Project

General

Profile

Bug #10062

s3-test failures using keystone authentication

Added by Abhishek Lekshmanan about 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Target version:
-
Start date:
11/11/2014
Due date:
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Using ceph 0.86 along with keystone gives about ~22 failures, while the same setup creating users with cephx authentication gives no failures. The failures are listed below,

ceph version 0.86 (97dcc0539dfa7dac3de74852305d51580b7b1f82)
s3tests.functional.test_headers.test_object_create_bad_date_before_today ... FAIL
s3tests.functional.test_headers.test_object_create_bad_date_after_today ... FAIL
s3tests.functional.test_headers.test_object_create_bad_date_after_end ... FAIL
s3tests.functional.test_headers.test_bucket_create_bad_date_before_today ... FAIL
s3tests.functional.test_headers.test_bucket_create_bad_date_after_today ... FAIL

s3tests.functional.test_s3.test_post_object_authenticated_request ... FAIL
s3tests.functional.test_s3.test_post_object_upload_larger_than_chunk ... FAIL
s3tests.functional.test_s3.test_post_object_set_key_from_filename ... FAIL
s3tests.functional.test_s3.test_post_object_ignored_header ... FAIL
s3tests.functional.test_s3.test_post_object_case_insensitive_condition_fields ... FAIL
s3tests.functional.test_s3.test_post_object_escaped_field_values ... FAIL
s3tests.functional.test_s3.test_post_object_success_redirect_action ... FAIL
s3tests.functional.test_s3.test_post_object_invalid_date_format ... FAIL
s3tests.functional.test_s3.test_post_object_user_specified_header ... FAIL
s3tests.functional.test_s3.test_post_object_condition_is_case_sensitive ... FAIL
s3tests.functional.test_s3.test_post_object_expires_is_case_sensitive ... FAIL
s3tests.functional.test_s3.test_post_object_missing_expires_condition ... FAIL
s3tests.functional.test_s3.test_post_object_missing_conditions_list ... FAIL
s3tests.functional.test_s3.test_post_object_upload_size_limit_exceeded ... FAIL
s3tests.functional.test_s3.test_post_object_missing_content_length_argument ... FAIL
s3tests.functional.test_s3.test_post_object_invalid_content_length_argument ... FAIL
s3tests.functional.test_s3.test_post_object_upload_size_below_minimum ... FAIL
s3tests.functional.test_s3.test_bucket_acl_default ... FAIL

the radosgw conf section was the standard one from docs

[client.radosgw.gateway]
host = ceph
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
log file = /var/log/ceph/client.radosgw.gateway.log 
rgw keystone url = http://127.0.0.1:35357
rgw keystone admin token = nova
rgw keystone accepted roles = admin, Member, _member_
rgw keystone token cache size = 100
rgw keystone revocation interval = 600
rgw s3 auth use keystone = true


Related issues

Related to rgw - Bug #10698: rgw: not failing POST requests if keystone not configured Resolved 01/30/2015

Associated revisions

Revision 4b35ae06 (diff)
Added by Abhishek Lekshmanan almost 4 years ago

rgw: check for timestamp for s3 keystone auth

This commit ensures that we check for timestamp of s3 request is within
acceptable grace time of radosgw
Addresses some failures in #10062
Fixes: #10062
Signed-off-by: Abhishek Lekshmanan <>

Revision 8b3dfc94 (diff)
Added by Abhishek Lekshmanan almost 4 years ago

rgw: check keystone auth also for s3 post requests

This patch adds keystone auth for s3 post requests, once a user fails in
cephx authentication, they are checked for keystone if configured.

Fixes #10062
Signed-off-by: Abhishek Lekshmanan <>

Revision 4e4372b8 (diff)
Added by Abhishek Lekshmanan almost 4 years ago

rgw: check for timestamp for s3 keystone auth

This commit ensures that we check for timestamp of s3 request is within
acceptable grace time of radosgw
Addresses some failures in #10062
Fixes: #10062
Signed-off-by: Abhishek Lekshmanan <>

(cherry picked from commit 4b35ae067fef9f97b886afe112d662c61c564365)

Revision 98866208 (diff)
Added by Abhishek Lekshmanan almost 4 years ago

rgw: check keystone auth also for s3 post requests

This patch adds keystone auth for s3 post requests, once a user fails in
cephx authentication, they are checked for keystone if configured.

Fixes #10062
Signed-off-by: Abhishek Lekshmanan <>

(cherry picked from commit 8b3dfc9472022ea45ad24e02e0aa21dfdad798f8)

Revision 9074eb7c (diff)
Added by Abhishek Lekshmanan over 3 years ago

rgw: check for timestamp for s3 keystone auth

This commit ensures that we check for timestamp of s3 request is within
acceptable grace time of radosgw
Addresses some failures in #10062
Fixes: #10062
Signed-off-by: Abhishek Lekshmanan <>

(cherry picked from commit 4b35ae067fef9f97b886afe112d662c61c564365)

History

#1 Updated by Abhishek Lekshmanan about 4 years ago

Looks like for a few of them eg. the date ones occur as it looks like radosgw doesn't consider checking the date headers once keystone returns successfully.

#2 Updated by Sage Weil almost 4 years ago

  • Priority changed from Normal to High

#3 Updated by Yehuda Sadeh almost 4 years ago

Fix merged into master.

#4 Updated by Yehuda Sadeh almost 4 years ago

  • Status changed from New to Resolved

#5 Updated by Abhishek Lekshmanan almost 4 years ago

Hi Yehuda, Sage

the patch addressed only the first 5 or so failures as mentioned.

The post_object* tests were still failing with a 403. Diving into this a
bit more, it looks like for post requests in rgw S3, only
`rgw_get_user_info_by_access_key` method is tried from the access_key recvd (as we don't authorize like get/put which tries keystone etc.), which fails with keystone

#6 Updated by Yehuda Sadeh almost 4 years ago

  • Backport set to firefly, giant

#7 Updated by Yehuda Sadeh almost 4 years ago

  • Status changed from Resolved to Pending Backport

#8 Updated by Loic Dachary almost 4 years ago

  • Status changed from Pending Backport to Resolved

#9 Updated by Yehuda Sadeh over 3 years ago

  • Status changed from Resolved to Pending Backport

#10 Updated by Loic Dachary over 3 years ago

  • Description updated (diff)

#11 Updated by Loic Dachary over 3 years ago

  • Subject changed from s3-test faolures using keystone authentication to s3-test failures using keystone authentication

#13 Updated by Abhishek Lekshmanan over 3 years ago

Loic Dachary wrote:

the backport should be combined with the issue #10698 patch as well

#14 Updated by Loic Dachary over 3 years ago

  • Status changed from Pending Backport to Resolved
  • Backport deleted (firefly, giant)

Backporting #10698 instead

#15 Updated by Abhishek Lekshmanan over 3 years ago

Loic Dachary wrote:

Backporting #10698 instead

Hi #10968 only fixes the POST issue, the timestamp checking introduced in pull [[https://github.com/ceph/ceph/pull/2993]] will probably have to be made seperately?

Also available in: Atom PDF