Feature #18800

rgw: support AWS4 authentication for S3 Post Object API

Added by Osamu KIMURA over 2 years ago. Updated over 1 year ago.

Target version:
Start date:
Due date:
% Done:


Affected Versions:
Pull request ID:


S3 Post Object API requires different form data for v4 authentication than v2.

Current code expects form data for v2 authentication:

int RGWPostObj_ObjStore_S3::get_policy()
  bufferlist encoded_policy;

  if (part_bl("policy", &encoded_policy)) {

    // check that the signature matches the encoded policy
    string s3_access_key;
    if (!part_str("AWSAccessKeyId", &s3_access_key)) {
      ldout(s->cct, 0) << "No S3 access key found!" << dendl;
      err_msg = "Missing access key";
      return -EINVAL;
    string received_signature_str;
    if (!part_str("signature", &received_signature_str)) {
      ldout(s->cct, 0) << "No signature found!" << dendl;
      err_msg = "Missing signature";
      return -EINVAL;
} View (1.21 KB) Javier M. Mellid, 03/10/2017 01:13 PM


#1 Updated by Chang Liu over 2 years ago

hi, anyone working on this?

#2 Updated by Javier M. Mellid over 2 years ago

Yes, I am having a look in this bug.

#3 Updated by Javier M. Mellid over 2 years ago

  • Assignee set to Javier M. Mellid

#4 Updated by Javier M. Mellid over 2 years ago

PR available at:

To test the feature with some browser, boto3 and aws cli run the following commands:

1) Create a new bucket

$ aws s3 mb s3://test-1-2-1-bucket --region eu-central-1 --endpoint-url
make_bucket: test-1-2-1-bucket

2) Generate some test html code with the minimal and required data form fields to auth under aws4, proper policy encoding, etc.

$ ./
test-rgw-s3-aws4-form.html created.

3) Load test-rgw-s3-aws4-form.html in some browser and upload a test file. You should receive a 204 message.

4) Verify the object is in place and the content is good

$ md5sum test-1-2-1-key
aaf3b5e3b7505131a6baf9fb6ec1f9dc test-1-2-1-key

$ aws s3 cp s3://test-1-2-1-bucket/test-1-2-1-key --region eu-central-1 --endpoint-url - | md5sum
aaf3b5e3b7505131a6baf9fb6ec1f9dc -

#5 Updated by Javier M. Mellid over 2 years ago

  • Status changed from New to Need Review

#6 Updated by Javier M. Mellid about 2 years ago

The new PR for this bug is:

This feature is being rebased on top of:

- the recently merged auth rework (,
- the FormPost of Swift API which also significantly changes the RGWPostObj (

#7 Updated by Javier M. Mellid over 1 year ago

  • Status changed from Need Review to Resolved

Also available in: Atom PDF