Project

General

Profile

Bug #6760

rgw incompatible with gsutil, authorization signature wrongly computed

Added by Valery Tschopp over 10 years ago. Updated about 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The Google Cloud Storage tool 'gsutil' sends the 'x-goog-api-version: 2' header to RadosGW. For an unknown reason, rgw read it as 'x-amz-api-version:2' and include it to the authorization signature digest. Therefore the authorization signature can not match, and authorization fails.

gsutil log:
----------
Headers: {'x-goog-api-version': '2'}
Host: valery_test.radosgw.bcc.switch.ch
Port: 443
Params: {}
establishing HTTPS connection: host=valery_test.radosgw.bcc.switch.ch, kwargs={'port': 443, 'timeout': 70}
Token: None
StringToSign:
GET

Wed, 13 Nov 2013 11:16:25 GMT
/valery_test/
Signature:
AWS ************************:NTADby7V/jZvQgg+Dt7MJiHXZbI=
wrapping ssl socket; CA certificate file=/var/folders/cz/glp4_qt57sdg0chm4n57mmt00000xz/T/gsutil-cacertsWWLfXa.txt
validating server certificate: hostname=valery_test.radosgw.bcc.switch.ch, certificate hosts=['*.radosgw.bcc.switch.ch', 'hxs.bcc.switch.ch', 'radosgw.bcc.switch.ch']
send: 'GET /?delimiter=/ HTTP/1.1\r\nHost: valery_test.radosgw.bcc.switch.ch\r\nAccept-Encoding: identity\r\nDate: Wed, 13 Nov 2013 11:16:25 GMT\r\nContent-Length: 0\r\nx-goog-api-version: 2\r\nAuthorization: AWS ********************:NTADby7V/jZvQgg+Dt7MJiHXZbI=\r\nUser-Agent: Boto/2.16.0 Python/2.7.5 Darwin/13.0.2\r\n\r\n'
reply: 'HTTP/1.1 403 \r\n'

rgw log:
-------
2013-11-13 12:16:17.016371 7f5d277ce700 10 get_canon_resource(): dest=
2013-11-13 12:16:17.016377 7f5d277ce700 10 auth_hdr:
GET

Wed, 13 Nov 2013 11:16:25 GMT
x-amz-api-version:2
/valery_test/
2013-11-13 12:16:17.016516 7f5d277ce700 15 calculated digest=1hthgRaH5FyLbBpsUAZQFKN0RSU=
2013-11-13 12:16:17.016521 7f5d277ce700 15 auth_sign=NTADby7V/jZvQgg+Dt7MJiHXZbI=
2013-11-13 12:16:17.016522 7f5d277ce700 15 compare=29
2013-11-13 12:16:17.016528 7f5d277ce700 10 failed to authorize request
2013-11-13 12:16:17.016615 7f5d277ce700 2 req 4:0.000707:s3:GET /:list_bucket:http status=403
2013-11-13 12:16:17.016790 7f5d277ce700 1 ====== req done req=0x12388b0 http_status=403 ======

History

#1 Updated by Valery Tschopp over 10 years ago

There is a related issue here: https://github.com/ceph/ceph/pull/498

#2 Updated by Casey Bodley about 4 years ago

Does this header still break s3 signature calculation?

Also available in: Atom PDF