Bug #17779
closed
rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured
Description
When I tried to access rgw configured with keystone integration using the S3 API with a new user, it appears that the new user still accesses it with the legacy tenant (i.e. global). The Swift API works as intended.
Here is the relevant command output:
root@ceph-radosgw:~# radosgw-admin metadata list user
[
"1b614dca7b8e4582aba67581d92e8aa8",
"9c40f84284fa4bddb7ca381fd32054c3$9c40f84284fa4bddb7ca381fd32054c3",
"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8"
]
"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8" is the user auto-created using Swift API
"1b614dca7b8e4582aba67581d92e8aa8" is the user auto-created using S3 API
Note that you need to access rgw using swift API before using S3 API, otherwise the user "1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8" will not be created.
root@ceph-radosgw:~# radosgw-admin bucket list
[
"s3-bucket",
"1b614dca7b8e4582aba67581d92e8aa8\/swift-bucket"
]
You can also see the "s3-bucket" (created using S3 API) is in global tenant, while swift-bucket is in user tenant. S3 API cannot access buckets created using Swift API and vice versa.
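An added example, not part of the original report or of the Ceph code: a small Python check that reads the two `radosgw-admin` listings quoted above and flags Keystone IDs that exist both as a legacy global-tenant user and as `tenant$user`, plus buckets that sit in the global tenant. The function names are hypothetical, and treating tenant and user as the same ID under implicit tenants is an assumption taken from the IDs in this report.

```python
import json

# Sample input: the two listings quoted in the report above.
USERS_JSON = r'''[
"1b614dca7b8e4582aba67581d92e8aa8",
"9c40f84284fa4bddb7ca381fd32054c3$9c40f84284fa4bddb7ca381fd32054c3",
"1b614dca7b8e4582aba67581d92e8aa8$1b614dca7b8e4582aba67581d92e8aa8"
]'''
BUCKETS_JSON = r'''[
"s3-bucket",
"1b614dca7b8e4582aba67581d92e8aa8\/swift-bucket"
]'''


def split_user(uid):
    """Return (tenant, user); an ID without '$' is in the global tenant ('')."""
    tenant, sep, user = uid.partition("$")
    return (tenant, user) if sep else ("", uid)


def split_bucket(name):
    """Return (tenant, bucket); a name without '/' is in the global tenant ('')."""
    tenant, sep, bucket = name.partition("/")
    return (tenant, bucket) if sep else ("", name)


def audit(users_json, buckets_json):
    """Flag identities split across tenants and buckets in the global tenant."""
    users = {split_user(u) for u in json.loads(users_json)}
    buckets = [split_bucket(b) for b in json.loads(buckets_json)]
    # Assumption: with implicit tenants the tenant equals the Keystone ID,
    # so "X" next to "X$X" means one identity exists in both namespaces.
    split_ids = sorted(u for t, u in users if t == "" and (u, u) in users)
    return {
        "split_identities": split_ids,
        # Global-tenant buckets are only candidates for review: users made
        # with radosgw-admin legitimately live in the global tenant.
        "global_buckets": sorted(b for t, b in buckets if t == ""),
        "tenant_buckets": sorted((t, b) for t, b in buckets if t),
    }


if __name__ == "__main__":
    print(json.dumps(audit(USERS_JSON, BUCKETS_JSON), indent=2))
```

On a live gateway the two JSON strings would come from `radosgw-admin metadata list user` and `radosgw-admin bucket list`.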
Updated by Yiu Chung Lee over 7 years ago
Attached the code I used to create buckets using the S3 API. For the Swift API, the standard openstack swift command is used (swift post swift-bucket).
Updated by Yiu Chung Lee over 7 years ago
The problem here seems to be that the user auto-created by the S3 API does not honour the rgw_keystone_implicit_tenants ceph configuration; the user is created using the legacy tenant format instead of the tenant$user format.
Updated by Yiu Chung Lee over 7 years ago
Note that you need to create the EC2 credentials in openstack (openstack ec2 credentials create) to replicate this behaviour. Do not generate EC2 credentials in radosgw-admin (radosgw-admin key create).
Updated by Yiu Chung Lee over 7 years ago
Just realized that S3 bucket namespace is supposed to be global. I think this ticket can be closed....
Updated by Yiu Chung Lee over 7 years ago
http://docs.ceph.com/docs/master/radosgw/multitenancy/
Well, I read the doc again, and it says "When a client application accesses buckets, it always operates with credentials of a particular user. As mentioned above, every user belongs to a tenant. Therefore, every operation has an implicit tenant in its context", so it seems still to be a bug...
Updated by Yehuda Sadeh about 7 years ago
@Radoslaw Zarzynski can you take a look at this one?
Updated by Orit Wasserman almost 7 years ago
- Assignee changed from Matt Benjamin to Radoslaw Zarzynski
Updated by Yehuda Sadeh almost 7 years ago
- Subject changed from rgw s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured to rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured
Updated by Radoslaw Zarzynski almost 7 years ago
- Status changed from New to Fix Under Review
Updated by Yehuda Sadeh almost 7 years ago
- Status changed from Fix Under Review to Pending Backport
- Backport set to kraken, jewel
Backport is not trivial
Updated by Nathan Cutler almost 7 years ago
- Copied to Backport #20482: kraken: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured added
Updated by Nathan Cutler almost 7 years ago
- Copied to Backport #20483: jewel: rgw: s3 API does not honor rgw_keystone_implicit_tenants when keystone integration is configured added
Updated by Nathan Cutler over 6 years ago
- Status changed from Pending Backport to Need More Info
In order to backport this bugfix to jewel, it appears we would need to backport https://github.com/ceph/ceph/pull/12893 first - a non-trivial task. RGW developers please advise.
Updated by Radoslaw Zarzynski over 6 years ago
It looks like we would need a separate fix for Jewel that doesn't depend on the auth rework. Most likely only the Keystone auth backend should be addressed.
Updated by Abhishek Lekshmanan over 6 years ago
- Status changed from Need More Info to Pending Backport
- Backport changed from kraken, jewel to jewel
kraken
Updated by Nathan Cutler over 6 years ago
- Backport changed from jewel to kraken, jewel
kraken backport was rejected, but it needs to be in the Backport field to keep the backport scripting happy
Updated by Nathan Cutler over 5 years ago
- Status changed from Pending Backport to Resolved