Ceph » rgw

I'm not sure if this should be treated as a bug in the RGW auth code, or a bug in the RGW Admin Ops API spec, but attempting to perform certain actions fails with SignatureDoesNotMatch. This came to my attention when I upgraded the python rgwadmin package from 2.3.3 to latest. During that time, the library switched from using awsauth (which I think was doing v2) to requests-aws4auth which does v4:

• https://github.com/UMIACS/rgwadmin/pull/59

Some endpoints in the RGW Admin Ops API use duplicate query params. For example, Create Subuser:

• https://docs.ceph.com/en/latest/radosgw/adminops/#create-subuser

Defines the endpoint as:

PUT /{admin}/user?subuser&format=json

But one of the required params is subuser, resulting in something like this:

PUT /{admin}/user?subuser&format=json&uid=bob&subuser=sub1

Which results in SignatureDoesNotMatch. If instead I make the request omitting the initial subuser param, then everything works fine (but this isn't the documented API spec):

PUT /{admin}/user?format=json&uid=bob&subuser=sub1

I haven't exhaustively looked through the entire API, but at a glance at least these actions are affected:

• create subuser
• modify subuser
• remove subuser
• remove object

My best guess is this is happening because we're using a map in the logic that parses and sorts the query params, thereby only preserving one of them (but I'm not that great at C++):

• https://github.com/ceph/ceph/blob/5a86a314f4d28fb27bf3b273212b04cd7ffb3bd8/src/rgw/rgw_auth_s3.cc#L577

While I don't think there's a spec that forbids it, sending non-unique query params seems like a significant foot gun to me.

I tested this on 17.2.5-8-g7aafe175b8 but I believe it probably affects all versions.