Project

General

Profile

Feature #18800

rgw: support AWS4 authentication for S3 Post Object API

Added by Osamu KIMURA almost 2 years ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Target version:
-
Start date:
02/03/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

S3 Post Object API requires different form data for v4 authentication than v2.
http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html

Current code expects form data for v2 authentication:

int RGWPostObj_ObjStore_S3::get_policy()
{
  bufferlist encoded_policy;

  if (part_bl("policy", &encoded_policy)) {

    // check that the signature matches the encoded policy
    string s3_access_key;
    if (!part_str("AWSAccessKeyId", &s3_access_key)) {
      ldout(s->cct, 0) << "No S3 access key found!" << dendl;
      err_msg = "Missing access key";
      return -EINVAL;
    }
    string received_signature_str;
    if (!part_str("signature", &received_signature_str)) {
      ldout(s->cct, 0) << "No signature found!" << dendl;
      err_msg = "Missing signature";
      return -EINVAL;
    }
...
}

rgw-s3-aws4-form.py View (1.21 KB) Javier M. Mellid, 03/10/2017 01:13 PM

History

#1 Updated by Chang Liu over 1 year ago

hi, anyone working on this?

#2 Updated by Javier M. Mellid over 1 year ago

Yes, I am having a look in this bug.

#3 Updated by Javier M. Mellid over 1 year ago

  • Assignee set to Javier M. Mellid

#4 Updated by Javier M. Mellid over 1 year ago

PR available at:

https://github.com/ceph/ceph/pull/13916

To test the feature with some browser, boto3 and aws cli run the following commands:

1) Create a new bucket

$ aws s3 mb s3://test-1-2-1-bucket --region eu-central-1 --endpoint-url http://s3.eu-central-1.amazonaws.com:8000
make_bucket: test-1-2-1-bucket

2) Generate some test html code with the minimal and required data form fields to auth under aws4, proper policy encoding, etc.

$ ./rgw-s3-aws4-form.py
test-rgw-s3-aws4-form.html created.

3) Load test-rgw-s3-aws4-form.html in some browser and upload a test file. You should receive a 204 message.

4) Verify the object is in place and the content is good

$ md5sum test-1-2-1-key
aaf3b5e3b7505131a6baf9fb6ec1f9dc test-1-2-1-key

$ aws s3 cp s3://test-1-2-1-bucket/test-1-2-1-key --region eu-central-1 --endpoint-url http://s3.eu-central-1.amazonaws.com:8000 - | md5sum
aaf3b5e3b7505131a6baf9fb6ec1f9dc -

#5 Updated by Javier M. Mellid over 1 year ago

  • Status changed from New to Need Review

#6 Updated by Javier M. Mellid over 1 year ago

The new PR for this bug is:

https://github.com/ceph/ceph/pull/14432

This feature is being rebased on top of:

- the recently merged auth rework (https://github.com/ceph/ceph/pull/12893),
- the FormPost of Swift API which also significantly changes the RGWPostObj (https://github.com/ceph/ceph/pull/11179).

#7 Updated by Javier M. Mellid 10 months ago

  • Status changed from Need Review to Resolved

Also available in: Atom PDF