Bug #20671
rgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone
% Done: 0%
Backport: luminous
Regression: No
Severity: 3 - minor
Description
When SSE-KMS encryption is used, multisite sync is able to fetch the decrypted contents of the object. However, it stores the unencrypted object data to rados, along with the original SSE-KMS encryption attributes. So when a client reads that object from the secondary zone, radosgw tries to decrypt the already-unencrypted data and returns garbage data.
History
#1 Updated by Casey Bodley over 6 years ago
- Status changed from New to 12
- Assignee set to Casey Bodley
#2 Updated by Casey Bodley over 6 years ago
- Related to Bug #20668: rgw multisite: cannot sync objects encrypted with SSE-C added
#3 Updated by Casey Bodley over 6 years ago
- Status changed from 12 to 17
#4 Updated by Matt Benjamin over 6 years ago
- Status changed from 17 to Pending Backport
- Backport set to luminous
#5 Updated by Nathan Cutler over 6 years ago
- Copied to Backport #21115: luminous: rgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone added
#6 Updated by Nathan Cutler over 6 years ago
- Status changed from Pending Backport to Resolved