Project

General

Profile

Bug #18828

RGW S3 v4 authentication issue with X-Amz-Expires

Added by Nhật Khang Nguyễn 8 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
02/06/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
jewel, kraken
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
rgw
Release:
jewel
Needs Doc:
No

Description

I use ceph-radosgw-10.2.5-0.el7.x86_64 on CentOS 7.3. I has recived RequestTimeTooSkewed affter 15 minutes since i created presigned_url to ceph radosgw and X-Amz-Expires doesn't work. I saw in src/rgw/rgw_rest_s3.cc:
s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
if (s->aws4_auth->expires.size() != 0) {
/* X-Amz-Expires provides the time period, in seconds, for which
the generated presigned URL is valid. The minimum value
you can set is 1, and the maximum is 604800 (seven days) /
time_t exp = atoll(s->aws4_auth->expires.c_str());
if ((exp < 1) || (exp > 604800)) {
dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
return -EPERM;
}
/
handle expiration in epoch time */
now_req = (uint64_t)timegm(&date_t);
if (now >= now_req + exp) {
dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
return -EPERM;
}
}

if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
(now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
dout(10) << "NOTICE: request time skew too big." << dendl;
dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
return -ERR_REQUEST_TIME_SKEWED;
}

Related issues

Copied to rgw - Backport #19724: jewel: RGW S3 v4 authentication issue with X-Amz-Expires Resolved
Copied to rgw - Backport #19725: kraken: RGW S3 v4 authentication issue with X-Amz-Expires Resolved

History

#1 Updated by Chang Liu 8 months ago

Hi, what's your X-Amz-Expires?

#2 Updated by Chang Liu 8 months ago

I'm testing it and try to fix it. assign this issue to me, please

#4 Updated by Nhật Khang Nguyễn 7 months ago

Hi Chang Liu,
Thank you fixed this error. You can tell me RGW_AUTH_GRACE_MINS use what purposes? Thank

#5 Updated by Chang Liu 6 months ago

RGW_AUTH_GRACE_MINS use for request safety. HMAC is not very complicated hash method, people could brute force signature within a long time. So AWS limits signature validity.

#6 Updated by Josh Durgin 5 months ago

  • Project changed from Ceph to rgw

#7 Updated by Yehuda Sadeh 5 months ago

  • Status changed from New to Pending Backport
  • Backport set to jewel, kraken

#8 Updated by Nathan Cutler 5 months ago

  • Copied to Backport #19724: jewel: RGW S3 v4 authentication issue with X-Amz-Expires added

#9 Updated by Nathan Cutler 5 months ago

  • Copied to Backport #19725: kraken: RGW S3 v4 authentication issue with X-Amz-Expires added

#10 Updated by Nathan Cutler 2 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF