Bug #69001

closed

rgw/sts s3test failures when rgw_s3_auth_order puts local before sts

Added by Casey Bodley over 1 year ago. Updated over 1 year ago.

Status: Duplicate
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor
Tags (freeform): sts s3

Description

from http://qa-proxy.ceph.com/teuthology/cbodley-2024-11-20_14:25:57-rgw-wip-rgw-revert-auth-code-distro-default-smithi/8001375/teuthology.log

=================================== FAILURES ===================================
________________ test_get_session_token_permanent_creds_denied _________________

...
        try:
            s3bucket = s3_client.create_bucket(Bucket=bucket_name)
        except ClientError as e:
            s3bucket_error = e.response.get("Error", {}).get("Code")
>       assert s3bucket_error == 'AccessDenied'
E       AssertionError: assert None == 'AccessDenied'

after that, several errors during teardown of other tests:

==================================== ERRORS ====================================
______ ERROR at teardown of test_get_session_token_permanent_creds_denied ______

configfile = <class 'munch.Munch'>

    @pytest.fixture(autouse=True)
    def setup_teardown(configfile):
        setup()
        yield
>       teardown()
...
s3tests_boto3/functional/__init__.py:297: in setup
    nuke_prefixed_buckets(prefix=prefix, client=alt_client)
s3tests_boto3/functional/__init__.py:145: in nuke_prefixed_buckets
    buckets = get_buckets_list(client, prefix)
s3tests_boto3/functional/__init__.py:56: in get_buckets_list
    response = client.list_buckets()
...
E           botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: None


Related issues 1 (0 open, 1 closed)

Is duplicate of rgw - Bug #68393: s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before external (Resolved, Pritha Srivastava)

Actions #1

Updated by Casey Bodley over 1 year ago

  • Description updated (diff)
Actions #2

Updated by Casey Bodley over 1 year ago

the reason that test_get_session_token_permanent_creds_denied isn't getting AccessDenied from s3_client.create_bucket() is that we're passing valid access/secret keys that are accepted by the local engine:

    s3_client=boto3.client('s3',
                aws_access_key_id = s3_main_access_key,
                aws_secret_access_key = s3_main_secret_key,
                aws_session_token = response['Credentials']['SessionToken'],
                endpoint_url=default_endpoint,
                region_name='',
                )

whereas the session token is associated with the alt_client with a user policy meant to Deny

can we omit the aws_access_key_id/aws_secret_access_key arguments here? i'm testing this in https://github.com/ceph/s3-tests/pull/604
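
The effect described in the comment above, as an added toy model that is not part of the original thread, s3-tests, or RGW code: an ordered engine chain where the first engine to accept a request decides its identity. Assumptions: the engine functions, key and token values are constructed, the local engine is modelled as never reading the session token, and an engine that does not recognise the credentials passes the request on.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: one user's permanent key pair, and a session
# token issued to a different user whose policy denies everything.
PERMANENT_KEYS = {"MAINKEY": ("MAINSECRET", "main")}
SESSION_TOKENS = {"TOKEN-ALT": "alt"}
DENY_ALL_USERS = {"alt"}

@dataclass
class Request:
    access_key: Optional[str] = None
    secret_key: Optional[str] = None
    session_token: Optional[str] = None

def local_engine(req):
    """Checks the permanent key pair only; the session token is not read."""
    entry = PERMANENT_KEYS.get(req.access_key)
    if entry and hmac.compare_digest(entry[0], req.secret_key or ""):
        return entry[1]
    return None  # not recognised, let the next engine try

def sts_engine(req):
    """Resolves the identity from the session token, if one is present."""
    return SESSION_TOKENS.get(req.session_token)

ENGINES = {"local": local_engine, "sts": sts_engine}

def create_bucket(req, auth_order):
    """Return the S3 error code, or None on success (as the test reads it)."""
    for name in auth_order:
        user = ENGINES[name](req)
        if user is not None:  # assumption: first accepting engine wins
            return "AccessDenied" if user in DENY_ALL_USERS else None
    return "AccessDenied"  # no engine accepted the credentials

def demo():
    mixed = Request("MAINKEY", "MAINSECRET", "TOKEN-ALT")  # what the test sends
    token_only = Request(session_token="TOKEN-ALT")        # permanent keys omitted
    return {
        "mixed, sts first": create_bucket(mixed, ["sts", "local"]),
        "mixed, local first": create_bucket(mixed, ["local", "sts"]),
        "token only, local first": create_bucket(token_only, ["local", "sts"]),
    }

if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {code}")
```

In this model the "mixed, local first" case returns None, which is the value the failing assertion compared against 'AccessDenied'; the token-only case is the model's behaviour only and says nothing about how RGW or boto3 treat a request without permanent keys.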

Actions #3

Updated by Casey Bodley over 1 year ago

a separate question: with default rgw_s3_auth_order (sts before local), why didn't we fall back to the local engine and accept this request?

Actions #4

Updated by J. Eric Ivancich over 1 year ago

  • Status changed from New to Duplicate
Actions #5

Updated by J. Eric Ivancich over 1 year ago

  • Is duplicate of Bug #68393: s3 with keystone ec2 auth fails when rgw_s3_auth_order puts local before external added