Bug #17779

rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured

Added by Yiu Chung Lee about 2 years ago. Updated about 1 month ago.

Status: Resolved
Priority: High
Target version: -
Start date: 11/02/2016
Due date:
% Done: 0%
Source: other
Tags:
Backport: kraken, jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

When I tried to access rgw configured with keystone integration using the S3 API with a new user, it appears that the new user is still accessed with the legacy tenant (i.e. global). Swift API works as intended.

Here is the relevant command output:

root@ceph-radosgw:~# radosgw-admin metadata list user
[
"1b614dca7b8e4582aba67581d92e8aa8",
"9c40f84284fa4bddb7ca381fd32054c3$9c40f84284fa4bddb7ca381fd32054c3",
"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8"
]

"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8" is the user auto-created using Swift API
"1b614dca7b8e4582aba67581d92e8aa8" is the user auto-created using S3 API

Note that you need to access rgw using the Swift API before using the S3 API, otherwise the user "1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8" will not be created.


root@ceph-radosgw:~# radosgw-admin bucket list
[
"s3-bucket",
"1b614dca7b8e4582aba67581d92e8aa8\/swift-bucket"
]

You can also see that "s3-bucket" (created using the S3 API) is in the global tenant, while swift-bucket is in the user tenant. The S3 API cannot access buckets created using the Swift API and vice versa.

s3.py View (503 Bytes) Yiu Chung Lee, 11/02/2016 09:23 AM
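
An added check, not part of the original report or of Ceph: it parses the two radosgw-admin outputs quoted above and reports IDs that exist both as a legacy global-tenant user and as a tenant$user entry, and groups buckets by tenant. The function names are assumptions; the input is the output pasted in the report.

```python
import json
from collections import defaultdict

# Output copied from the report above (metadata list user / bucket list).
USERS_JSON = '''[
"1b614dca7b8e4582aba67581d92e8aa8",
"9c40f84284fa4bddb7ca381fd32054c3$9c40f84284fa4bddb7ca381fd32054c3",
"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8"
]'''
BUCKETS_JSON = r'''[
"s3-bucket",
"1b614dca7b8e4582aba67581d92e8aa8\/swift-bucket"
]'''


def split_user(entry):
    """Return (tenant, user); tenant is "" for the legacy global tenant."""
    tenant, sep, user = entry.partition("$")
    return (tenant, user) if sep else ("", entry)


def split_bucket(entry):
    """Return (tenant, bucket) for a 'tenant/bucket' or bare 'bucket' entry."""
    tenant, sep, bucket = entry.partition("/")
    return (tenant, bucket) if sep else ("", entry)


def duplicated_identities(users_json):
    """IDs that exist both as a global-tenant user and as a tenanted user."""
    tenants_by_user = defaultdict(set)
    for entry in json.loads(users_json):
        tenant, user = split_user(entry)
        tenants_by_user[user].add(tenant)
    return sorted(u for u, t in tenants_by_user.items() if "" in t and len(t) > 1)


def buckets_by_tenant(buckets_json):
    """Group bucket names by tenant ("" = global tenant)."""
    grouped = defaultdict(list)
    for entry in json.loads(buckets_json):
        tenant, bucket = split_bucket(entry)
        grouped[tenant].append(bucket)
    return dict(grouped)


if __name__ == "__main__":
    print("IDs present in both namespaces:", duplicated_identities(USERS_JSON))
    print("buckets per tenant:", buckets_by_tenant(BUCKETS_JSON))
```

An ID reported by duplicated_identities is one Keystone identity that RGW is treating as two unrelated users, which is why the two APIs cannot see each other's buckets.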


Related issues

Copied to rgw - Backport #20482: kraken: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured Rejected
Copied to rgw - Backport #20483: jewel: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured Rejected

History

#1 Updated by Yiu Chung Lee about 2 years ago

Attached the code I used to create buckets using the S3 API. For the Swift API the standard openstack swift command is used (swift post swift-bucket).

#2 Updated by Yiu Chung Lee about 2 years ago

The problem here seems to be that the user auto-created by the S3 API does not honour the rgw_keystone_implicit_tenants ceph configuration; the user is created using the legacy tenant format instead of the tenant$user format.

#3 Updated by Yiu Chung Lee about 2 years ago

Note that you need to create the EC2 credentials in openstack (openstack ec2 credentials create) to replicate this behaviour. Do not generate EC2 credentials in radosgw-admin (radosgw-admin key create).

#4 Updated by Yiu Chung Lee about 2 years ago

Just realized that S3 bucket namespace is supposed to be global. I think this ticket can be closed....

#5 Updated by Yiu Chung Lee about 2 years ago

http://docs.ceph.com/docs/master/radosgw/multitenancy/

Well, I read the doc again, and it says "When a client application accesses buckets, it always operates with credentials of a particular user. As mentioned above, every user belongs to a tenant. Therefore, every operation has an implicit tenant in its context", so it seems still to be a bug...

#6 Updated by Orit Wasserman about 2 years ago

  • Assignee set to Matt Benjamin

#7 Updated by Yehuda Sadeh almost 2 years ago

@rzarzynski can you take a look at this one?

#8 Updated by Orit Wasserman over 1 year ago

  • Assignee changed from Matt Benjamin to Radoslaw Zarzynski

#9 Updated by Yehuda Sadeh over 1 year ago

  • Subject changed from rgw s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured to rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured

#10 Updated by Radoslaw Zarzynski over 1 year ago

  • Status changed from New to Need Review

#11 Updated by Matt Benjamin over 1 year ago

approved, merging

#12 Updated by Yehuda Sadeh over 1 year ago

  • Status changed from Need Review to Pending Backport
  • Backport set to kraken, jewel

Backport is not trivial

#13 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #20482: kraken: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured added

#14 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #20483: jewel: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured added

#15 Updated by Nathan Cutler about 1 year ago

  • Status changed from Pending Backport to Need More Info

In order to backport this bugfix to jewel, it appears we would need to backport https://github.com/ceph/ceph/pull/12893 first - a non-trivial task. RGW developers please advise.

#16 Updated by Radoslaw Zarzynski about 1 year ago

It looks like we would need a separate fix for Jewel that doesn't depend on the auth rework. Most likely only the Keystone auth backend should be addressed.

#17 Updated by Abhishek Lekshmanan about 1 year ago

  • Status changed from Need More Info to Pending Backport
  • Backport changed from kraken, jewel to jewel

kraken

#18 Updated by Nathan Cutler about 1 year ago

  • Backport changed from jewel to kraken, jewel

kraken backport was rejected, but it needs to be in the Backport field to keep the backport scripting happy

#19 Updated by Nathan Cutler about 1 month ago

  • Status changed from Pending Backport to Resolved
