Bug #21832

boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers

Added by Casey Bodley about 1 year ago. Updated 10 months ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 10/18/2017
Due date:
% Done: 0%
Source:
Tags:
Backport: jewel
Regression: Yes
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

The following boto3 request fails against rgw with SignatureDoesNotMatch:

s3.put_object(Bucket='bucket',Key='myobject',Body=open('a.txt'),ServerSideEncryption='aws:kms',SSEKMSKeyId='testkey')

boto3 debug logs show it sorting the server side encryption headers as:

x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:testkey

while radosgw logs show the opposite sort:

x-amz-server-side-encryption-aws-kms-key-id:testkey
x-amz-server-side-encryption:aws:kms

Amazon docs for v2 and v4 auth both make it clear that the headers should be sorted by name before appending the : and header values:

This sorting behavior in radosgw was changed recently in https://github.com/ceph/ceph/pull/18046 for http://tracker.ceph.com/issues/21607, because of v4 signature failures observed against boto2 in s3tests. But boto2's behavior has been reported as a defect in https://github.com/boto/boto/pull/3032.
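
Added example (not part of the original report and not radosgw or boto3 code): a minimal Python sketch of the two header orderings shown in the logs above and their effect on the SigV4 canonical request hash. It assumes the reversed order comes from sorting the joined "name:value" strings rather than the names; the host, path and payload hash are constructed sample values.

```python
import hashlib

# Constructed sample headers; the two SSE values come from the report above,
# the host and content hash are placeholders.
HEADERS = {
    "Host": "rgw.example.com",
    "X-Amz-Content-SHA256": "UNSIGNED-PAYLOAD",
    "X-Amz-Server-Side-Encryption": "aws:kms",
    "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "testkey",
}

def normalize(headers):
    """Lowercase names, trim and collapse whitespace in values."""
    return {k.lower(): " ".join(v.split()) for k, v in headers.items()}

def canonical_by_name(headers):
    """Sort on the header name only, then append ':' and the value."""
    h = normalize(headers)
    return [f"{name}:{h[name]}" for name in sorted(h)]

def canonical_by_line(headers):
    """Assumed faulty variant: build 'name:value' first, then sort the strings.
    '-' (0x2d) sorts before ':' (0x3a), so a longer name that extends a
    shorter one with '-' jumps ahead of it."""
    h = normalize(headers)
    return sorted(f"{name}:{value}" for name, value in h.items())

def canonical_request_hash(header_lines, headers):
    """SHA-256 of a SigV4 canonical request built from the given header lines."""
    signed = ";".join(sorted(normalize(headers)))
    request = "\n".join([
        "PUT", "/bucket/myobject", "",        # method, URI, empty query string
        "\n".join(header_lines) + "\n",       # canonical headers block
        signed, "UNSIGNED-PAYLOAD",           # signed headers, payload hash
    ])
    return hashlib.sha256(request.encode()).hexdigest()

if __name__ == "__main__":
    for label, fn in (("by name", canonical_by_name), ("by line", canonical_by_line)):
        lines = fn(HEADERS)
        print(label, canonical_request_hash(lines, HEADERS))
        print("  " + "\n  ".join(lines))
```

The canonical request hash feeds the string to sign, so a client and server that disagree on this ordering compute different signatures for the same request.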


Related issues

Related to Ceph - Bug #21607: rgw: s3 v4 auth fails teuthology s3-tests: test_object_header_acl_grants test_bucket_header_acl_grants Pending Upstream 09/29/2017
Copied to rgw - Backport #22028: jewel: boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers Resolved

History

#2 Updated by Casey Bodley about 1 year ago

  • Related to Bug #21607: rgw: s3 v4 auth fails teuthology s3-tests: test_object_header_acl_grants test_bucket_header_acl_grants added

#3 Updated by Casey Bodley about 1 year ago

  • Status changed from New to Need Review

#4 Updated by Casey Bodley about 1 year ago

  • Project changed from Ceph to rgw

#5 Updated by Matt Benjamin about 1 year ago

  • Status changed from Need Review to Pending Backport

#6 Updated by Abhishek Lekshmanan about 1 year ago

  • Status changed from Pending Backport to Resolved

The other PR wasn't backported, so no need to backport the revert.

#7 Updated by Nathan Cutler about 1 year ago

  • Status changed from Resolved to Pending Backport
  • Backport set to jewel

https://github.com/ceph/ceph/pull/18080 was merged by mistake, so we'll need to backport the revert after all.

#8 Updated by Nathan Cutler about 1 year ago

  • Copied to Backport #22028: jewel: boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers added

#9 Updated by Nathan Cutler 10 months ago

  • Status changed from Pending Backport to Resolved
