Bug #18828

closed

RGW S3 v4 authentication issue with X-Amz-Expires

Added by Nhật Khang Nguyễn about 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport: jewel, kraken
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

I use ceph-radosgw-10.2.5-0.el7.x86_64 on CentOS 7.3. I received RequestTimeTooSkewed 15 minutes after I created a presigned_url to ceph radosgw, and X-Amz-Expires doesn't work. I saw in src/rgw/rgw_rest_s3.cc:
    s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
    if (s->aws4_auth->expires.size() != 0) {
      /* X-Amz-Expires provides the time period, in seconds, for which
         the generated presigned URL is valid. The minimum value
         you can set is 1, and the maximum is 604800 (seven days) */
      time_t exp = atoll(s->aws4_auth->expires.c_str());
      if ((exp < 1) || (exp > 604800)) {
        dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
        return -EPERM;
      }
      /* handle expiration in epoch time */
      now_req = (uint64_t)timegm(&date_t);
      if (now >= now_req + exp) {
        dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
        return -EPERM;
      }
    }

    if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
         (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
      dout(10) << "NOTICE: request time skew too big." << dendl;
      dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
      return -ERR_REQUEST_TIME_SKEWED;
    }
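
The interaction described in this report, as an added example (not Ceph's code and not the fix that was merged): a constructed model of the two time checks in the excerpt, beside a variant that applies the grace window only to requests without X-Amz-Expires. The function names, the AuthResult enum and the 15-minute grace value (taken from the reporter's observation) are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Constructed model of the checks in the excerpt; all names here are hypothetical.
enum class AuthResult { Ok, Eperm, RequestTimeSkewed };
constexpr int64_t kGraceSecs = 15 * 60;  // assumed from the 15 minutes in the report
constexpr int64_t kMaxExpires = 604800;  // seven days, from the quoted comment

// Same parsing and range check as the excerpt: atoll(), then 1..604800. -1 = invalid.
static int64_t parse_expires(const std::string& v) {
  long long n = std::atoll(v.c_str());
  return (n < 1 || n > kMaxExpires) ? -1 : n;
}

static bool outside_grace(int64_t now, int64_t now_req) {
  return now_req < now - kGraceSecs || now_req > now + kGraceSecs;
}

// As quoted: the expiry check is followed by an unconditional skew check, so a
// presigned URL older than the grace window is rejected whatever X-Amz-Expires says.
AuthResult check_as_reported(int64_t now, int64_t now_req, const std::string& expires) {
  if (!expires.empty()) {
    int64_t exp = parse_expires(expires);
    if (exp < 0 || now >= now_req + exp) return AuthResult::Eperm;
  }
  return outside_grace(now, now_req) ? AuthResult::RequestTimeSkewed : AuthResult::Ok;
}

// Variant: a presigned request is bounded by its own expiry window; the grace
// window applies only to requests without X-Amz-Expires. Rejecting future-dated
// presigned requests is this example's own choice.
AuthResult check_separated(int64_t now, int64_t now_req, const std::string& expires) {
  if (expires.empty())
    return outside_grace(now, now_req) ? AuthResult::RequestTimeSkewed : AuthResult::Ok;
  int64_t exp = parse_expires(expires);
  if (exp < 0) return AuthResult::Eperm;
  if (now_req > now + kGraceSecs) return AuthResult::RequestTimeSkewed;
  return now >= now_req + exp ? AuthResult::Eperm : AuthResult::Ok;
}

int main() {
  const int64_t signed_at = 1000000;      // constructed epoch value
  const int64_t now = signed_at + 16 * 60; // 16 minutes after signing, expires = 1 hour
  std::printf("as reported: %d, separated: %d\n",
              static_cast<int>(check_as_reported(now, signed_at, "3600")),
              static_cast<int>(check_separated(now, signed_at, "3600")));
  return 0;
}
```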

Related issues 2 (0 open, 2 closed)

Copied to rgw - Backport #19724: jewel: RGW S3 v4 authentication issue with X-Amz-Expires (Resolved, Alexey Sheplyakov)
Copied to rgw - Backport #19725: kraken: RGW S3 v4 authentication issue with X-Amz-Expires (Resolved, Nathan Cutler)
Actions #1

Updated by Chang Liu about 7 years ago

Hi, what's your X-Amz-Expires?

Actions #2

Updated by Chang Liu about 7 years ago

I'm testing it and trying to fix it. Assign this issue to me, please.

Actions #4

Updated by Nhật Khang Nguyễn about 7 years ago

Hi Chang Liu,
Thank you for fixing this error. Can you tell me what purpose RGW_AUTH_GRACE_MINS is used for? Thanks.
Actions #5

Updated by Chang Liu about 7 years ago

RGW_AUTH_GRACE_MINS is used for request safety. HMAC is not a very complicated hash method; people could brute-force the signature over a long time. So AWS limits signature validity.

Actions #6

Updated by Josh Durgin about 7 years ago

  • Project changed from Ceph to rgw
Actions #7

Updated by Yehuda Sadeh about 7 years ago

  • Status changed from New to Pending Backport
  • Backport set to jewel, kraken
Actions #8

Updated by Nathan Cutler about 7 years ago

  • Copied to Backport #19724: jewel: RGW S3 v4 authentication issue with X-Amz-Expires added
Actions #9

Updated by Nathan Cutler about 7 years ago

  • Copied to Backport #19725: kraken: RGW S3 v4 authentication issue with X-Amz-Expires added
Actions #10

Updated by Nathan Cutler almost 7 years ago

  • Status changed from Pending Backport to Resolved