Bug #62033
http options cors request on a presigned url does not work on multi-tenant keystone buckets
Description
If I create a presigned URL for a test.txt object in a bucket named demo-preflight, I get a URL like:
https://rgw/demo-preflight/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=censored&X-Amz-Date=20230716T114238Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=censored
I can curl -X GET this URL and get the content, but if I curl -X OPTIONS with proper "Origin: rgw" and "Access-Control-Request-Method: GET" headers I get a NoSuchBucket error, because
rgw does not expand the demo-preflight bucket to the 42a1f5eb42635e3d81cc8b3c0b81a567/demo-preflight bucket for a multi-tenant keystone setup.
If I curl -X OPTIONS but with the bucket part of the URL as 42a1f5eb42635e3d81cc8b3c0b81a567:demo-preflight, the HTTP OPTIONS call returns HTTP 200 OK, but the HTTP GET call for the same URL gives a 403 Forbidden.
Expected result: we should be able to do the HTTP OPTIONS call without the full-path bucket name "42a1f5eb42635e3d81cc8b3c0b81a567:demo-preflight"; as we have the credentials for the presigned URL, we should expand that ourselves.
We can see in the logs:
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s get_handler handler=22RGWHandler_REST_Obj_S3
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s handler=22RGWHandler_REST_Obj_S3
2023-07-16T13:20:52.385+0200 7f61db188700 2 req 10002870918102420338 0.001000088s getting op 6
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s s3:options_cors op=26RGWOptionsCORS_ObjStore_S3
2023-07-16T13:20:52.385+0200 7f61db188700 2 req 10002870918102420338 0.001000088s s3:options_cors verifying requester
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s s3:options_cors rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s s3:options_cors rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s s3:options_cors rgw::auth::s3::S3AnonymousEngine granted access
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s s3:options_cors rgw::auth::s3::AWSAuthStrategy granted access
2023-07-16T13:20:52.385+0200 7f61db188700 2 req 10002870918102420338 0.001000088s s3:options_cors normalizing buckets and tenants
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s s->object=test.txt->bucket=demo-preflight
2023-07-16T13:20:52.385+0200 7f61db188700 2 req 10002870918102420338 0.001000088s s3:options_cors init permissions
2023-07-16T13:20:52.385+0200 7f61db188700 20 req 10002870918102420338 0.001000088s s3:options_cors get_system_obj_state: rctx=0x7f61db17e660 obj=rgw.meta:root:demo state=0x5576b20ce9a0 s->prefetch_data=0
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s s3:options_cors cache get: name=rgw.meta+root+demo : hit (negative entry)
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s s3:options_cors init_permissions on <NULL> failed, ret=-2002
2023-07-16T13:20:52.385+0200 7f61db188700 1 req 10002870918102420338 0.001000088s op->ERRORHANDLER: err_no=-2002 new_err_no=-2002
When we change the bucket part of the URL to 42a1f5eb42635e3d81cc8b3c0b81a567:demo-preflight we get the below, which makes the HTTP OPTIONS CORS request pass:
2023-07-16T13:20:52.385+0200 7f61db188700 10 req 10002870918102420338 0.001000088s s->object=test.txt->bucket=42a1f5eb42635e3d81cc8b3c0b81a567/demo-preflight
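The request shapes from the description, as an added example that is not part of the bug report or of Ceph's code: a stdlib-only SigV4 query presigner for the GET URL, the CORS preflight a browser sends for it (same URL, method OPTIONS, no Authorization header), a server-side signature check, and the tenant expansion the reporter asks for, deriving the tenant from the access key in X-Amz-Credential. The access key, secret, region, host and the access-key-to-project lookup table are constructed assumptions; the tenant id is a placeholder modelled on the one in the report.

```python
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values for this example; none of them are real.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "exampleSecretKeyDoNotUse00000000000000000"
REGION = "default"
HOST = "rgw"
# Assumed lookup from access key to Keystone project (tenant); the id is a
# placeholder modelled on the one in the report, not a real project.
TENANT_BY_ACCESS_KEY = {ACCESS_KEY: "42a1f5eb42635e3d81cc8b3c0b81a567"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sigv4_query(bucket: str, key: str, amz_date: str, expires: int):
    """SigV4 query-string signing for GET /bucket/key with only the host header
    signed. Returns (path, canonical query string, hex signature)."""
    date = amz_date[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(
        f"{k}={urllib.parse.quote(v, safe='')}" for k, v in sorted(params.items())
    )
    path = "/" + urllib.parse.quote(bucket, safe="") + "/" + urllib.parse.quote(key, safe="/")
    canonical_request = "\n".join(
        ["GET", path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signing_key = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return path, query, signature


def presign_get(bucket: str, key: str, amz_date: str = "", expires: int = 3600) -> str:
    """Client side: a presigned GET URL of the shape shown in the report."""
    amz_date = amz_date or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    path, query, signature = _sigv4_query(bucket, key, amz_date, expires)
    return f"https://{HOST}{path}?{query}&X-Amz-Signature={signature}"


def _split(url: str):
    """(bucket, key, query params) from a presigned URL; path parts unquoted."""
    p = urllib.parse.urlparse(url)
    parts = p.path.split("/")
    bucket = urllib.parse.unquote(parts[1])
    key = urllib.parse.unquote("/".join(parts[2:]))
    qs = {k: v[0] for k, v in urllib.parse.parse_qs(p.query).items()}
    return bucket, key, qs


def verify_presigned(url: str) -> bool:
    """Server side: recompute the signature from the URL, as a gateway does on
    the GET. The credential identifies the signer; the tenant is still needed
    separately to locate the bucket."""
    bucket, key, qs = _split(url)
    if qs.get("X-Amz-Credential", "").split("/", 1)[0] != ACCESS_KEY:
        return False
    _, _, expected = _sigv4_query(
        bucket, key, qs.get("X-Amz-Date", ""), int(qs.get("X-Amz-Expires", "0"))
    )
    return hmac.compare_digest(expected, qs.get("X-Amz-Signature", ""))


def expand_tenant(url: str) -> str:
    """The normalisation the report asks for: take the access key from
    X-Amz-Credential in the query string, so 'demo-preflight' becomes
    'tenant/demo-preflight' (the form rgw logs) even on an OPTIONS request that
    carries no Authorization header. A 'tenant:bucket' path is normalised too."""
    bucket, _, qs = _split(url)
    if ":" in bucket:
        tenant, _, bucket = bucket.partition(":")
        return f"{tenant}/{bucket}"
    access_key = qs.get("X-Amz-Credential", "").split("/", 1)[0]
    tenant = TENANT_BY_ACCESS_KEY.get(access_key)
    return f"{tenant}/{bucket}" if tenant else bucket


def preflight_request(url: str, origin: str, method: str = "GET") -> dict:
    """The CORS preflight a browser sends before the cross-origin GET: same
    presigned URL, method OPTIONS, Origin and Access-Control-Request-Method
    set, and no Authorization header."""
    return {"method": "OPTIONS", "url": url,
            "headers": {"Host": HOST, "Origin": origin,
                        "Access-Control-Request-Method": method}}


if __name__ == "__main__":
    url = presign_get("demo-preflight", "test.txt", "20230716T114238Z")
    print(url)
    print(verify_presigned(url))
    print(preflight_request(url, "https://app.example")["headers"])
    print(expand_tenant(url))
```

The preflight carries the same query-string credential as the GET, so the tenant can be resolved for it the same way; the signature itself cannot be checked on the OPTIONS request, since it was computed over the GET method, which is consistent with the gateway treating the preflight as anonymous and resolving only the bucket.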
Updated by Tobias Urdin 10 months ago
I have a feeling this https://github.com/ceph/ceph/blob/82ddbb6cd1fbf3c9f827fcc4c5470c8412b813c0/src/rgw/rgw_rest_s3.cc#L6424 line should be moved below the discover_aws_flavour() call. Untested, so I will see if I can test that later, but I assume, based on analyzing the code path, that when the anonymous auth is applicable it wouldn't parse the bucket tenant from credentials:
AwsVersion version;
AwsRoute route;
std::tie(version, route) = discover_aws_flavour(s->info);
if (s->op == OP_OPTIONS && version == AwsVersion::UNKNOWN) {
return true;
}
Updated by Casey Bodley 10 months ago
- Status changed from New to Triaged
- Tags set to keystone cors
Updated by Tobias Urdin 10 months ago
Something that can be tested: https://github.com/ceph/ceph/pull/52673
Updated by Casey Bodley 10 months ago
- Status changed from Triaged to Fix Under Review
- Pull request ID set to 52673
Updated by Tobias Urdin 10 months ago
If we could get this s3-tests patch https://github.com/ceph/s3-tests/pull/523 executed against a keystone rgw setup.
Updated by Casey Bodley 9 months ago
- Status changed from Fix Under Review to Resolved
Updated by Casey Bodley 9 months ago
- Status changed from Resolved to Pending Backport
- Backport set to pacific quincy reef
Updated by Backport Bot 9 months ago
- Copied to Backport #62505: pacific: http options cors request on a presigned url does not work on multi-tenant keystone buckets added
Updated by Backport Bot 9 months ago
- Copied to Backport #62506: reef: http options cors request on a presigned url does not work on multi-tenant keystone buckets added
Updated by Backport Bot 9 months ago
- Copied to Backport #62507: quincy: http options cors request on a presigned url does not work on multi-tenant keystone buckets added
Updated by Backport Bot 9 months ago
- Tags changed from keystone cors to keystone cors backport_processed