Bug #53119
openRadosGW sends X-Auth-Token instead of Authorization header to Open Policy Agent
0%
Description
The token defined in `rgw_opa_token` is being passed to Open Policy Agent in
the `X-Auth-Token` header, but it expects a bearer token in the `Authorization`
header (https://www.openpolicyagent.org/docs/latest/rest-api/#bearer-tokens).
Updated by Benoît Knecht over 2 years ago
Updated by Casey Bodley over 2 years ago
- Assignee set to Matt Benjamin
- Tags set to opa
- Pull request ID set to 43755
Updated by Matt Benjamin over 2 years ago
The behavior must have changed since Styra contributed the original OPA integration, seemingly. Casey wondered in bug scrub, could older setups be relying on the old behavior?
Updated by Benoît Knecht over 2 years ago
I'm not sure about that. The commit that introduced OPA integration is https://github.com/ceph/ceph/commit/631a036a6b02d30d12d0a1c6cae25c9aa0c38af1, dating back to 2018, and OPA v0.9.0 would have been current. And even there, I don't see any mention of `X-Auth-Token`, but the `Authorization` header is documented instead: https://github.com/open-policy-agent/opa/blob/v0.9.0/docs/book/security.md?plain=1#L171-L184.
Updated by Benoît Knecht over 2 years ago
Hi Matt! Could you take another look at this?
As mentioned, I doubt this feature ever worked given that OPA doesn't seem to have supported the `X-Auth-Token` in the past.
Let me know how you wish to proceed.
Updated by Matt Benjamin over 2 years ago
Ok, I'll try to have an update shortly. I don't think we have proper test automation for OPA. Do you have the ability to construct a minimal reproducer?
Matt