Actions
Bug #20671
closedrgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone
% Done:
0%
Source:
Tags:
Backport:
luminous
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
When SSE-KMS encryption is used, multisite sync is able to fetch the decrypted contents of the object. However, it stores the unencrypted object data to rados, along with the original SSE-KMS encryption attributes. So when a client reads that object from the secondary zone, radosgw tries to decrypt the already-unencrypted data and returns garbage data.
Actions