Project

General

Profile

Bug #15234

multisite: rgw returns NoSuchKey if a user from a non default zone tries to create a bucket

Added by Abhishek Lekshmanan about 8 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

If a user is created in a non-master zone and tries to create a bucket, it results in a 404 instead of a 403, we get a ErrorNoSuchKey instead of InvalidAccessKeyId

some logs below:
client log:

s3 -us create foobar

ERROR: ErrorNoSuchKey
  Extra Details:
    BucketName: foobar
    RequestId: tx000000000000000000489-0056f1224f-101d-fra
    HostId: 101d-fra-de

RGW secondary zone:

2016-03-22 11:45:35.409559 7fb3897fa700  1 ====== starting new request req=0x7fb3897f78d0 =====
2016-03-22 11:45:35.409572 7fb3897fa700  2 req 1161:0.000014::PUT /foobar/::initializing for trans_id = tx000000000000000000489-0056f1224f-101d-fra
2016-03-22 11:45:35.409576 7fb3897fa700 10 host=localhost
2016-03-22 11:45:35.409578 7fb3897fa700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2016-03-22 11:45:35.409586 7fb3897fa700 10 meta>> HTTP_X_AMZ_DATE
2016-03-22 11:45:35.409588 7fb3897fa700 10 x>> x-amz-date:Tue, 22 Mar 2016 10:45:35 GMT
2016-03-22 11:45:35.409599 7fb3897fa700 20 get_handler handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.409602 7fb3897fa700 10 handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.409602 7fb3897fa700  2 req 1161:0.000044:s3:PUT /foobar/::getting op 1
2016-03-22 11:45:35.409615 7fb3897fa700 10 op=27RGWCreateBucket_ObjStore_S3
2016-03-22 11:45:35.409616 7fb3897fa700  2 req 1161:0.000058:s3:PUT /foobar/:create_bucket:authorizing
2016-03-22 11:45:35.409637 7fb3897fa700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.409638 7fb3897fa700 10 auth_hdr:
PUT

x-amz-date:Tue, 22 Mar 2016 10:45:35 GMT
/foobar/
2016-03-22 11:45:35.409673 7fb3897fa700 15 calculated digest=IgDsG/rq6BocF4iXWCXxG8LOpTg=
2016-03-22 11:45:35.409674 7fb3897fa700 15 auth_sign=IgDsG/rq6BocF4iXWCXxG8LOpTg=
2016-03-22 11:45:35.409674 7fb3897fa700 15 compare=0
2016-03-22 11:45:35.409676 7fb3897fa700  2 req 1161:0.000117:s3:PUT /foobar/:create_bucket:normalizing buckets and tenants
2016-03-22 11:45:35.409677 7fb3897fa700 10 s->object=<NULL> s->bucket=foobar
2016-03-22 11:45:35.409679 7fb3897fa700  2 req 1161:0.000120:s3:PUT /foobar/:create_bucket:init permissions
2016-03-22 11:45:35.409680 7fb3897fa700  2 req 1161:0.000121:s3:PUT /foobar/:create_bucket:recalculating target
2016-03-22 11:45:35.409680 7fb3897fa700  2 req 1161:0.000122:s3:PUT /foobar/:create_bucket:reading permissions
2016-03-22 11:45:35.409682 7fb3897fa700  2 req 1161:0.000123:s3:PUT /foobar/:create_bucket:init op
2016-03-22 11:45:35.409683 7fb3897fa700  2 req 1161:0.000124:s3:PUT /foobar/:create_bucket:verifying op mask
2016-03-22 11:45:35.409683 7fb3897fa700 20 required_mask= 2 user.op_mask=7
2016-03-22 11:45:35.409684 7fb3897fa700  2 req 1161:0.000125:s3:PUT /foobar/:create_bucket:verifying op permissions
2016-03-22 11:45:35.410088 7fb3897fa700  2 req 1161:0.000529:s3:PUT /foobar/:create_bucket:verifying op params
2016-03-22 11:45:35.410093 7fb3897fa700  2 req 1161:0.000535:s3:PUT /foobar/:create_bucket:pre-executing
2016-03-22 11:45:35.410107 7fb3897fa700  2 req 1161:0.000548:s3:PUT /foobar/:create_bucket:executing
2016-03-22 11:45:35.410129 7fb3897fa700 20 get_system_obj_state: rctx=0x7fb3897f67d0 obj=fra.rgw.data.root:foobar state=0x7fb41c014268 s->prefetch_data=0
2016-03-22 11:45:35.410137 7fb3897fa700 10 cache get: name=fra.rgw.data.root+foobar : miss
2016-03-22 11:45:35.410574 7fb3897fa700 10 cache put: name=fra.rgw.data.root+foobar info.flags=0
2016-03-22 11:45:35.410581 7fb3897fa700 10 adding fra.rgw.data.root+foobar to cache LRU end
2016-03-22 11:45:35.410586 7fb3897fa700  0 sending create_bucket request to master zonegroup
2016-03-22 11:45:35.410597 7fb3897fa700 20 RGWEnv::set(): HTTP_DATE: Tue Mar 22 10:45:35 2016
2016-03-22 11:45:35.410599 7fb3897fa700 20 > HTTP_DATE -> Tue Mar 22 10:45:35 2016
2016-03-22 11:45:35.410602 7fb3897fa700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.410602 7fb3897fa700 10 generated canonical header: PUT

