Bug #70607

closed

FAILED test_encryption_sse_c_deny_algo_with_bucket_policy

Added by Casey Bodley about 1 year ago. Updated 11 months ago.

Status: Resolved
Priority: Urgent
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor
Tags (freeform): 100-continue

Description

from the test case:

        client.put_bucket_policy(Bucket=bucket_name, Policy=policy_document)

        check_access_denied(client.put_object, Bucket=bucket_name, Key='foo', Body='bar', SSECustomerAlgorithm='AES192')

>       client.put_object(
            Bucket=bucket_name, Key='foo', Body='bar',
            SSECustomerAlgorithm='AES256',
            SSECustomerKey='pO3upElrwuEXSoFwCfnZPdSsmt/xWeFa0N9KgDijwVs=',
            SSECustomerKeyMD5='DWygnHRtgiJ77HCm+1rvHw=='
        )
...
>           raise error_class(parsed_response, operation_name)
E           botocore.exceptions.ClientError: An error occurred (400) when calling the PutObject operation: Bad Request

the rgw log shows the 403 response expected by check_access_denied(), but fails to parse the next put_object() request:

2025-03-21T04:32:21.335+0000 45855640 16 req 12792652476892950764 0.017999625s s3:put_obj verify_bucket_permission: policy: { Version: 2012-10-17, Statements: [ { Principal: { * }, Effect: Deny, Action: [ s3:PutObject ], Resource: [ arn:aws:s3:::test-ugwzc4ee3zbeyr5tfypvr54d-449/* ], Condition: { StringNotEquals: { s3:x-amz-server-side-encryption-customer-algorithm[ AES256 ] } } } ],  } resource: arn:aws:s3:::test-ugwzc4ee3zbeyr5tfypvr54d-449/foo
2025-03-21T04:32:21.336+0000 45855640 10 req 12792652476892950764 0.018999605s s3:put_obj evaluate_iam_policies: explicit deny from resource-based policy
2025-03-21T04:32:21.336+0000 45855640 20 req 12792652476892950764 0.018999605s op->ERRORHANDLER: err_no=-13 new_err_no=-13
2025-03-21T04:32:21.341+0000 45855640 10 req 12792652476892950764 0.023999499s cache get: name=default.rgw.log++script.postrequest. : hit (negative entry)
2025-03-21T04:32:21.343+0000 45855640  2 req 12792652476892950764 0.025999457s s3:put_obj op status=0
2025-03-21T04:32:21.343+0000 45855640  2 req 12792652476892950764 0.025999457s s3:put_obj http status=403
2025-03-21T04:32:21.343+0000 45855640  1 ====== req done req=0x57d1a4a0 op=put_obj bucket=test-ugwzc4ee3zbeyr5tfypvr54d-449 status=0 http_status=403 latency=0.025999457s request_id=tx00000b188a1a63c39b0ec-0067dcebd5-4644-default ======
2025-03-21T04:32:21.343+0000 45855640  1 beast: 0x57d1a4a0: 172.21.15.5 - foo.client.0 [21/Mar/2025:04:32:21.316 +0000] "PUT /test-ugwzc4ee3zbeyr5tfypvr54d-449/foo HTTP/1.1" 403 262 - "Boto3/1.37.17 md/Botocore#1.37.17 ua/2.1 os/linux#5.14.0-572.el9.x86_64 md/arch#x86_64 lang/python#3.9.21 md/pyimpl#CPython m/N cfg/retry-mode#legacy Botocore/1.37.17" - latency=0.025999457s
2025-03-21T04:32:21.344+0000 45855640  1 failed to read header: bad method
2025-03-21T04:32:21.345+0000 844f3640  1 ====== req done http_status=400 ======

"bad method" errors are reminiscent of https://tracker.ceph.com/issues/58286 and https://tracker.ceph.com/issues/64841 (unresolved), both of which relate to 100-continue. this s3:put_obj request that fails with 403 does contain header HTTP_EXPECT=100-continue
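
A triage heuristic for the log pattern above, added here as an example and not code from Ceph or s3-tests: it flags a "failed to read header: bad method" line logged on the same thread shortly after a request finished with an error status. The function name, the 50 ms window and the use of the thread id for correlation are assumptions; the sample log is constructed from the format quoted in this report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the rgw log lines quoted in this report.
SAMPLE_LOG = """\
2025-03-21T04:32:21.343+0000 45855640  2 req 12792652476892950764 0.025999457s s3:put_obj http status=403
2025-03-21T04:32:21.344+0000 45855640  1 failed to read header: bad method
2025-03-21T04:32:21.345+0000 844f3640  1 ====== req done http_status=400 ======
2025-03-21T04:32:25.100+0000 45855641  2 req 111 0.010000000s s3:put_obj http status=200
2025-03-21T04:32:25.101+0000 45855641  1 failed to read header: bad method
2025-03-21T04:32:30.000+0000 45855642  2 req 222 0.010000000s s3:put_obj http status=403
2025-03-21T04:32:39.000+0000 45855642  1 failed to read header: bad method
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<thread>[0-9a-f]+)\s+(?P<level>\d+) (?P<msg>.*)$")
STATUS = re.compile(r"req (?P<req>\d+) \S+ (?P<op>\S+) http status=(?P<status>\d+)")
BAD_METHOD = "failed to read header: bad method"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def find_bad_method_after_error(log_text, window=timedelta(milliseconds=50)):
    """Return error responses followed by a header parse failure on the same thread."""
    last_error = {}  # thread id -> (timestamp, req id, op, http status)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], TS_FMT)
        thread, msg = m["thread"], m["msg"]
        status = STATUS.search(msg)
        if status:
            if int(status["status"]) >= 400:
                last_error[thread] = (when, status["req"], status["op"], int(status["status"]))
            else:
                last_error.pop(thread, None)  # a successful request clears the candidate
        elif BAD_METHOD in msg:
            prev = last_error.pop(thread, None)
            if prev and when - prev[0] <= window:
                gap_ms = (when - prev[0]) // timedelta(milliseconds=1)
                hits.append({"req": prev[1], "op": prev[2], "status": prev[3], "gap_ms": gap_ms})
    return hits


if __name__ == "__main__":
    for hit in find_bad_method_after_error(SAMPLE_LOG):
        print(hit)
```

A thread can serve more than one connection, so a hit is a lead to confirm against the request headers (here, HTTP_EXPECT=100-continue), not proof of the cause.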

Actions #1

Updated by J. Eric Ivancich about 1 year ago

  • Assignee set to Casey Bodley
Actions #2

Updated by J. Eric Ivancich about 1 year ago

  • Backport set to reef squid tentacle
Actions #3

Updated by Casey Bodley 12 months ago

  • Status changed from New to Fix Under Review

prepared https://github.com/ceph/s3-tests/pull/654 to work around the 100-continue issue in this test case

Actions #4

Updated by Casey Bodley 11 months ago

  • Status changed from Fix Under Review to Resolved
  • Backport deleted (reef squid tentacle)