rgw/keystone: use secret key from EC2 for sigv4 streaming mode #50550
when the EC2Engine has a secret key from keystone, pass it to the Completer so it's available to AWSv4ComplMulti for STREAMING-AWS4-HMAC-SHA256-PAYLOAD support

Fixes: https://tracker.ceph.com/issues/58908

Signed-off-by: Casey Bodley <cbodley@redhat.com>
this was tested and verified by the reporter in https://tracker.ceph.com/issues/58908#note-10
2 thoughts:
/1/ this definitely needs a teuthology test (and not just tempest)
/2/ needs documentation -- on the ec2 key sharing at least
thanks @mdw-at-linuxbox
how easy would it be to run s3tests with this keystone/ec2 stuff enabled? would we expect everything to pass? if you can offer some guidance on setup, i'd be willing to work on that. i just hope that isn't a blocker for getting this bug fix merged
documentation about the keystone caching feature itself? or is there something specific about this bug fix?
@mdw-at-linuxbox a reminder that you had some followup work in #27170 that never merged. however, i'm not sure i understand your concern about the rgw side of this:
rgw is just reading this information from a keystone API, right? if an admin really wanted to avoid exposing these secrets, could they not disable that API in keystone instead?
For the teuthology end - I think a more targeted test of just this feature would be more useful. Setting up keystone/ec2 should be easy - the tempest test already does that, as well as barbican - so that should be pretty much plug & play. Setting up ec2 requires issuing some rest calls -- the api is simple enough it can be done with shell scripting + curl, but in this case you'd probably either want pure python code doing it, or you could just use the openstack python api.
jenkins test make check
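
For context on why STREAMING-AWS4-HMAC-SHA256-PAYLOAD needs the secret key on the receiving side: in the AWS SigV4 chunked-upload scheme every chunk carries its own signature, chained from the request's seed signature under a key derived from the secret. The Python below is an added example, not code from this PR or from Ceph; the function names, secret, region and seed signature are constructed for illustration.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Constructed sample values, not taken from the PR or the tracker issue.
SECRET, REGION, TIMESTAMP = "constructed-ec2-secret", "us-east-1", "20230301T000000Z"
SEED_SIG = "0" * 64  # stands in for the signature from the Authorization header


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation; cannot be computed without the secret key."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def chunk_signature(key: bytes, timestamp: str, scope: str, prev_sig: str, data: bytes) -> str:
    """Signature of one aws-chunked chunk, chained to the previous signature."""
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256-PAYLOAD", timestamp, scope, prev_sig,
        EMPTY_SHA256, hashlib.sha256(data).hexdigest()])
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign_chunks(key, timestamp, scope, seed_sig, chunks):
    """Client side: [(data, signature), ...] ending with the empty final chunk."""
    out, prev = [], seed_sig
    for data in list(chunks) + [b""]:
        prev = chunk_signature(key, timestamp, scope, prev, data)
        out.append((data, prev))
    return out


def verify_chunks(secret, timestamp, region, seed_sig, signed_chunks):
    """Server side: recompute the chain from the secret; False on any mismatch."""
    date = timestamp[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    key, prev = signing_key(secret, date, region), seed_sig
    for data, sig in signed_chunks:
        expected = chunk_signature(key, timestamp, scope, prev, data)
        if not hmac.compare_digest(expected, sig):
            return False
        prev = expected
    # The stream must terminate with a signed zero-length chunk.
    return bool(signed_chunks) and signed_chunks[-1][0] == b""
```

Because each chunk signature feeds the next, a verifier that holds only the seed signature and not the secret cannot check any chunk.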