Bug #62822
closed
CORS doesn't work when used with Keystone and implicit tenants scenario.
Description
hello!
Our setup is using RGW authentication in Keystone with `rgw_keystone_implicit_tenants = true` setting. We have all our users created with tenant under schema `user$user`.
In this setup CORS checks don't work and all (besides setting CORS config on a bucket) s3-tests for CORS are failing. The user doesn't seem to be recognised in this scenario.
Log: https://gist.github.com/pejotes/51c90473dd4fb8ae173c1c5699c756cc
thanks!
Updated by Casey Bodley 8 months ago
thanks for the log. my understanding of 'implicit tenants' is that we use the tenant name from the authenticated user. but this OPTIONS request is unauthenticated, so we have no way to know which tenant to use when looking up the bucket metadata
Updated by Pawel Stefanski 8 months ago
Thanks for chiming in, yes this one uses anonymous and should not check permissions further imho, but other cors related reqs are failing as well, after checking cors policy it goes to check permission and fails, returns -2002 and 404 to the requestor. Will add logs for other methods here as well, it looks more like general issue. It all works perfectly with RGW local users. I do use test from s3test suite.
Updated by Casey Bodley 8 months ago
thanks Pawel. there was another CORS-related fix in https://tracker.ceph.com/issues/62033 that might be relevant there
Updated by Pawel Stefanski 8 months ago
yes, I was hoping it can help with more canonical approach, but on my Q build with this PR unfortunately it still doesn't work. I will collect more logs now.
Updated by Pawel Stefanski 7 months ago
Another weird behaviour here, when the bucket has cors policy set, it's not accessible from radosgw-admin commands as well, so there is maybe something messed with finding correct bucket entity, and not in permissions at all?
https://gist.github.com/pejotes/298fce125901f3f64d90e67dbeb31f6b - debug_rgw 20.
Updated by Casey Bodley 7 months ago
Pawel Stefanski wrote:
Another weird behaviour here, when the bucket has cors policy set, it's not accessible from radosgw-admin commands as well
does that same 'bi list' command work if you remove the cors policy?
Updated by Casey Bodley 6 months ago
- Status changed from Need More Info to Won't Fix