Project

General

Profile

Bug #18829

RGW S3 v4 authentication issue with X-Amz-Expires

Added by Nhật Khang Nguyễn 8 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
High
Assignee:
-
Target version:
-
Start date:
02/06/2017
Due date:
% Done:

0%

Source:
Tags:
Backport:
jewel, kraken
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
rgw
Release:
jewel
Needs Doc:
No

Description

I use ceph-radosgw-10.2.5-0.el7.x86_64 on CentOS 7.3. I has recived RequestTimeTooSkewed affter 15 minutes since i created presigned_url to ceph radosgw and X-Amz-Expires doesn't work. I saw in src/rgw/rgw_rest_s3.cc:
s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
if (s->aws4_auth->expires.size() != 0) {
/* X-Amz-Expires provides the time period, in seconds, for which
the generated presigned URL is valid. The minimum value
you can set is 1, and the maximum is 604800 (seven days) /
time_t exp = atoll(s->aws4_auth->expires.c_str());
if ((exp < 1) || (exp > 604800)) {
dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
return -EPERM;
}
/
handle expiration in epoch time */
now_req = (uint64_t)timegm(&date_t);
if (now >= now_req + exp) {
dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
return -EPERM;
}
}

if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
(now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
dout(10) << "NOTICE: request time skew too big." << dendl;
dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
return -ERR_REQUEST_TIME_SKEWED;
}

Related issues

Copied to rgw - Backport #19476: jewel: RGW S3 v4 authentication issue with X-Amz-Expires Resolved
Copied to rgw - Backport #19477: kraken: rgw: S3 v4 authentication issue with X-Amz-Expires Resolved

History

#1 Updated by Nhật Khang Nguyễn 8 months ago

s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
if (s->aws4_auth->expires.size() != 0) {
/* X-Amz-Expires provides the time period, in seconds, for which
the generated presigned URL is valid. The minimum value
you can set is 1, and the maximum is 604800 (seven days) /
time_t exp = atoll(s->aws4_auth->expires.c_str());
if ((exp < 1) || (exp > 604800)) {
dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
return -EPERM;
}
/ handle expiration in epoch time */
now_req = (uint64_t)timegm(&date_t);
if (now >= now_req + exp) {
dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
return -EPERM;
}
}

if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
         (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
      dout(10) << "NOTICE: request time skew too big." << dendl;
      dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
      return -ERR_REQUEST_TIME_SKEWED;
    }

#2 Updated by Orit Wasserman 8 months ago

  • Project changed from Ceph to rgw

#3 Updated by Yehuda Sadeh 7 months ago

  • Priority changed from Normal to High

#4 Updated by Yehuda Sadeh 7 months ago

  • Backport set to jewel, kraken

#5 Updated by Chang Liu 7 months ago

I have verified this bug. it's exists.

I have patch a PR for this: https://github.com/ceph/ceph/pull/13354

#6 Updated by Nathan Cutler 7 months ago

  • Status changed from New to Need Review

#7 Updated by Yehuda Sadeh 7 months ago

  • Status changed from Need Review to Testing

#8 Updated by Yehuda Sadeh 6 months ago

  • Status changed from Testing to Pending Backport

#9 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #19476: jewel: RGW S3 v4 authentication issue with X-Amz-Expires added

#10 Updated by Nathan Cutler 6 months ago

  • Copied to Backport #19477: kraken: rgw: S3 v4 authentication issue with X-Amz-Expires added

#11 Updated by Nathan Cutler 3 months ago

  • Status changed from Pending Backport to Resolved

Also available in: Atom PDF