Bug #15234
multisite: rgw returns NoSuchKey if a user from a non default zone tries to create a bucket
% Done: 0%
Source: other
Regression: No
Severity: 3 - minor
Description
If a user is created in a non-master zone and tries to create a bucket, it results in a 404 instead of a 403: we get an ErrorNoSuchKey instead of InvalidAccessKeyId.
Some logs below:
client log:
s3 -us create foobar
ERROR: ErrorNoSuchKey
Extra Details:
BucketName: foobar
RequestId: tx000000000000000000489-0056f1224f-101d-fra
HostId: 101d-fra-de
RGW secondary zone:
2016-03-22 11:45:35.409559 7fb3897fa700 1 ====== starting new request req=0x7fb3897f78d0 =====
2016-03-22 11:45:35.409572 7fb3897fa700 2 req 1161:0.000014::PUT /foobar/::initializing for trans_id = tx000000000000000000489-0056f1224f-101d-fra
2016-03-22 11:45:35.409576 7fb3897fa700 10 host=localhost
2016-03-22 11:45:35.409578 7fb3897fa700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2016-03-22 11:45:35.409586 7fb3897fa700 10 meta>> HTTP_X_AMZ_DATE
2016-03-22 11:45:35.409588 7fb3897fa700 10 x>> x-amz-date:Tue, 22 Mar 2016 10:45:35 GMT
2016-03-22 11:45:35.409599 7fb3897fa700 20 get_handler handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.409602 7fb3897fa700 10 handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.409602 7fb3897fa700 2 req 1161:0.000044:s3:PUT /foobar/::getting op 1
2016-03-22 11:45:35.409615 7fb3897fa700 10 op=27RGWCreateBucket_ObjStore_S3
2016-03-22 11:45:35.409616 7fb3897fa700 2 req 1161:0.000058:s3:PUT /foobar/:create_bucket:authorizing
2016-03-22 11:45:35.409637 7fb3897fa700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.409638 7fb3897fa700 10 auth_hdr: PUT x-amz-date:Tue, 22 Mar 2016 10:45:35 GMT /foobar/
2016-03-22 11:45:35.409673 7fb3897fa700 15 calculated digest=IgDsG/rq6BocF4iXWCXxG8LOpTg=
2016-03-22 11:45:35.409674 7fb3897fa700 15 auth_sign=IgDsG/rq6BocF4iXWCXxG8LOpTg=
2016-03-22 11:45:35.409674 7fb3897fa700 15 compare=0
2016-03-22 11:45:35.409676 7fb3897fa700 2 req 1161:0.000117:s3:PUT /foobar/:create_bucket:normalizing buckets and tenants
2016-03-22 11:45:35.409677 7fb3897fa700 10 s->object=<NULL> s->bucket=foobar
2016-03-22 11:45:35.409679 7fb3897fa700 2 req 1161:0.000120:s3:PUT /foobar/:create_bucket:init permissions
2016-03-22 11:45:35.409680 7fb3897fa700 2 req 1161:0.000121:s3:PUT /foobar/:create_bucket:recalculating target
2016-03-22 11:45:35.409680 7fb3897fa700 2 req 1161:0.000122:s3:PUT /foobar/:create_bucket:reading permissions
2016-03-22 11:45:35.409682 7fb3897fa700 2 req 1161:0.000123:s3:PUT /foobar/:create_bucket:init op
2016-03-22 11:45:35.409683 7fb3897fa700 2 req 1161:0.000124:s3:PUT /foobar/:create_bucket:verifying op mask
2016-03-22 11:45:35.409683 7fb3897fa700 20 required_mask= 2 user.op_mask=7
2016-03-22 11:45:35.409684 7fb3897fa700 2 req 1161:0.000125:s3:PUT /foobar/:create_bucket:verifying op permissions
2016-03-22 11:45:35.410088 7fb3897fa700 2 req 1161:0.000529:s3:PUT /foobar/:create_bucket:verifying op params
2016-03-22 11:45:35.410093 7fb3897fa700 2 req 1161:0.000535:s3:PUT /foobar/:create_bucket:pre-executing
2016-03-22 11:45:35.410107 7fb3897fa700 2 req 1161:0.000548:s3:PUT /foobar/:create_bucket:executing
2016-03-22 11:45:35.410129 7fb3897fa700 20 get_system_obj_state: rctx=0x7fb3897f67d0 obj=fra.rgw.data.root:foobar state=0x7fb41c014268 s->prefetch_data=0
2016-03-22 11:45:35.410137 7fb3897fa700 10 cache get: name=fra.rgw.data.root+foobar : miss
2016-03-22 11:45:35.410574 7fb3897fa700 10 cache put: name=fra.rgw.data.root+foobar info.flags=0
2016-03-22 11:45:35.410581 7fb3897fa700 10 adding fra.rgw.data.root+foobar to cache LRU end
2016-03-22 11:45:35.410586 7fb3897fa700 0 sending create_bucket request to master zonegroup
2016-03-22 11:45:35.410597 7fb3897fa700 20 RGWEnv::set(): HTTP_DATE: Tue Mar 22 10:45:35 2016
2016-03-22 11:45:35.410599 7fb3897fa700 20 > HTTP_DATE -> Tue Mar 22 10:45:35 2016
2016-03-22 11:45:35.410602 7fb3897fa700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.410602 7fb3897fa700 10 generated canonical header: PUT Tue Mar 22 10:45:35 2016 /foobar/
2016-03-22 11:45:35.410619 7fb3897fa700 15 generated auth header: AWS 1555b35654ad1656d804:tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.410639 7fb3897fa700 20 sending request to http://localhost:8001/foobar/?&rgwx-uid=fra1&rgwx-region=5af575e5-6238-4a27-bb12-5274e6f30ecf
2016-03-22 11:45:35.415427 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415431 7fb3897fa700 10 received header:HTTP/1.1 404 Not Found
2016-03-22 11:45:35.415432 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415432 7fb3897fa700 10 received header:x-amz-request-id: tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.415435 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415435 7fb3897fa700 10 received header:Content-Length: 169
2016-03-22 11:45:35.415436 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415437 7fb3897fa700 10 received header:Accept-Ranges: bytes
2016-03-22 11:45:35.415438 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415438 7fb3897fa700 10 received header:Content-Type: application/xml
2016-03-22 11:45:35.415439 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415439 7fb3897fa700 10 received header:Date: Tue, 22 Mar 2016 10:45:35 GMT
2016-03-22 11:45:35.415440 7fb3897fa700 10 receive_http_header
2016-03-22 11:45:35.415441 7fb3897fa700 10 received header:
2016-03-22 11:45:35.415488 7fb3897fa700 2 req 1161:0.005929:s3:PUT /foobar/:create_bucket:completing
2016-03-22 11:45:35.415527 7fb3897fa700 2 req 1161:0.005968:s3:PUT /foobar/:create_bucket:op status=-2
2016-03-22 11:45:35.415530 7fb3897fa700 2 req 1161:0.005971:s3:PUT /foobar/:create_bucket:http status=404
2016-03-22 11:45:35.415532 7fb3897fa700 1 ====== req done req=0x7fb3897f78d0 op status=-2 http_status=404 ======
RGW Primary Region:
2016-03-22 11:45:35.414889 7f504c7d0700 1 ====== starting new request req=0x7f504c7cd8d0 =====
2016-03-22 11:45:35.414901 7f504c7d0700 2 req 2001:0.000012::PUT /foobar/::initializing for trans_id = tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.414904 7f504c7d0700 10 host=localhost
2016-03-22 11:45:35.414906 7f504c7d0700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
2016-03-22 11:45:35.414926 7f504c7d0700 20 get_handler handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.414929 7f504c7d0700 10 handler=25RGWHandler_REST_Bucket_S3
2016-03-22 11:45:35.414931 7f504c7d0700 2 req 2001:0.000042:s3:PUT /foobar/::getting op 1
2016-03-22 11:45:35.414939 7f504c7d0700 10 op=27RGWCreateBucket_ObjStore_S3
2016-03-22 11:45:35.414940 7f504c7d0700 2 req 2001:0.000051:s3:PUT /foobar/:create_bucket:authorizing
2016-03-22 11:45:35.414957 7f504c7d0700 10 get_canon_resource(): dest=/foobar/
2016-03-22 11:45:35.414959 7f504c7d0700 10 auth_hdr: PUT Tue Mar 22 10:45:35 2016 /foobar/
2016-03-22 11:45:35.414989 7f504c7d0700 15 calculated digest=tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.414990 7f504c7d0700 15 auth_sign=tgcKBd+JzBElhzZ8IuKXAQWDFWk=
2016-03-22 11:45:35.414991 7f504c7d0700 15 compare=0
2016-03-22 11:45:35.414992 7f504c7d0700 20 system request
2016-03-22 11:45:35.415005 7f504c7d0700 20 get_system_obj_state: rctx=0x7f504c7cbb20 obj=nue.rgw.users.uid:fra1 state=0x7f515800aa78 s->prefetch_data=0
2016-03-22 11:45:35.415013 7f504c7d0700 10 cache get: name=nue.rgw.users.uid+fra1 : miss
2016-03-22 11:45:35.415363 7f504c7d0700 10 cache put: name=nue.rgw.users.uid+fra1 info.flags=0
2016-03-22 11:45:35.415370 7f504c7d0700 10 adding nue.rgw.users.uid+fra1 to cache LRU end
2016-03-22 11:45:35.415377 7f504c7d0700 0 User lookup failed!
2016-03-22 11:45:35.415378 7f504c7d0700 10 failed to authorize request
2016-03-22 11:45:35.415380 7f504c7d0700 20 handler->ERRORHANDLER: err_no=-2 new_err_no=-2
2016-03-22 11:45:35.415432 7f504c7d0700 2 req 2001:0.000542:s3:PUT /foobar/:create_bucket:op status=0
2016-03-22 11:45:35.415435 7f504c7d0700 2 req 2001:0.000546:s3:PUT /foobar/:create_bucket:http status=404
2016-03-22 11:45:35.415438 7f504c7d0700 1 ====== req done req=0x7f504c7cd8d0 op status=0 http_status=404 ======
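The cross-zone correlation that the two logs above require, as an added example that is not part of the original report or of Ceph: it follows the x-amz-request-id the secondary zone received back to the master zone's request and flags forwarded requests that the master failed to authorize but that reached the client as something other than 401/403. The function names and the one-request-per-thread grouping are assumptions; the sample lines are copied from the logs above.

```python
import re

LINE = re.compile(r"^\S+ \S+ (\S+)\s+-?\d+ (.*)$")  # date time thread level msg
TRANS = re.compile(r"initializing for trans_id = (\S+)")
UPSTREAM = re.compile(r"received header:x-amz-request-id: (\S+)")
DONE = re.compile(r"====== req done req=\S+ op status=-?\d+ http_status=(\d+)")
AUTH_FAIL = ("User lookup failed!", "failed to authorize request")

def parse_requests(log_text):
    """Group RGW debug lines by trans_id (assumes one request per thread at a time)."""
    active, finished = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        req = active.setdefault(thread, {"trans_id": None, "upstream": None,
                                         "auth_failed": False, "http": None})
        if TRANS.search(msg):
            req["trans_id"] = TRANS.search(msg).group(1)
        elif UPSTREAM.search(msg):
            # trans_id of the request this zone forwarded to the master
            req["upstream"] = UPSTREAM.search(msg).group(1)
        elif msg in AUTH_FAIL:
            req["auth_failed"] = True
        elif DONE.search(msg):
            req["http"] = int(DONE.search(msg).group(1))
            finished[req["trans_id"]] = active.pop(thread)
    return finished

def masked_auth_failures(secondary_log, master_log):
    """List (client trans_id, master trans_id, client HTTP status) mismatches."""
    master = parse_requests(master_log)
    return [(tid, req["upstream"], req["http"])
            for tid, req in parse_requests(secondary_log).items()
            if req["upstream"] and req["http"] not in (401, 403)
            and master.get(req["upstream"], {}).get("auth_failed")]

# Entries copied from the two logs above, trimmed to the lines the parser uses.
SECONDARY = """\
2016-03-22 11:45:35.409572 7fb3897fa700 2 req 1161:0.000014::PUT /foobar/::initializing for trans_id = tx000000000000000000489-0056f1224f-101d-fra
2016-03-22 11:45:35.415432 7fb3897fa700 10 received header:x-amz-request-id: tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.415532 7fb3897fa700 1 ====== req done req=0x7fb3897f78d0 op status=-2 http_status=404 ======
"""
MASTER = """\
2016-03-22 11:45:35.414901 7f504c7d0700 2 req 2001:0.000012::PUT /foobar/::initializing for trans_id = tx0000000000000000007d1-0056f1224f-1025-nue
2016-03-22 11:45:35.415377 7f504c7d0700 0 User lookup failed!
2016-03-22 11:45:35.415438 7f504c7d0700 1 ====== req done req=0x7f504c7cd8d0 op status=0 http_status=404 ======
"""
```

Calling masked_auth_failures(SECONDARY, MASTER) returns the one request from this report, pairing the client-facing trans_id on fra with the master's trans_id on nue.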
Associated revisions
rgw: return -EACCESS for system requests also
In a multisite scenario, if a user created in a secondary zone tries to
create a bucket, fail with AccessDenied instead of a NoSuchKey, which
doesn't make sense for a create Bucket request for eg.
Fixes: #15234
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
History
#1 Updated by Abhishek Lekshmanan about 8 years ago
- Status changed from New to In Progress
- Assignee set to Abhishek Lekshmanan
#2 Updated by Abhishek Lekshmanan about 8 years ago
- Status changed from In Progress to Fix Under Review
Master PR: https://github.com/ceph/ceph/pull/8259
#3 Updated by Abhishek Lekshmanan almost 8 years ago
- Affected Versions v10.1.1 added
#4 Updated by Abhishek Lekshmanan over 6 years ago
- Status changed from Fix Under Review to Resolved