Bug #64308
CORS Preflight Failure After Upgrading to 17.2.7
Status: Pending Backport
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source: Community (user)
Tags: sigv4 presigned backport_processed
Backport: pacific quincy reef
Regression: Yes
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
After upgrading to 17.2.7 we have some users complaining that they can no longer do PUTs with presigned URLs. They are receiving messages like "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
I think it is caused by the change in https://tracker.ceph.com/issues/62033 which is only in 17.2.7 and 18.2.1. 16.2.15 will have it when released.
I was able to reproduce an error in an OPTIONS call to RGW using the attached script.
Create bucket. Apply CORS rules. Set AWS credentials. Run attached script.
In 17.2.7 most of the tests result in 403.
Region us-east-1
  Without ACL
  https://endpoint/bucket/foo.png?AWSAccessKeyId=UFK4WVCRL8XHSMQERIGJ&Signature=tvGiXAca%2B6m8y5YDbDSPY1akqlI%3D&Expires=1706902836
  403
  With ACL
  https://endpoint/bucket/foo.png?AWSAccessKeyId=UFK4WVCRL8XHSMQERIGJ&Signature=3pYkXrAajuOFYbTqhq3TY7YcioE%3D&x-amz-acl=private&Expires=1706902837
  403
Region us-east-2
  Without ACL
  https://endpoint/bucket/foo.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UFK4WVCRL8XHSMQERIGJ%2F20240202%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20240202T193037Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=a1e723930c116fc45244adf9f2e629b2c5b989480a37eb31b0be38c980dbfc1e
  200
  With ACL
  https://endpoint/bucket/foo.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UFK4WVCRL8XHSMQERIGJ%2F20240202%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20240202T193037Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host%3Bx-amz-acl&X-Amz-Signature=cd514a13b7e0327679ec0d3a53e122f8125f3b8c6a35b3851c40b4f0b65058e5
  403
In 17.2.5 all of the tests result in 200.
Region us-east-1
  Without ACL
  https://endpoint/bucket/foo.png?AWSAccessKeyId=F5S36GRYN612SREULGN1&Signature=JsLqb4yl%2F3KC8%2B7gcaQ%2BXclHwOA%3D&Expires=1706904230
  200
  With ACL
  https://endpoint/bucket/foo.png?AWSAccessKeyId=F5S36GRYN612SREULGN1&Signature=cGAbmXGV0Y29%2BfhLzy4qJdl98XY%3D&x-amz-acl=private&Expires=1706904230
  200
Region us-east-2
  Without ACL
  https://endpoint/bucket/foo.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=F5S36GRYN612SREULGN1%2F20240202%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20240202T195351Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=4376b79a1fabb7747c1022208967c18907240e9d162f2a173508d7152e3effa0
  200
  With ACL
  https://endpoint/bucket/foo.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=F5S36GRYN612SREULGN1%2F20240202%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20240202T195352Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host%3Bx-amz-acl&X-Amz-Signature=3aba88be6ceb30d4de3ebaf97529185105156ae005af53aac1e9b377fa6d68ed
  200
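
Added example (not part of the original report and not the attached script): a small triage helper that classifies presigned URLs like those above by query-signing scheme, derives the preflight headers a browser would send before the PUT, and lists which variants failed. The function names, the EXAMPLEKEY access key, the placeholder signatures and the https://app.example origin are assumptions constructed for illustration; the statuses mirror the 17.2.7 run.

```python
from urllib.parse import urlsplit, parse_qs

def classify_presigned(url):
    """Identify the query-string signing scheme of a presigned S3 URL."""
    q = parse_qs(urlsplit(url).query)
    if "X-Amz-Algorithm" in q:
        # Credential scope: <access key>/<date>/<region>/<service>/aws4_request
        scope = q["X-Amz-Credential"][0].split("/")
        signed = q["X-Amz-SignedHeaders"][0].split(";")
        return {"scheme": "sigv4", "region": scope[2],
                "extra": sorted(h for h in signed if h != "host")}
    if "AWSAccessKeyId" in q and "Signature" in q:
        # SigV2 query auth: x-amz-* values travel as query parameters.
        return {"scheme": "sigv2", "region": None,
                "extra": sorted(k for k in q if k.lower().startswith("x-amz-"))}
    return {"scheme": "unsigned", "region": None, "extra": []}

def preflight_headers(url, origin, method="PUT"):
    """Headers of the OPTIONS preflight a browser sends before `method`."""
    info = classify_presigned(url)
    headers = {"Origin": origin, "Access-Control-Request-Method": method}
    if info["scheme"] == "sigv4" and info["extra"]:
        # Signed non-host headers must be sent on the real request, so the
        # browser announces them in the preflight.
        headers["Access-Control-Request-Headers"] = ",".join(info["extra"])
    return headers

def failing_variants(results):
    """From (url, status) pairs, return variants whose preflight was not 200."""
    bad = set()
    for url, status in results:
        info = classify_presigned(url)
        if status != 200:
            bad.add((info["scheme"], tuple(info["extra"])))
    return sorted(bad)

# Constructed sample: placeholder key and signatures, statuses as in the 17.2.7 run.
BASE = "https://endpoint/bucket/foo.png?"
V4 = ("X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=EXAMPLEKEY%2F20240202"
      "%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20240202T193037Z"
      "&X-Amz-Expires=600&X-Amz-Signature=00&X-Amz-SignedHeaders=")
SAMPLE = [
    (BASE + "AWSAccessKeyId=EXAMPLEKEY&Signature=AA%3D&Expires=1706902836", 403),
    (BASE + "AWSAccessKeyId=EXAMPLEKEY&Signature=AA%3D&x-amz-acl=private&Expires=1706902837", 403),
    (BASE + V4 + "host", 200),
    (BASE + V4 + "host%3Bx-amz-acl", 403),
]

if __name__ == "__main__":
    print(failing_variants(SAMPLE))
```

Feeding the helper the (URL, status) pairs from a 17.2.5 run returns an empty list, which makes the regression visible as a diff between the two versions.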