Bug #20671

rgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone

Added by Casey Bodley about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 07/18/2017
Due date:
% Done: 0%
Source:
Tags:
Backport: luminous
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

When SSE-KMS encryption is used, multisite sync is able to fetch the decrypted contents of the object. However, it stores the unencrypted object data to rados, along with the original SSE-KMS encryption attributes. So when a client reads that object from the secondary zone, radosgw tries to decrypt the already-unencrypted data and returns garbage data.
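
A minimal model of the failure described above, added here as an illustration and not taken from the report or the Ceph code base. The `Zone` class, the `sse-kms-key-id` attribute name, the toy SHA-256 keystream cipher and both sync functions are assumptions made for the example; `sync_consistent` is one consistent alternative within this model, not a statement of how the bug was fixed.

```python
import hashlib

ENC_ATTR = "sse-kms-key-id"  # hypothetical attribute name, not RGW's real xattr

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for the real
    cipher. XOR with the keystream is its own inverse."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

class Zone:
    """Minimal model of a zone: raw stored bytes plus per-object attributes."""
    def __init__(self, kms):
        self.kms = kms        # key id -> key bytes (constructed sample data)
        self.objects = {}     # name -> (stored_bytes, attrs)

    def put(self, name, plaintext, key_id):
        stored = keystream_xor(self.kms[key_id], plaintext)
        self.objects[name] = (stored, {ENC_ATTR: key_id})

    def get(self, name):
        stored, attrs = self.objects[name]
        if ENC_ATTR in attrs:  # read path trusts the attribute and decrypts
            return keystream_xor(self.kms[attrs[ENC_ATTR]], stored)
        return stored

def sync_as_reported(src, dst, name):
    """Reported behaviour: decrypted data stored with the original attributes."""
    _, attrs = src.objects[name]
    dst.objects[name] = (src.get(name), dict(attrs))

def sync_consistent(src, dst, name):
    """Model-only alternative: stored bytes and attributes travel together."""
    stored, attrs = src.objects[name]
    dst.objects[name] = (stored, dict(attrs))

def demo():
    kms = {"key-1": b"constructed-sample-key"}
    primary, bad, good = Zone(kms), Zone(kms), Zone(kms)
    secret = b"constructed sample object body"
    primary.put("obj", secret, "key-1")
    sync_as_reported(primary, bad, "obj")
    sync_consistent(primary, good, "obj")
    return {"bad_plaintext_at_rest": bad.objects["obj"][0] == secret,
            "bad_read_ok": bad.get("obj") == secret,
            "good_plaintext_at_rest": good.objects["obj"][0] == secret,
            "good_read_ok": good.get("obj") == secret}
```

In the model, the reported sync path leaves the plaintext at rest in the target zone and makes reads return garbage, because the read path decrypts whatever the attributes say is encrypted.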


Related issues

Related to rgw - Bug #20668: rgw multisite: cannot sync objects encrypted with SSE-C Resolved 07/18/2017
Copied to rgw - Backport #21115: luminous: rgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone Resolved

History

#1 Updated by Casey Bodley about 2 years ago

  • Status changed from New to Verified
  • Assignee set to Casey Bodley

#2 Updated by Casey Bodley about 2 years ago

  • Related to Bug #20668: rgw multisite: cannot sync objects encrypted with SSE-C added

#3 Updated by Casey Bodley about 2 years ago

  • Status changed from Verified to Need Test

#4 Updated by Matt Benjamin about 2 years ago

  • Status changed from Need Test to Pending Backport
  • Backport set to luminous

#5 Updated by Nathan Cutler about 2 years ago

  • Copied to Backport #21115: luminous: rgw multisite: objects encrypted with SSE-KMS are stored unencrypted in target zone added

#6 Updated by Nathan Cutler about 2 years ago

  • Status changed from Pending Backport to Resolved
