qa/rgw: run s3tests against keystone ec2 #52813

Merged
cbodley merged 9 commits into ceph:main from cbodley:wip-59424
Nov 21, 2023

@cbodley
Contributor

@cbodley cbodley commented Aug 4, 2023

  • allow keystone task's yaml to create ec2 credentials for its users
  • allow s3test task's yaml to point at keystone users instead of creating a local user with radosgw-admin
  • add an s3test task to the rgw/tempest suite

Fixes: https://tracker.ceph.com/issues/59424

@cbodley
Contributor Author

cbodley commented Aug 4, 2023

cc @tobias-urdin, thanks for the pointers in #52673 (comment)

@cbodley
Contributor Author

cbodley commented Aug 4, 2023

it might make sense to rename this rgw/tempest suite to rgw/keystone, and run tempest and s3test tasks as 2 separate jobs

Comment on lines +428 to +432
run_in_keystone_venv(ctx, client,
[ 'openstack', 'ec2', 'credentials', 'list', '--debug' ] +
os_auth_args(public_host, public_port)
return ( 'access', 'secret' ) # TODO
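
Review bot: the return on the last line hands back the literal pair ('access', 'secret') while the result of the `ec2 credentials list` call above it is dropped, so any caller would sign S3 requests with placeholder keys and fail authentication with no hint why. Capture the command's stdout, scope the listing with `--user` and request `--format json` so the keys can be parsed instead of scraped from table output, and consider dropping `--debug` once this works, since the debug trace of the create call quoted below prints the secret in its response body.
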
Contributor Author

will need to see what this output looks like in order to parse it correctly

Contributor Author

@cbodley cbodley Aug 4, 2023

this is what the ec2 credentials create command returned:

RESP BODY: {"credential": {"user_id": "d41f3e2a147044eca92fa604951dccd9", "tenant_id": "3b5f6f00a3b84b4bb857c6e456dd2abf", "access": "ab19b2a007d7489fa433db6cc0e30333", "secret": "6e141ec00c5b41468d92cad54e181637", "trust_id": null, "links": {...}}}

@cbodley cbodley force-pushed the wip-59424 branch 2 times, most recently from 1dd2e91 to 2b15abc Compare August 4, 2023 23:19
@tobias-urdin
Contributor

this is great! will check it out next week, thanks

@tobias-urdin
Contributor

it might make sense to rename this rgw/tempest suite to rgw/keystone, and run tempest and s3test tasks as 2 separate jobs

LGTM, looking forward to some test results that it works. I think separating them might be a good idea

Comment on lines +430 to +435
proc = run_in_keystone_venv(ctx, client,
['openstack', 'ec2', 'credentials', 'list',
'--user', user, '--format', 'json', '--debug'] +
os_auth_args(public_host, public_port),
stdout=StringIO())
response = json.loads(proc.stdout.getvalue())
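
Review bot: `json.loads(proc.stdout.getvalue())` on the last line assumes run_in_keystone_venv returns a single process object with captured stdout, which nothing in this hunk guarantees; if the helper returns nothing, or a list of processes, this raises AttributeError before any credential is read. Have the helper return the process (or index the one needed), and check that the decoded list is non-empty before indexing into it, so a user without ec2 credentials fails with a clear message.
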
Contributor Author

making some progress:

2023-08-08T16:12:06.337 INFO:teuthology.orchestra.run.smithi062.stdout:[
2023-08-08T16:12:06.337 INFO:teuthology.orchestra.run.smithi062.stdout:  {
2023-08-08T16:12:06.337 INFO:teuthology.orchestra.run.smithi062.stdout:    "Access": "6351f6d729454264ba27a4a1832c3f8d",
2023-08-08T16:12:06.337 INFO:teuthology.orchestra.run.smithi062.stdout:    "Secret": "651d8ede06934828bb5666b996d22410",
2023-08-08T16:12:06.337 INFO:teuthology.orchestra.run.smithi062.stdout:    "Project ID": "5ce5ea6c00ae47fa9edb966b12b27686",
2023-08-08T16:12:06.338 INFO:teuthology.orchestra.run.smithi062.stdout:    "User ID": "5c692f3ae22a417bac41acab291d81e1"
2023-08-08T16:12:06.338 INFO:teuthology.orchestra.run.smithi062.stdout:  }
2023-08-08T16:12:06.338 INFO:teuthology.orchestra.run.smithi062.stdout:]
2023-08-08T16:12:06.469 ERROR:teuthology.contextutil:Saw exception from nested tasks
Traceback (most recent call last):
  File "/home/teuthworker/src/git.ceph.com_teuthology_7fda95956ac10132c9b74016ba832db907df09fa/teuthology/contextutil.py", line 30, in nested
    vars.append(enter())
  File "/usr/lib/python3.8/contextlib.py", line 113, in __enter__
    return next(self.gen)
  File "/home/teuthworker/src/github.com_cbodley_ceph_91cc18c91d8eafc57e15922762084e7051d083a6/qa/tasks/s3tests.py", line 114, in create_users
    access, secret = ctx.keystone.read_ec2_credentials(ctx, **keystone_user)
  File "/home/teuthworker/src/github.com_cbodley_ceph_91cc18c91d8eafc57e15922762084e7051d083a6/qa/tasks/keystone.py", line 435, in read_ec2_credentials
    response = json.loads(proc.stdout.getvalue())
AttributeError: 'NoneType' object has no attribute 'stdout'

Contributor Author

not sure what it's complaining about now

    response = json.loads(proc.stdout.getvalue())
AttributeError: 'list' object has no attribute 'stdout'

from http://qa-proxy.ceph.com/teuthology/cbodley-2023-08-08_18:09:50-rgw:tempest-main-distro-default-smithi/7363371/teuthology.log

Contributor

Usually, that means the command (credentials list?) didn't have any output. Bad connection or crash, maybe?

Contributor Author

got this part working:

2023-08-09T16:54:20.630 INFO:tasks.keystone:proc: [RemoteProcess(client=<paramiko.client.SSHClient object at 0x7f931a84b970>, args=['cd', '/home/ubuntu/cephtest/keystone', Raw('&&'), 'source', '.tox/venv/bin/activate', Raw('&&'), 'openstack', 'ec2', 'credentials', 'list', '--user', 's3tests-main', '--format', 'json', '--debug', '--os-username', 'admin', '--os-password', 'ADMIN', '--os-user-domain-id', 'default', '--os-project-name', 'admin', '--os-project-domain-id', 'default', '--os-identity-api-version', '3', '--os-auth-url', 'http://smithi177.front.sepia.ceph.com:5000/v3'], check_status=True, hostname='smithi177')]
2023-08-09T16:54:20.630 INFO:tasks.keystone:response: [{'Access': 'f0fdcaa1f1ac4b58ba6c46ab10885b49', 'Secret': '88f51ec220db44499c0dd6145342f7b9', 'Project ID': 'cf23225fc9af4c54a8a310dec694b53a', 'User ID': '4ee9cbac66ac45fc862a11a7adb5683b'}]
2023-08-09T16:54:20.630 DEBUG:tasks.s3tests:Using keystone user s3tests-main credentials (f0fdcaa1f1ac4b58ba6c46ab10885b49 : 88f51ec220db44499c0dd6145342f7b9) for foo.client.0 on client.0
2023-08-09T16:54:20.631 DEBUG:tasks.s3tests:Creating user bar.client.0 on client.0
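
Added example, not part of the PR or of Ceph's qa code: one way to turn the `ec2 credentials list --format json` output shown in this thread into a key pair, failing clearly on empty or malformed output and masking the secret before it reaches a log line. `parse_ec2_credentials`, `redact` and `CredentialError` are hypothetical names, and the sample values are constructed.

```python
import json

class CredentialError(Exception):
    """Raised when the CLI output cannot be turned into one key pair."""

def parse_ec2_credentials(stdout_text, user):
    """Return (access, secret) from `ec2 credentials list --format json` output."""
    if not stdout_text or not stdout_text.strip():
        # Matches the "command had no output" case raised in the thread.
        raise CredentialError(f"no output listing ec2 credentials for {user}")
    try:
        rows = json.loads(stdout_text)
    except json.JSONDecodeError as e:
        raise CredentialError(f"unparseable output for {user}: {e}") from None
    if not isinstance(rows, list) or not rows:
        raise CredentialError(f"user {user} has no ec2 credentials")
    row = rows[0]
    try:
        return row["Access"], row["Secret"]
    except (KeyError, TypeError):
        raise CredentialError(f"credential row for {user} lacks Access/Secret") from None

def redact(secret, keep=4):
    """Mask a secret for log lines, keeping a short prefix for correlation."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

# Constructed sample in the shape of the teuthology log above (values are made up).
SAMPLE = """[
  {
    "Access": "0123456789abcdef0123456789abcdef",
    "Secret": "fedcba9876543210fedcba9876543210",
    "Project ID": "11111111111111111111111111111111",
    "User ID": "22222222222222222222222222222222"
  }
]"""

if __name__ == "__main__":
    access, secret = parse_ec2_credentials(SAMPLE, "s3tests-main")
    print(f"Using keystone user s3tests-main credentials ({access} : {redact(secret)})")
```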

@cbodley cbodley force-pushed the wip-59424 branch 3 times, most recently from 5292b60 to 0daef22 Compare August 9, 2023 16:26
@cbodley
Contributor Author

cbodley commented Aug 9, 2023

i got the s3tests running, but they all fail with Method Not Allowed - the s3 api isn't exposed due to frontend_prefix: /swift. that seems like a good reason to split the tasks

@cbodley cbodley force-pushed the wip-59424 branch 2 times, most recently from fd94e83 to d7d5733 Compare August 9, 2023 20:19
@cbodley
Contributor Author

cbodley commented Aug 9, 2023

last attempt was filled with InvalidAccessKeyId errors instead. hopefully adding rgw s3 auth use keystone: true will resolve those

@cbodley
Contributor Author

cbodley commented Aug 10, 2023

with rgw s3 auth use keystone enabled, tests now fail with AccessDenied. rgw log shows:

2023-08-09T21:10:58.836+0000 7f44682da640 2 req 15080010200567462358 0.323997051s s3:list_buckets s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

@tobias-urdin
Contributor

with rgw s3 auth use keystone enabled, tests now fail with AccessDenied. rgw log shows:

2023-08-09T21:10:58.836+0000 7f44682da640 2 req 15080010200567462358 0.323997051s s3:list_buckets s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

Just a quick guess would be that you need to assign the member role for the s3tests user in Keystone.

The below part, like it's done for rgwcrypt suite since we have rgw keystone accepted roles = admin,member, hopefully that should be it.

- keystone:
    client.0:
...snip...
      roles: [ name: member ]
      role-mappings:
        - name: member
          user: s3tests-main
          project: s3tests

@cbodley
Contributor Author

cbodley commented Aug 10, 2023

getting better! http://qa-proxy.ceph.com/teuthology/cbodley-2023-08-10_18:30:57-rgw:tempest-main-distro-default-smithi/7364897/teuthology.log

= 57 failed, 528 passed, 77 skipped, 117 deselected, 1 xfailed, 18 warnings in 687.05s (0:11:27) =

some acl tests failing because they expect the DisplayName to be Mr. foo.client.0 instead of s3tests

some encryption tests failing because they probably need extra config

when the s3tests task cleans up, it fails trying to delete the local user that we didn't create:

radosgw-admin -n client.0 user rm --uid foo.client.0 --purge-data --cluster ceph

@cbodley cbodley force-pushed the wip-59424 branch 2 times, most recently from faf86d7 to fa3d274 Compare September 25, 2023 17:24
@cbodley
Contributor Author

cbodley commented Sep 25, 2023

down to a single s3test failure in http://qa-proxy.ceph.com/teuthology/cbodley-2023-09-25_17:25:06-rgw:tempest-main-distro-default-smithi/7402007/teuthology.log: test_list_buckets_bad_auth gets InvalidAccessKeyId where it expects SignatureDoesNotMatch

@tobias-urdin
Contributor

test_list_buckets_bad_auth

That's awesome! That error is probably valid as well and the test needs to be changed to accommodate the difference in response when Keystone auth is used per https://github.com/ceph/ceph/blob/main/src/rgw/rgw_auth_keystone.cc#L448-L455

@cbodley
Contributor Author

cbodley commented Sep 25, 2023

rgw log from that failing test:

2023-09-25T17:57:58.766+0000 7f19e7847640  0 req 17314085603299168821 0.000000000s s3:list_buckets Secret string does not correctly sign payload, cache miss
2023-09-25T17:57:58.766+0000 7f19e7847640 20 req 17314085603299168821 0.000000000s s3:list_buckets found cached admin token
2023-09-25T17:57:58.766+0000 7f19e7847640 20 sending request to http://smithi083.front.sepia.ceph.com:5000/v3/s3tokens
2023-09-25T17:57:58.766+0000 7f19e7847640 20 register_request mgr=0x55e34cdaf440 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.766+0000 7f19e7847640 20 WARNING: blocking http request
2023-09-25T17:57:58.766+0000 7f1a9d3c0640 20 link_request req_data=0x55e3517e6f00 req_data->id=1303, curl_handle=0x55e351ad5d20
2023-09-25T17:57:58.850+0000 7f19e7847640  2 req 17314085603299168821 0.083998606s s3:list_buckets s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
":"172.21.15.83","user":"testx$tenanteduser.client.0","operation":"list_buckets","uri":"GET / HTTP/1.1","http_status":"200","error_code":"","bytes_sent":286,"bytes_received":0,"object_size":0,"total_time":123,"user_agent":"Boto3/1.24.96 Python/3.10.6 Linux/5.15.0-84-generic Botocore/1.27.96","referrer":"","trans_id":"tx000005cad476ef5a5d8be-006511ca25-1074-default","authentication_type":"Local","access_key_id":"NCTNZXHHCHGAZFMMCOEA","temp_url":false}9b8-44d2-87e2-4b0e54ad09d8.4214.229
2023-09-25T17:57:58.850+0000 7f19e7847640 20 req 17314085603299168821 0.083998606s s3:list_buckets rgw::auth::keystone::EC2Engine denied with reason=-1
...
2023-09-25T17:57:58.854+0000 7f19e7847640  5 req 17314085603299168821 0.087998547s s3:list_buckets error reading user info, uid=7f6fb8d9f45a4fdfb0e71907ca2ca1f0 can't authenticate
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::LocalEngine rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640 20 req 17314085603299168821 0.087998547s s3:list_buckets rgw::auth::s3::AWSAuthStrategy rejected with reason=-2028
2023-09-25T17:57:58.854+0000 7f19e7847640  5 req 17314085603299168821 0.087998547s s3:list_buckets Failed the auth strategy, reason=-2028

because EC2Engine returns deny instead of reject, LocalEngine goes on to look for a local user with this access key and fails with ERR_INVALID_ACCESS_KEY

when looking up an access key in keystone's secret cache (https://github.com/ceph/ceph/blame/ad54514/src/rgw/rgw_auth_keystone.cc#L575-L582), we'll only use a cached secret if its signature matches the client's. but the test deliberately signs with the wrong secret key roflmao, so we never get to the point where we'd fail with SignatureDoesNotMatch
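
A toy model of the fall-through described in this comment, added here and not RGW's code: a request signed with the wrong secret misses the secret cache, keystone refuses it, and the verdict the keystone engine returns decides which error the client sees. The plain HMAC standing in for SigV4, the three-verdict chain, all names and values, and the error a rejecting engine would report are assumptions.

```python
import hashlib
import hmac
from enum import Enum

class Verdict(Enum):
    GRANTED = 1   # authenticated, stop
    DENIED = 2    # this engine cannot vouch for the request; try the next one
    REJECTED = 3  # definitive failure; stop and report this engine's error

def sign(secret, string_to_sign):
    """Plain HMAC-SHA256 stand-in for the real S3 signature (assumption)."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()

# Constructed state: keystone owns the key pair, the gateway has cached it,
# and no local user has this access key.
KEYSTONE = {"AKEXAMPLE": "right-secret"}
SECRET_CACHE = dict(KEYSTONE)
LOCAL_USERS = {}

def keystone_validates(req):
    """Stand-in for the s3tokens round trip: keystone re-signs and compares."""
    secret = KEYSTONE.get(req["access"])
    return secret is not None and hmac.compare_digest(sign(secret, req["sts"]), req["sig"])

def ec2_engine(req, on_failure):
    cached = SECRET_CACHE.get(req["access"])
    if cached and hmac.compare_digest(sign(cached, req["sts"]), req["sig"]):
        return Verdict.GRANTED, None           # cached secret signs the payload
    if keystone_validates(req):                # cache miss: ask keystone
        return Verdict.GRANTED, None
    # Keystone answered 401. The error attached to a reject is assumed.
    return on_failure, "SignatureDoesNotMatch"

def local_engine(req, _on_failure):
    secret = LOCAL_USERS.get(req["access"])
    if secret is None:
        return Verdict.REJECTED, "InvalidAccessKeyId"
    ok = hmac.compare_digest(sign(secret, req["sts"]), req["sig"])
    return (Verdict.GRANTED, None) if ok else (Verdict.REJECTED, "SignatureDoesNotMatch")

def authenticate(req, on_failure):
    """Walk the chain; return (error or None, names of engines tried)."""
    tried, error = [], None
    for engine in (ec2_engine, local_engine):
        tried.append(engine.__name__)
        verdict, error = engine(req, on_failure)
        if verdict is not Verdict.DENIED:
            break
    return error, tried

def request(access, secret, sts="GET\n/\n"):
    return {"access": access, "sts": sts, "sig": sign(secret, sts)}
```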

@cbodley
Contributor Author

cbodley commented Sep 26, 2023

because EC2Engine returns deny instead of reject, LocalEngine goes on to look for a local user with this access key and fails with ERR_INVALID_ACCESS_KEY

i opened #53680 with a proposed fix, and created https://tracker.ceph.com/issues/62989 to track the backports

Signed-off-by: Casey Bodley <cbodley@redhat.com>
Fixes: https://tracker.ceph.com/issues/59424

Signed-off-by: Casey Bodley <cbodley@redhat.com>
tempest relies on `frontend_prefix: /swift` to serve the swift api from
the root path

s3tests relies on the same for s3. move the frontend_prefix
override into the tempest task so it doesn't apply to s3tests

Signed-off-by: Casey Bodley <cbodley@redhat.com>
@cbodley cbodley marked this pull request as ready for review October 6, 2023 14:43
@cbodley cbodley requested a review from a team as a code owner October 6, 2023 14:43
@cbodley
Contributor Author

cbodley commented Oct 9, 2023

bundled with the fix from #53846, this passed qa in https://pulpito.ceph.com/cbodley-2023-10-06_14:43:00-rgw-wip-62989-again-distro-default-smithi/. we'll need to merge the fix first

@cbodley
Contributor Author

cbodley commented Oct 16, 2023

we'll need to merge the fix first

everything's passing now, this is ready for review

@cbodley
Contributor Author

cbodley commented Nov 6, 2023

@cbodley
Contributor Author

cbodley commented Nov 6, 2023

@dang @alimaredia may i kindly request a final review/approval?

@mdw-at-linuxbox
Contributor

If I understand this right, the reason to bundle s3tests+ec2 & tempest together is because the tempest test sets up keystone. But - setting up keystone is fast, running s3tests or tempest is slow. I'd rather see this as 2 separate tests because that makes it easy to run just the s3 or tempest part alone.

@cbodley
Contributor Author

cbodley commented Nov 10, 2023

If I understand this right, the reason to bundle s3tests+ec2 & tempest together is because the tempest test sets up keystone. But - setting up keystone is fast, running s3tests or tempest is slow. I'd rather see this as 2 separate tests because that makes it easy to run just the s3 or tempest part alone.

thanks @mdw-at-linuxbox. it does run the s3tests as a separate job, because that requires radosgw to be configured for s3-at-root while tempest requires swift-at-root. you can use --filter to select one or the other