Tue Mar 22 10:45:35 2016
/foobar/
2016-03-22 11:45:35.410619 7fb3897fa700 15 generated auth header: AWS 1555b35654ad1656d804:tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.410639 7fb3897fa700 20 sending request to http://localhost:8001/foobar/?&rgwx-uid=fra1&rgwx-region=5af575e5-6238-4a27-bb12-5274e6f30ecf
2016-03-22 11:45:35.415427 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415431 7fb3897fa700 10 received header:HTTP/1.1 404 Not Found
2016-03-22 11:45:35.415432 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415432 7fb3897fa700 10 received header:x-amz-request-id: tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.415435 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415435 7fb3897fa700 10 received header:Content-Length: 169
2016-03-22 11:45:35.415436 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415437 7fb3897fa700 10 received header:Accept-Ranges: bytes
2016-03-22 11:45:35.415438 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415438 7fb3897fa700 10 received header:Content-Type: application/xml
2016-03-22 11:45:35.415439 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415439 7fb3897fa700 10 received header:Date: Tue, 22 Mar 2016 10:45:35 GMT
2016-03-22 11:45:35.415440 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415441 7fb3897fa700 10 received header:
2016-03-22 11:45:35.415488 7fb3897fa700  2 req 1161:0.005929:s3:PUT /foobar/:create_bucket:completing
2016-03-22 11:45:35.415527 7fb3897fa700  2 req 1161:0.005968:s3:PUT /foobar/:create_bucket:op status=-2
2016-03-22 11:45:35.415530 7fb3897fa700  2 req 1161:0.005971:s3:PUT /foobar/:create_bucket:http status=404
2016-03-22 11:45:35.415532 7fb3897fa700  1 ====== req done req=0x7fb3897f78d0 op status=-2 http_status=404 ======

RGW Primary Region:

2016-03-22 11:45:35.414889 7f504c7d0700  1 ====== starting new request req=0x7f504c7cd8d0 =====
2016-03-22 11:45:35.414901 7f504c7d0700  2 req 2001:0.000012::PUT /foobar/::initializing for trans_id = tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.414904 7f504c7d0700 10 host=localhost
2016-03-22 11:45:35.414906 7f504c7d0700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2016-03-22 11:45:35.414926 7f504c7d0700 20 get_handler handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.414929 7f504c7d0700 10 handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.414931 7f504c7d0700  2 req 2001:0.000042:s3:PUT /foobar/::getting op 1
2016-03-22 11:45:35.414939 7f504c7d0700 10 op=27RGWCreateBucket_ObjStore_S3
2016-03-22 11:45:35.414940 7f504c7d0700  2 req 2001:0.000051:s3:PUT /foobar/:create_bucket:authorizing
2016-03-22 11:45:35.414957 7f504c7d0700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.414959 7f504c7d0700 10 auth_hdr:
PUT

Tue Mar 22 10:45:35 2016
/foobar/
2016-03-22 11:45:35.414989 7f504c7d0700 15 calculated digest=tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.414990 7f504c7d0700 15 auth_sign=tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.414991 7f504c7d0700 15 compare=0
2016-03-22 11:45:35.414992 7f504c7d0700 20 system request
2016-03-22 11:45:35.415005 7f504c7d0700 20 get_system_obj_state: rctx=0x7f504c7cbb20 obj=nue.rgw.users.uid:fra1 state=0x7f515800aa78 s->prefetch_data=0
2016-03-22 11:45:35.415013 7f504c7d0700 10 cache get: name=nue.rgw.users.uid+fra1 : miss
2016-03-22 11:45:35.415363 7f504c7d0700 10 cache put: name=nue.rgw.users.uid+fra1 info.flags=0
2016-03-22 11:45:35.415370 7f504c7d0700 10 adding nue.rgw.users.uid+fra1 to cache LRU end
2016-03-22 11:45:35.415377 7f504c7d0700  0 User lookup failed!
2016-03-22 11:45:35.415378 7f504c7d0700 10 failed to authorize request
2016-03-22 11:45:35.415380 7f504c7d0700 20 handler->ERRORHANDLER: err_no=-2 new_err_no=-2
2016-03-22 11:45:35.415432 7f504c7d0700  2 req 2001:0.000542:s3:PUT /foobar/:create_bucket:op status=0
2016-03-22 11:45:35.415435 7f504c7d0700  2 req 2001:0.000546:s3:PUT /foobar/:create_bucket:http status=404
2016-03-22 11:45:35.415438 7f504c7d0700  1 ====== req done req=0x7f504c7cd8d0 op status=0 http_status=404 ======

Associated revisions

Revision bcdb467a (diff)
Added by Abhishek Lekshmanan about 8 years ago

rgw: return -EACCESS for system requests also

In a multisite scenario, if a user created in a secondary zone tries to
create a bucket, fail with AccessDenied instead of a NoSuchKey, which
doesn't make sense for a create Bucket request for eg.

Fixes: #15234
Signed-off-by: Abhishek Lekshmanan <>

History

#1 Updated by Abhishek Lekshmanan about 8 years ago

  • Status changed from New to In Progress
  • Assignee set to Abhishek Lekshmanan

#2 Updated by Abhishek Lekshmanan about 8 years ago

  • Status changed from In Progress to Fix Under Review

#3 Updated by Abhishek Lekshmanan almost 8 years ago

  • Affected Versions v10.1.1 added

#4 Updated by Abhishek Lekshmanan over 6 years ago

  • Status changed from Fix Under Review to Resolved

Also available in: Atom PDF