rgw/keystone: use secret key from EC2 for sigv4 streaming mode #50550

Merged
merged 1 commit into from Apr 6, 2023

@cbodley (Contributor) commented Mar 15, 2023

when the EC2Engine has a secret key from keystone, pass it to the Completer so it's available to AWSv4ComplMulti for STREAMING-AWS4-HMAC-SHA256-PAYLOAD support

Fixes: https://tracker.ceph.com/issues/58908


when the EC2Engine has a secret key from keystone, pass it to the
Completer so it's available to AWSv4ComplMulti for
STREAMING-AWS4-HMAC-SHA256-PAYLOAD support

Fixes: https://tracker.ceph.com/issues/58908

Signed-off-by: Casey Bodley <cbodley@redhat.com>
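
Why the streaming mode named above needs the secret key on the verifying side, as an added example (not code from this PR or from Ceph): in STREAMING-AWS4-HMAC-SHA256-PAYLOAD every body chunk carries a signature chained to the previous one and keyed by a signing key derived from the secret key. The function names are this example's own, and the secret, date, region, timestamp and seed signature a caller passes in are sample inputs.

```python
# Added example; function names are this example's own, not Ceph code.
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key; this step is impossible without the secret key."""
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k

def chunk_signature(key: bytes, timestamp: str, scope: str, prev_sig: str, data: bytes) -> str:
    """Signature of one chunk, chained to the previous chunk's signature."""
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256-PAYLOAD", timestamp, scope, prev_sig,
        EMPTY_SHA256, hashlib.sha256(data).hexdigest()])
    return _hmac(key, string_to_sign).hex()

def encode_body(key, timestamp, scope, seed_sig, chunks) -> bytes:
    """Client side: frame chunks as '<hex size>;chunk-signature=<sig>\\r\\n<data>\\r\\n'."""
    out, prev = b"", seed_sig   # seed_sig is the signature from the Authorization header
    for data in list(chunks) + [b""]:   # a zero-length chunk terminates the body
        prev = chunk_signature(key, timestamp, scope, prev, data)
        out += f"{len(data):x};chunk-signature={prev}\r\n".encode() + data + b"\r\n"
    return out

def verify_body(key, timestamp, scope, seed_sig, body: bytes) -> bytes:
    """Server side: recompute every chunk signature; raise ValueError on any mismatch."""
    payload, prev, pos = b"", seed_sig, 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_hex, _, claimed = body[pos:eol].decode().partition(";chunk-signature=")
        size = int(size_hex, 16)
        data = body[eol + 2:eol + 2 + size]
        if len(data) != size or body[eol + 2 + size:eol + 4 + size] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        prev = chunk_signature(key, timestamp, scope, prev, data)
        if not hmac.compare_digest(prev.encode(), claimed.encode()):
            raise ValueError("chunk signature mismatch")
        if size == 0:
            return payload
        payload += data
        pos = eol + 4 + size
```

A verifier holding a key derived from a different secret rejects the first chunk, and a modified chunk breaks the chain from that chunk onward.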
@cbodley cbodley requested a review from a team as a code owner March 15, 2023 20:54
@github-actions github-actions bot added the rgw label Mar 15, 2023
@cbodley (Contributor, Author) commented Mar 15, 2023

cc @jamesba @jrosser since this relates to #26095

@cbodley (Contributor, Author) commented Mar 23, 2023

this was tested and verified by the reporter in https://tracker.ceph.com/issues/58908#note-10

@mdw-at-linuxbox (Contributor) left a comment

2 thoughts:
/1/ this definitely needs a teuthology test (and not just tempest)
/2/ needs documentation -- on the ec2 key sharing at least

@cbodley (Contributor, Author) commented Mar 23, 2023

thanks @mdw-at-linuxbox

> 2 thoughts:
> /1/ this definitely needs a teuthology test (and not just tempest)

how easy would it be to run s3tests with this keystone/ec2 stuff enabled? would we expect everything to pass?

if you can offer some guidance on setup, i'd be willing to work on that. i just hope that isn't a blocker for getting this bug fix merged

> /2/ needs documentation -- on the ec2 key sharing at least

documentation about the keystone caching feature itself? or is there something specific about this bug fix?

@cbodley (Contributor, Author) commented Mar 23, 2023

@mdw-at-linuxbox a reminder that you had some followup work in #27170 that never merged. however, i'm not sure i understand your concern about the rgw side of this:

> Sites that are particularly security conscious may require this mode of operation.

rgw is just reading this information from a keystone API, right? if an admin really wanted to avoid exposing these secrets, could they not disable that API in keystone instead?

@mdw-at-linuxbox (Contributor) commented

For the teuthology end - I think a more targeted test of just this feature would be more useful. Setting up keystone/ec2 should be easy - the tempest test already does that, as well as barbican - so that should be pretty much plug & play. Setting up ec2 requires issuing some rest calls -- the api is simple enough it can be done with shell scripting + curl, but in this case you'd probably either want pure python code doing it, or you could just use the openstack python api.

@ivancich (Member) commented

jenkins test make check
