Bug #18829
closedRGW S3 v4 authentication issue with X-Amz-Expires
0%
Description
I use ceph-radosgw-10.2.5-0.el7.x86_64 on CentOS 7.3. I has recived RequestTimeTooSkewed affter 15 minutes since i created presigned_url to ceph radosgw and X-Amz-Expires doesn't work. I saw in src/rgw/rgw_rest_s3.cc:
s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
if (s->aws4_auth->expires.size() != 0) {
/* X-Amz-Expires provides the time period, in seconds, for which
the generated presigned URL is valid. The minimum value
you can set is 1, and the maximum is 604800 (seven days) /
time_t exp = atoll(s->aws4_auth->expires.c_str());
if ((exp < 1) || (exp > 604800)) {
dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
return -EPERM;
}
/ handle expiration in epoch time */
now_req = (uint64_t)timegm(&date_t);
if (now >= now_req + exp) {
dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
return -EPERM;
}
}
if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
(now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
dout(10) << "NOTICE: request time skew too big." << dendl;
dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
return -ERR_REQUEST_TIME_SKEWED;
}
Updated by Nhật Khang Nguyễn about 7 years ago
s->aws4_auth->expires = s->info.args.get("X-Amz-Expires"); if (s->aws4_auth->expires.size() != 0) { /* X-Amz-Expires provides the time period, in seconds, for which the generated presigned URL is valid. The minimum value you can set is 1, and the maximum is 604800 (seven days) / time_t exp = atoll(s->aws4_auth->expires.c_str()); if ((exp < 1) || (exp > 604800)) { dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl; return -EPERM; } / handle expiration in epoch time */ now_req = (uint64_t)timegm(&date_t); if (now >= now_req + exp) { dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl; return -EPERM; } } if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) || (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) { dout(10) << "NOTICE: request time skew too big." << dendl; dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl; return -ERR_REQUEST_TIME_SKEWED; }
Updated by Chang Liu about 7 years ago
I have verified this bug. it's exists.
I have patch a PR for this: https://github.com/ceph/ceph/pull/13354
Updated by Nathan Cutler about 7 years ago
- Status changed from New to Fix Under Review
Updated by Yehuda Sadeh about 7 years ago
- Status changed from Fix Under Review to 7
Updated by Yehuda Sadeh about 7 years ago
- Status changed from 7 to Pending Backport
Updated by Nathan Cutler about 7 years ago
- Copied to Backport #19476: jewel: RGW S3 v4 authentication issue with X-Amz-Expires added
Updated by Nathan Cutler about 7 years ago
- Copied to Backport #19477: kraken: rgw: S3 v4 authentication issue with X-Amz-Expires added
Updated by Nathan Cutler almost 7 years ago
- Status changed from Pending Backport to Resolved