bug Blocks: 2388233    

Description Hemanth Sai 2025-06-09 11:23:39 UTC
Description of problem:
aclRequired is not populated with yes for put/get requests involved with ACL
according to aws docs:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#aclrequired-s3
(If the request required an ACL for authorization, the string is Yes. If no ACLs were required, the string is -)


log snippet:

[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3api get-object-acl --bucket src-std-bkt1 --key obj9KB_with_acl_2
{
    "Owner": {
        "DisplayName": "hsm",
        "ID": "hsm"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "DisplayName": "hsm",
                "ID": "hsm",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 --profile hsm2 s3 cp s3://src-std-bkt1/obj9KB_with_acl_2 obj9KB_with_acl_2_download_with_hsm2
download: s3://src-std-bkt1/obj9KB_with_acl_2 to ./obj9KB_with_acl_2_download_with_hsm2
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-05-18-58-00-12AF3S8OB2S2R93J -
hsm src-std-bkt1 [05/Jun/2025:19:02:41 +0000] 10.0.65.126 hsm2 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.7310061161770853668 REST.HEAD.OBJECT obj9KB_with_acl_2 "HEAD /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - 7ms - "aws-cli/1.40.29 md/Botocore#1.38.30 ua/2.1 os/linux#5.14.0-503.40.1.el9_5.x86_64 md/arch#x86_64 lang/python#3.9.21 md/pyimpl#CPython m/D,N,Z,b cfg/retry-mode#legacy botocore/1.38.30" - - SigV4 - AuthHeader 10.0.65.81 - - -
hsm src-std-bkt1 [05/Jun/2025:19:02:41 +0000] 10.0.65.126 hsm2 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.6074931084405757323 REST.GET.OBJECT obj9KB_with_acl_2 "GET /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - 2ms - "aws-cli/1.40.29 md/Botocore#1.38.30 ua/2.1 os/linux#5.14.0-503.40.1.el9_5.x86_64 md/arch#x86_64 lang/python#3.9.21 md/pyimpl#CPython m/D,N,Z,b cfg/retry-mode#legacy botocore/1.38.30" - - SigV4 - AuthHeader 10.0.65.81 - - -
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ curl http://10.0.65.81:80/src-std-bkt1/obj9KB_with_acl_2 -o obj9KB_with_acl_2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9000  100  9000    0     0  2197k      0 --:--:-- --:--:-- --:--:-- 2197k
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ 
[cephuser@ceph-pri-hsm-ms-80-8qtbn5-node6 ~]$ aws --endpoint-url http://10.0.65.81:80 s3 cp s3://dest-bkt1/src-std-bkt1-logs-2025-06-05-18-54-58-32H8X0SDEX5OE3NL -
hsm src-std-bkt1 [05/Jun/2025:18:54:58 +0000] 10.0.65.126 anonymous 83eda868-859a-4bae-b02f-0cdf8e3500b0.74208.16603409792951116062 REST.GET.OBJECT obj9KB_with_acl_2 "GET /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - 59ms - "curl/7.76.1" - - - - QueryString 10.0.65.81 - - -


Version-Release number of selected component (if applicable):
ceph version 19.2.1-211.el9cp

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
aclRequired is populated with - for requests involved with ACL.

Expected results:
Expected aclRequired is populated with yes for requests involved with ACL.

Additional info:

Comment 6 errata-xmlrpc 2026-01-29 06:50:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 9.0 Security and Enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2026:1536
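
How a consumer of these logs can read `aclRequired` and separate ACL-authorized requests from ones that need review, as an added example that is not part of the bug report or of Ceph's code. The field order follows the AWS log format linked in the description; the field names, the `classify` labels and the sample records are assumptions constructed for illustration.

```python
import re

# Field order from the AWS server access log format linked in the report;
# the snake_case names are chosen for this example.
FIELDS = (
    "bucket_owner bucket time remote_ip requester request_id operation key "
    "request_uri http_status error_code bytes_sent object_size total_time "
    "turn_around_time referer user_agent version_id host_id signature_version "
    "cipher_suite authentication_type host_header tls_version "
    "access_point_arn acl_required"
).split()

# A token is a [bracketed time], a "quoted string", or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def parse_record(line):
    """Split one access log record into a dict keyed by FIELDS."""
    tokens = [t.strip('"') for t in TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))

def classify(rec):
    """Label what the record says about ACL use for this request."""
    if rec["acl_required"] == "Yes":
        return "acl"
    succeeded = rec["http_status"].startswith("2")
    if succeeded and rec["requester"] != rec["bucket_owner"]:
        # Non-owner succeeded and the log shows "-". On builds without the
        # fix that value is unreliable, so treat it as needing review.
        return "review"
    return "no-acl"

def audit(lines):
    """Return (requester, key, label) for each record."""
    return [(r["requester"], r["key"], classify(r))
            for r in map(parse_record, lines)]

# Constructed records in the shape of those in the report.
_TEMPLATE = ('hsm src-std-bkt1 [05/Jun/2025:19:02:41 +0000] 10.0.65.126 {who} '
             'req-{n} REST.GET.OBJECT obj9KB_with_acl_2 '
             '"GET /src-std-bkt1/obj9KB_with_acl_2 HTTP/1.1" 200 - - 9000 - '
             '2ms - "aws-cli/1.40.29" - - SigV4 - AuthHeader 10.0.65.81 - - {acl}')
SAMPLE = [_TEMPLATE.format(who=w, n=i, acl=a) for i, (w, a) in
          enumerate([("hsm2", "-"), ("hsm2", "Yes"), ("hsm", "-")])]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

On a build with the fix, a "review" row means the log attributes the non-owner's access to something other than an ACL; on earlier builds the same row may hide an ACL grant.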