From dc02c755b1ca2ba2d281052c77dd9e53d57f6cc3 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Tue, 26 Sep 2023 12:16:52 -0400
Subject: [PATCH] rgw/keystone: EC2Engine uses reject() for ERR_SIGNATURE_NO_MATCH

ERR_SIGNATURE_NO_MATCH means that we found the given access key in keystone, so we should use reject() instead of deny() to prevent other engines like LocalEngine from looking up the access key again

this change causes us to return the SignatureDoesNotMatch error expected by s3test case test_list_buckets_bad_auth()

Fixes: https://tracker.ceph.com/issues/62989

Signed-off-by: Casey Bodley
(cherry picked from commit 71b2070b744455ddd94d6a19dc3faf9c938c71ad)
---
 src/rgw/rgw_auth_keystone.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 10d8d8273886..ee16e38dda52 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -563,6 +563,12 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(
 std::tie(t, failure_reason) = \
 get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory);
 if (! t) {
+ if (failure_reason == -ERR_SIGNATURE_NO_MATCH) {
+ // we looked up a secret but it didn't generate the same signature as
+ // the client. since we found this access key in keystone, we should
+ // reject the request instead of trying other engines
+ return result_t::reject(failure_reason);
+ }
 return result_t::deny(failure_reason);
 }
--
2.47.3
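Review bot: The new `reject()` branch is only safe if `get_access_token()` returns `-ERR_SIGNATURE_NO_MATCH` exclusively after the access key was actually found in Keystone, and that function's body is outside this hunk. If any path there maps an unknown key or a generic Keystone authorization failure to the same code, this early return would stop LocalEngine from authenticating users whose keys exist only locally. It is worth confirming that mapping and adding a test for a local-only access key next to test_list_buckets_bad_auth(); the comment could also state the precondition, e.g. `// relies on get_access_token() returning ERR_SIGNATURE_NO_MATCH only for keys keystone knows`. The enclosing `EC2Engine::authenticate()` starts and ends outside the hunk.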