Feature #18800
closed
rgw: support AWS4 authentication for S3 Post Object API
Description
S3 Post Object API requires different form data for v4 authentication than v2.
http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html
Current code expects form data for v2 authentication:
int RGWPostObj_ObjStore_S3::get_policy()
{
  bufferlist encoded_policy;
  if (part_bl("policy", &encoded_policy)) {
    // check that the signature matches the encoded policy
    string s3_access_key;
    if (!part_str("AWSAccessKeyId", &s3_access_key)) {
      ldout(s->cct, 0) << "No S3 access key found!" << dendl;
      err_msg = "Missing access key";
      return -EINVAL;
    }
    string received_signature_str;
    if (!part_str("signature", &received_signature_str)) {
      ldout(s->cct, 0) << "No signature found!" << dendl;
      err_msg = "Missing signature";
      return -EINVAL;
    }
    ...
}
Updated by Javier M. Mellid about 7 years ago
Yes, I am having a look at this bug.
Updated by Javier M. Mellid about 7 years ago
- File rgw-s3-aws4-form.py added
PR available at:
https://github.com/ceph/ceph/pull/13916
To test the feature with some browser, boto3 and aws cli run the following commands:
1) Create a new bucket
$ aws s3 mb s3://test-1-2-1-bucket --region eu-central-1 --endpoint-url http://s3.eu-central-1.amazonaws.com:8000
make_bucket: test-1-2-1-bucket
2) Generate some test html code with the minimal and required data form fields to auth under aws4, proper policy encoding, etc.
$ ./rgw-s3-aws4-form.py
test-rgw-s3-aws4-form.html created.
3) Load test-rgw-s3-aws4-form.html in some browser and upload a test file. You should receive a 204 message.
4) Verify the object is in place and the content is good
$ md5sum test-1-2-1-key
aaf3b5e3b7505131a6baf9fb6ec1f9dc test-1-2-1-key
$ aws s3 cp s3://test-1-2-1-bucket/test-1-2-1-key --region eu-central-1 --endpoint-url http://s3.eu-central-1.amazonaws.com:8000 - | md5sum
aaf3b5e3b7505131a6baf9fb6ec1f9dc -
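Added example, not part of the original comment and not the contents of rgw-s3-aws4-form.py or of the rgw code: the AWS4 form fields that replace the v2 `AWSAccessKeyId`/`signature` pair, and the signature check a server performs on them. The credentials, the date and all function names are constructed for illustration; the bucket, key and region are the ones used in the steps above.

```python
import base64, hashlib, hmac, json

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret, date, region, service="s3"):
    # SigV4 key derivation: date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k

def build_v4_fields(access_key, secret, region, bucket, key, amz_date, expiration):
    credential = f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request"
    policy = {"expiration": expiration, "conditions": [
        {"bucket": bucket}, {"key": key},
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-credential": credential}, {"x-amz-date": amz_date}]}
    # The base64-encoded policy is the string to sign.
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    sig = _hmac(signing_key(secret, amz_date[:8], region), encoded).hex()
    return {"key": key, "policy": encoded,
            "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": credential, "x-amz-date": amz_date,
            "x-amz-signature": sig}

def auth_version(fields):
    # v2 forms carry AWSAccessKeyId + signature; v4 forms carry x-amz-* fields.
    if "x-amz-algorithm" in fields:
        return "v4"
    return "v2" if "AWSAccessKeyId" in fields else None

def verify_v4_fields(fields, lookup_secret):
    # Signature check only; a server must also enforce the policy's
    # expiration and conditions against the submitted form.
    try:
        access_key, date, region, service, term = fields["x-amz-credential"].split("/")
        policy, received = fields["policy"], fields["x-amz-signature"]
    except (KeyError, ValueError):
        return False
    secret = lookup_secret(access_key)
    if secret is None or term != "aws4_request" \
            or fields.get("x-amz-algorithm") != "AWS4-HMAC-SHA256":
        return False
    expected = _hmac(signing_key(secret, date, region, service), policy).hex()
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample values (not real credentials).
SECRETS = {"EXAMPLEACCESSKEY": "example-secret-key"}
SAMPLE = build_v4_fields("EXAMPLEACCESSKEY", SECRETS["EXAMPLEACCESSKEY"],
                         "eu-central-1", "test-1-2-1-bucket", "test-1-2-1-key",
                         "20170306T000000Z", "2017-03-07T00:00:00Z")
```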
Updated by Javier M. Mellid about 7 years ago
- Status changed from New to Fix Under Review
Updated by Javier M. Mellid about 7 years ago
The new PR for this bug is:
https://github.com/ceph/ceph/pull/14432
This feature is being rebased on top of:
- the recently merged auth rework (https://github.com/ceph/ceph/pull/12893),
- the FormPost of Swift API which also significantly changes the RGWPostObj (https://github.com/ceph/ceph/pull/11179).
Updated by Javier M. Mellid over 6 years ago
- Status changed from Fix Under Review to Resolved
Merged as a part of
https://github.com/ceph/ceph/pull/14885