Bug #62105: SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth
Status: open
Description
I'm not sure if this should be treated as a bug in the RGW auth code, or a bug in the RGW Admin Ops API spec, but attempting to perform certain actions fails with SignatureDoesNotMatch. This came to my attention when I upgraded the python rgwadmin package from 2.3.3 to latest. During that time, the library switched from using awsauth (which I think was doing v2) to requests-aws4auth which does v4:
Some endpoints in the RGW Admin Ops API use duplicate query params. For example, Create Subuser defines the endpoint as:
PUT /{admin}/user?subuser&format=json
But one of the required params is subuser, resulting in something like this:
PUT /{admin}/user?subuser&format=json&uid=bob&subuser=sub1
Which results in SignatureDoesNotMatch. If instead I make the request omitting the initial subuser param, then everything works fine (but this isn't the documented API spec):
PUT /{admin}/user?format=json&uid=bob&subuser=sub1
I haven't exhaustively looked through the entire API, but at a glance at least these actions are affected:
- create subuser
- modify subuser
- remove subuser
- remove object
My best guess is this is happening because we're using a map in the logic that parses and sorts the query params, thereby only preserving one of them (but I'm not that great at C++):
While I don't think there's a spec that forbids it, sending non-unique query params seems like a significant foot gun to me.
I tested this on 17.2.5-8-g7aafe175b8 but I believe it probably affects all versions.
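The following is an added illustration (not code from the Ceph tracker, RGW, or the rgwadmin package) of why a duplicate query key breaks a SigV4 signature when one side keeps every pair and the other side folds the parameters into a map. SigV4 builds the canonical query string from every parameter, sorted by key and then by value; a map-keyed builder drops the bare `subuser` pair. The secret, the minimal canonical request layout, and the function names are constructed for the example and are not RGW's own.

```python
import hashlib
import hmac
from urllib.parse import quote


def _parse_query(query: str) -> list[tuple[str, str]]:
    """Split a raw query string into (key, value) pairs, keeping duplicates.
    A bare key such as 'subuser' becomes ('subuser', '')."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _sep, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def _encode(s: str) -> str:
    # SigV4 percent-encodes everything except RFC 3986 unreserved characters.
    return quote(s, safe="-_.~")


def canonical_query_list(query: str) -> str:
    """Canonical query string as SigV4 specifies it: every pair is kept and
    the pairs are sorted by encoded key, then by encoded value."""
    pairs = sorted((_encode(k), _encode(v)) for k, v in _parse_query(query))
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonical_query_map(query: str) -> str:
    """Map-keyed variant: a later pair with the same key overwrites the
    earlier one, so 'subuser' (empty value) is silently lost."""
    params: dict[str, str] = {}
    for k, v in _parse_query(query):
        params[_encode(k)] = _encode(v)
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))


def sign(canonical_query: str, secret: bytes) -> str:
    """HMAC-SHA256 over a minimal canonical request. Real SigV4 also covers
    the headers, payload hash and a date-scoped derived key; only the query
    string differs between the two builders here, so that is all we model."""
    canonical_request = "PUT\n/admin/user\n" + canonical_query + "\n"
    return hmac.new(secret, canonical_request.encode(), hashlib.sha256).hexdigest()


def signatures_match(query: str, secret: bytes) -> bool:
    """True when a list-preserving client and a map-based verifier would
    compute the same signature for this query string."""
    return hmac.compare_digest(
        sign(canonical_query_list(query), secret),
        sign(canonical_query_map(query), secret),
    )


SECRET = b"constructed-example-secret"  # constructed for the example, not a real key

# Constructed request lines mirroring the two forms discussed above.
DOCUMENTED = "subuser&format=json&uid=bob&subuser=sub1"
DEDUPLICATED = "format=json&uid=bob&subuser=sub1"

if __name__ == "__main__":
    print("list:", canonical_query_list(DOCUMENTED))
    print("map: ", canonical_query_map(DOCUMENTED))
    print("documented form matches:", signatures_match(DOCUMENTED, SECRET))
    print("deduplicated form matches:", signatures_match(DEDUPLICATED, SECRET))
```

Running the block shows the two canonical strings differ only in the extra `subuser=` pair, which is enough to change the HMAC; the deduplicated query produces the same signature from both builders, matching the behaviour described in the report. The defensive takeaway for a verifier is to keep the full sorted list of pairs (or reject requests with duplicate keys explicitly) rather than collapsing them into a map, because the client signing library will not do the same.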
Updated by Joshua Haas 10 months ago
Forgot to explicitly mention the documented API spec (with the double query param) works fine when using v2 auth.
Updated by Casey Bodley 10 months ago
- Assignee set to Ali Maredia
- Tags set to adminapi subuser sigv4
- Backport set to pacific quincy reef
Updated by Casey Bodley 6 months ago
- Status changed from New to Pending Backport
Updated by Backport Bot 6 months ago
- Copied to Backport #63624: pacific: SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth added
Updated by Backport Bot 6 months ago
- Copied to Backport #63625: quincy: SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth added
Updated by Backport Bot 6 months ago
- Copied to Backport #63626: reef: SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth added
Updated by Backport Bot 6 months ago
- Tags changed from adminapi subuser sigv4 to adminapi subuser sigv4 backport_processed
Updated by Konstantin Shalygin 6 months ago
- Assignee deleted (Ali Maredia)
- Pull request ID set to 53504