Bug #62989
s3test test_list_buckets_bad_auth fails with Keystone EC2
Description
from teuthology run: http://qa-proxy.ceph.com/teuthology/cbodley-2023-09-25_17:25:06-rgw:tempest-main-distro-default-smithi/7402007/teuthology.log
associated rgw log: http://qa-proxy.ceph.com/teuthology/cbodley-2023-09-25_17:25:06-rgw:tempest-main-distro-default-smithi/7402007/remote/smithi083/log/rgw.ceph.client.0.log.gz
2023-09-25T17:57:58.766+0000 7f19e7847640 0 req 17314085603299168821 0.000000000s s3:list_buckets Secret string does not correctly sign payload, cache miss
2023-09-25T17:57:58.766+0000 7f19e7847640 20 req 17314085603299168821 0.000000000s s3:list_buckets found cached admin token
2023-09-25T17:57:58.766+0000 7f19e7847640 20 sending request to http://smithi083.front.sepia.ceph.com:5000/v3/s3tokens
2023-09-25T17:57:58.766+0000 7f19e7847640 20 register_request mgr=0x55e34cdaf440 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.766+0000 7f19e7847640 20 WARNING: blocking http request
2023-09-25T17:57:58.766+0000 7f1a9d3c0640 20 link_request req_data=0x55e3517e6f00 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.850+0000 7f19e7847640 2 req 17314085603299168821 0.083998606s s3:list_buckets s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
":"172.21.15.83","user":"testx$tenanteduser.client.0","operation":"list_buckets","uri":"GET / HTTP/1.1","http_status":"200","error_code":"","bytes_sent":286,"bytes_received":0,"object_size":0,"total_time":123,"user_agent":"Boto3/1.24.96 Python/3.10.6 Linux/5.15.0-84-generic Botocore/1.27.96","referrer":"","trans_id":"tx000005cad476ef5a5d8be-006511ca25-1074-default","authentication_type":"Local","access_key_id":"NCTNZXHHCHGAZFMMCOEA","temp_url":false}9b8-44d2-87e2-4b0e54ad09d8.4214.229
2023-09-25T17:57:58.850+0000 7f19e7847640 20 req 17314085603299168821 0.083998606s s3:list_buckets rgw::auth::keystone::EC2Engine denied with reason=-1
...
2023-09-25T17:57:58.854+0000 7f19e7847640 5 req 17314085603299168821 0.087998547s s3:list_buckets error reading user info, uid=7f6fb8d9f45a4fdfb0e71907ca2ca1f0 can't authenticate
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::LocalEngine rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::AWSAuthStrategy rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640 5 req 17314085603299168821 0.087998547s s3:list_buckets Failed the auth strategy, reason=-2028
because EC2Engine returns deny instead of reject, LocalEngine goes on to look for a local user with this access key and fails with ERR_INVALID_ACCESS_KEY

when looking up an access key in keystone's secret cache (https://github.com/ceph/ceph/blame/ad54514/src/rgw/rgw_auth_keystone.cc#L575-L582), we'll only use a cached secret if its signature matches the client's. but the test deliberately signs with the wrong secret key roflmao, so we never get to the point where we'd fail with SignatureDoesNotMatch
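The failure path described above, as an added example (a simplified C++ model, not Ceph's code and not part of the original report). It shows how a request for a cached Keystone key signed with the wrong secret ends as reason -2028 from the local engine instead of a signature mismatch. The type and function names, `AKEXAMPLE`, `right-secret` and `kSigMismatch` are assumptions; the reasons -1 and -2028 and the wrong secret `roflmao` come from the report.

```cpp
// Simplified model of the engine chain in this report; not Ceph's code.
// Reasons -1 and -2028 come from the log above; other names are hypothetical.
#include <map>
#include <string>

enum class Status { Granted, Denied, Rejected };  // Denied: try next engine
struct Result { Status status; int reason; };
struct Request { std::string access_key, payload, signature; };
using Secrets = std::map<std::string, std::string>;  // access key -> secret
const int kSigMismatch = -9999;  // hypothetical placeholder error code

// Stand-in for SigV4 signing: enough to tell two secrets apart.
std::string sign(const std::string& secret, const std::string& payload) {
  return secret + '\n' + payload;
}
bool matches(const Secrets& s, const Request& r) {
  auto it = s.find(r.access_key);
  return it != s.end() && sign(it->second, r.payload) == r.signature;
}

struct EC2EngineModel {
  Secrets keystone, secret_cache;  // Keystone's secrets; RGW's cached copies
  int keystone_calls = 0;
  Result authenticate(const Request& r) {
    // A cached secret is used only if it reproduces the client's signature.
    if (matches(secret_cache, r)) return {Status::Granted, 0};
    ++keystone_calls;  // "cache miss": ask Keystone to validate instead
    if (!matches(keystone, r)) return {Status::Denied, -1};  // Keystone's 401
    secret_cache[r.access_key] = keystone[r.access_key];
    return {Status::Granted, 0};
  }
};

// Local engine: unknown access key is ERR_INVALID_ACCESS_KEY (-2028).
Result local_engine(const Secrets& users, const Request& r) {
  if (!users.count(r.access_key)) return {Status::Rejected, -2028};
  return {matches(users, r) ? Status::Granted : Status::Rejected,
          matches(users, r) ? 0 : kSigMismatch};
}

Result run_strategy(EC2EngineModel& ec2, const Secrets& local, const Request& r) {
  Result res = ec2.authenticate(r);
  return res.status == Status::Denied ? local_engine(local, r) : res;
}

// Constructed case: cached Keystone key, request signed with the wrong secret.
Result bad_auth_case(EC2EngineModel& ec2) {
  ec2.secret_cache = {{"AKEXAMPLE", "right-secret"}};
  ec2.keystone = ec2.secret_cache;
  return run_strategy(ec2, {}, {"AKEXAMPLE", "GET /", sign("roflmao", "GET /")});
}
```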
Updated by Casey Bodley 7 months ago
- Status changed from New to Fix Under Review
- Assignee set to Casey Bodley
- Pull request ID set to 53680
Updated by Casey Bodley 7 months ago
- Blocks Bug #59424: run s3tests against keystone EC2 added
Updated by Casey Bodley 7 months ago
- Status changed from Fix Under Review to Pending Backport
Updated by Backport Bot 7 months ago
- Copied to Backport #63043: pacific: s3test test_list_buckets_bad_auth fails with Keystone EC2 added
Updated by Backport Bot 7 months ago
- Copied to Backport #63044: quincy: s3test test_list_buckets_bad_auth fails with Keystone EC2 added
Updated by Backport Bot 7 months ago
- Copied to Backport #63045: reef: s3test test_list_buckets_bad_auth fails with Keystone EC2 added
Updated by Backport Bot 7 months ago
- Tags changed from keystone ec2 to keystone ec2 backport_processed
Updated by Casey Bodley 7 months ago
additional fix merged in https://github.com/ceph/ceph/pull/53846, will include in backports