Bug #62989: s3test test_list_buckets_bad_auth fails with Keystone EC2 - rgw - Ceph

Actions

Copy link

Bug #62989

open

s3test test_list_buckets_bad_auth fails with Keystone EC2

Added by Casey Bodley 7 months ago. Updated 7 months ago.

Status:

Pending Backport

Priority:

Normal

Assignee:

Casey Bodley

Target version:

% Done:

Source:

Tags:

keystone ec2 backport_processed

Backport:

pacific quincy reef

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

ceph-qa-suite:

Pull request ID:

53680

Crash signature (v1):

Crash signature (v2):

Description

from teuthology run: http://qa-proxy.ceph.com/teuthology/cbodley-2023-09-25_17:25:06-rgw:tempest-main-distro-default-smithi/7402007/teuthology.log
associated rgw log: http://qa-proxy.ceph.com/teuthology/cbodley-2023-09-25_17:25:06-rgw:tempest-main-distro-default-smithi/7402007/remote/smithi083/log/rgw.ceph.client.0.log.gz

2023-09-25T17:57:58.766+0000 7f19e7847640  0 req 17314085603299168821 0.000000000s s3:list_buckets Secret string does not correctly sign payload, cache miss
2023-09-25T17:57:58.766+0000 7f19e7847640 20 req 17314085603299168821 0.000000000s s3:list_buckets found cached admin token
2023-09-25T17:57:58.766+0000 7f19e7847640 20 sending request to http://smithi083.front.sepia.ceph.com:5000/v3/s3tokens
2023-09-25T17:57:58.766+0000 7f19e7847640 20 register_request mgr=0x55e34cdaf440 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.766+0000 7f19e7847640 20 WARNING: blocking http request
2023-09-25T17:57:58.766+0000 7f1a9d3c0640 20 link_request req_data=0x55e3517e6f00 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.850+0000 7f19e7847640  2 req 17314085603299168821 0.083998606s s3:list_buckets s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
":"172.21.15.83","user":"testx$tenanteduser.client.0","operation":"list_buckets","uri":"GET / HTTP/1.1","http_status":"200","error_code":"","bytes_sent":286,"bytes_received":0,"object_size":0,"total_time":123,"user_agent":"Boto3/1.24.96 Python/3.10.6 Linux/5.15.0-84-generic Botocore/1.27.96","referrer":"","trans_id":"tx000005cad476ef5a5d8be-006511ca25-1074-default","authentication_type":"Local","access_key_id":"NCTNZXHHCHGAZFMMCOEA","temp_url":false}9b8-44d2-87e2-4b0e54ad09d8.4214.229
2023-09-25T17:57:58.850+0000 7f19e7847640 20 req 17314085603299168821 0.083998606s s3:list_buckets rgw::auth::keystone::EC2Engine denied with reason=-1
...
2023-09-25T17:57:58.854+0000 7f19e7847640  5 req 17314085603299168821 0.087998547s s3:list_buckets error reading user info, uid=7f6fb8d9f45a4fdfb0e71907ca2ca1f0 can't authenticate
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::LocalEngine rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::AWSAuthStrategy rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640  5 req 17314085603299168821 0.087998547s s3:list_buckets Failed the auth strategy, reason=-2028

because EC2Engine returns deny instead of reject, LocalEngine goes on to look for a local user with this access key and fails with ERR_INVALID_ACCESS_KEY

when looking up an access key in keystone's secret cache (https://github.com/ceph/ceph/blame/ad54514/src/rgw/rgw_auth_keystone.cc#L575-L582), we'll only use a cached secret if its signature matches the client's. but the test deliberately signs with the wrong secret key roflmao, so we never get to the point where we'd fail with SignatureDoesNotMatch

Related issues 4 (2 open — 2 closed)