rgw/keystone: EC2Engine uses reject() for ERR_SIGNATURE_NO_MATCH #53680

Merged: cbodley merged 1 commit into ceph:main from cbodley:wip-62989, Oct 2, 2023


cbodley commented Sep 26, 2023

ERR_SIGNATURE_NO_MATCH means that we found the given access key in keystone, so we should use reject() instead of deny() to prevent other engines like LocalEngine from looking up the access key again

this change causes us to return the SignatureDoesNotMatch error expected by s3test case test_list_buckets_bad_auth()

Fixes: https://tracker.ceph.com/issues/62989


ERR_SIGNATURE_NO_MATCH means that we found the given access key in
keystone, so we should use reject() instead of deny() to prevent
other engines like LocalEngine from looking up the access key again

this change causes us to return the SignatureDoesNotMatch error expected
by s3test case test_list_buckets_bad_auth()

Fixes: https://tracker.ceph.com/issues/62989

Signed-off-by: Casey Bodley <cbodley@redhat.com>
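
The deny()/reject() distinction described in this PR, as an added example that is not Ceph's code and not part of the original conversation: a simplified model of an ordered engine chain in which a denied result falls through to the next engine and a rejected result stops the chain. All names, the sample key and signatures, and the rule that the client sees the last result produced are assumptions of this model.

```cpp
// Simplified model of an ordered auth-engine chain; not Ceph's code.
// Every type, function and sample value here is hypothetical.
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

enum class Status { Granted, Denied, Rejected };
struct Result { Status status; std::string error; };
using Engine = std::function<Result(const std::string&, const std::string&)>;
using KeyStore = std::map<std::string, std::string>;  // access key -> signature

// Engine over one key store. An unknown key is Denied (not ours to judge);
// a known key with a bad signature yields `on_mismatch`.
Engine make_engine(KeyStore keys, Status on_mismatch) {
  return [=](const std::string& key, const std::string& sig) -> Result {
    auto it = keys.find(key);
    if (it == keys.end()) return {Status::Denied, "InvalidAccessKeyId"};
    if (it->second != sig) return {on_mismatch, "SignatureDoesNotMatch"};
    return {Status::Granted, ""};
  };
}

// Granted or Rejected ends the chain; Denied falls through to the next
// engine. Assumption: the client sees the last result produced.
Result authenticate(const std::vector<Engine>& chain,
                    const std::string& key, const std::string& sig) {
  Result last{Status::Denied, "AccessDenied"};
  for (const auto& engine : chain) {
    last = engine(key, sig);
    if (last.status != Status::Denied) break;
  }
  return last;
}

// Constructed sample: the key exists only in the external store and the
// request carries the wrong signature.
std::string error_for_bad_signature(Status on_mismatch) {
  KeyStore external{{"AKEXAMPLE", "good-sig"}};
  KeyStore local{};  // the local store does not know this key
  std::vector<Engine> chain{make_engine(external, on_mismatch),
                            make_engine(local, Status::Rejected)};
  return authenticate(chain, "AKEXAMPLE", "bad-sig").error;
}

int main() {
  std::cout << "deny:   " << error_for_bad_signature(Status::Denied) << "\n"
            << "reject: " << error_for_bad_signature(Status::Rejected) << "\n";
}
```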

cbodley commented Sep 26, 2023

discovered this while testing #52813


cbodley commented Sep 27, 2023

jenkins test api



cbodley commented Oct 3, 2023

oops! i didn't test this against keystone ec2 until now, and the test case is still failing:

req 6293283477976524732 0.107998163s s3:post_obj s3 keystone: token validation ERROR: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

that error message shows that EC2Engine::get_from_keystone() is throwing the error from validate.process() before it has a chance to check for HTTP_STATUS_UNAUTHORIZED/HTTP_STATUS_NOTFOUND:
https://github.com/ceph/ceph/blob/c743568a/src/rgw/rgw_auth_keystone.cc#L446-L459

i'll open another pr to fix the error handling here. but several other users of RGWHTTPClient appear to have the same issue (rgw_auth_keystone.cc, rgw_keystone.cc, rgw_kms.cc)


cbodley commented Oct 5, 2023

^ followup in #53846
