Merge pull request #53680 from cbodley/wip-62989

author Casey Bodley <cbodley@users.noreply.github.com>

Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)

committer GitHub <noreply@github.com>

Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)
author Casey Bodley <cbodley@users.noreply.github.com>
Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)
committer GitHub <noreply@github.com>
Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)
diff --cc src/rgw/rgw_auth_keystone.cc

index 0e411f7ca4e506245e19ed9b16b82a9c2f20c279,1d810ca6856f0c911bd6b1ca5de2e093fce14265..c414e3627e419634828f07fa92a032f13f2ba90b
--- 1/src/rgw/rgw_auth_keystone.cc
--- 2/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@@ -679,9 -671,14 +679,15 @@@ rgw::auth::Engine::result_t EC2Engine::
     } accepted_roles(cct);
   
     auto [t, secret_key, failure_reason] =
- -    get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory);
+ +    get_access_token(dpp, access_key_id, string_to_sign,
+ +                     signature, signature_factory, y);
     if (! t) {
+     if (failure_reason == -ERR_SIGNATURE_NO_MATCH) {
+       // we looked up a secret but it didn't generate the same signature as
+       // the client. since we found this access key in keystone, we should
+       // reject the request instead of trying other engines
+       return result_t::reject(failure_reason);
+     }
       return result_t::deny(failure_reason);
     }
author	Casey Bodley <cbodley@users.noreply.github.com>
	Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)
committer	GitHub <noreply@github.com>
	Mon, 2 Oct 2023 14:35:47 +0000 (15:35 +0100)