Bug #62822
closed
CORS doesn't work when used with Keystone and implicit tenants scenario.
Added by Pawel Stefanski 8 months ago.
Updated 6 months ago.
Tags:
rgw, s3, keystone, cors
Description
hello!
Our setup is using RGW authentication in Keystone with `rgw_keystone_implicit_tenants = true` setting. We have all our users created with tenant under schema `user$user`.
In this setup CORS checks doesn't work and all (beside setting CORS config on a bucket) s3-tests for CORS are failing. The user doesn't seems to be recognised in this scenario.
Log: https://gist.github.com/pejotes/51c90473dd4fb8ae173c1c5699c756cc
thanks!
- Assignee set to Marcus Watts
thanks for the log. my understanding of 'implicit tenants' is that we use the tenant name from the authenticated user. but this OPTIONS request is unauthenticated, so we have no way to know which tenant to use when looking up the bucket metadata
Thank for chiming in, yes this one uses anonymous and should not check permissions further imho, but others cors related reqs are failing as well, after checking cors policy if goes to check permission and fails, returns -2002 and 404 to the requestor. Will add logs for other methods here as well, it looks more like general issue. It all works perfectly with RGW local users. I do use test from s3test suite.
yes, I was hoping it can help with more canonical approach, but on my Q build with this PR unfortunately it still doesn't work. I will collect more logs now.
- Status changed from New to Need More Info
Pawel Stefanski wrote:
Another weird behaviour here, when the bucket has cors policy set, it's not accessible from radosgw-admin commands as well
does that same 'bi list' command work if you remove the cors policy?
- Status changed from Need More Info to Won't Fix
Also available in: Atom
PDF