Bug #18965

closed

rgw: S3 v4 sign is not working with aws java sdk

Added by okwap okwap about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: High
Target version: -
% Done: 0%
Regression: No
Severity: 3 - minor

Description

java sdk version: 1.11.91

The following code snippet returns 400 Bad Request (copied from http://docs.ceph.com/docs/master/radosgw/s3/java/):

package com.chttl.s3;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.Bucket;
import com.amazonaws.util.StringUtils;

import java.util.List;

public class S3Client {

    public static void main(String[] args) {

        AWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey);

        ClientConfiguration clientConfig = new ClientConfiguration();
        clientConfig.setProtocol(Protocol.HTTP);
        clientConfig.withSignerOverride("S3SignerType");
        AmazonS3 conn = new AmazonS3Client(credentials, clientConfig);
        conn.setEndpoint(endPoint);

        List<Bucket> buckets = conn.listBuckets();
        for (Bucket bucket : buckets) {
            System.out.println(bucket.getName() + "\t" +
                    StringUtils.fromDate(bucket.getCreationDate()));
        }
    }
}

Error message from packet sniffer:

T 10.144.225.175:8080 -> 10.0.2.15:57450 [AP]
  HTTP/1.1 400 Bad Request..x-amz-request-id: tx000000000000000003c39-0058a66
  647-64d335-dev..Content-Length: 149..Accept-Ranges: bytes..Content-Type: ap
  plication/xml..Date: Fri, 17 Feb 2017 02:56:07 GMT..Connection: Keep-Alive.
  ...                                                                        
##
T 10.144.225.175:8080 -> 10.0.2.15:57450 [AP]
  <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><R
  equestId>tx000000000000000003c39-0058a66647-64d335-dev</RequestId></Error> 
###

Forcing the SDK to use v2 signing works without problems.

Actions #1

Updated by okwap okwap about 7 years ago

request

##
T 10.0.2.15:57450 -> 10.144.225.175:8080 [AP]
  GET / HTTP/1.1..Host: 10.144.225.175:8080..x-amz-content-sha256: e3b0c44298
  fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855..Authorization: AWS4
  -HMAC-SHA256 Credential=XS3SDAYG61ODT9K4Y6QL/20170217/us-east-1/s3/aws4_req
  uest, SignedHeaders=amz-sdk-invocation-id;amz-sdk-retry;content-type;host;u
  ser-agent;x-amz-content-sha256;x-amz-date, Signature=d1c663a7d41aba4021b857
  3e141f789c92ee7c0acd1bc29726d4f59aa394f890..X-Amz-Date: 20170217T025535Z..U
  ser-Agent: aws-sdk-java/1.11.91 Linux/4.4.0-62-generic Java_HotSpot(TM)_64-
  Bit_Server_VM/25.121-b13/1.8.0_121..amz-sdk-invocation-id: 1522d560-3029-56
  34-aef6-fc6f11b006e0..amz-sdk-retry: 0/0/500..Content-Type: application/oct
  et-stream..Connection: Keep-Alive....                                      
#
T 10.144.225.175:8080 -> 10.0.2.15:57450 [A]
  ......

Actions #2

Updated by Chang Liu about 7 years ago

Please paste the RGW log if you can get it. I'm working on this.

Actions #3

Updated by okwap okwap about 7 years ago

2017-02-17 07:11:11.515232 7f0e6e7fc700  1 ====== starting new request req=0x7f0e5c004fa0 =====
2017-02-17 07:11:11.515268 7f0e6e7fc700  2 req 15733:0.000037::PUT /tests3clientbk/::initializing for trans_id = tx000000000000000003d75-0058a6a20f-64d335-dev
2017-02-17 07:11:11.515357 7f0e6e7fc700  2 req 15733:0.000125:s3:PUT /tests3clientbk/::getting op
2017-02-17 07:11:11.515367 7f0e6e7fc700  2 req 15733:0.000135:s3:PUT /tests3clientbk/:create_bucket:authorizing
2017-02-17 07:11:11.515526 7f0e6e7fc700  2 req 15733:0.000294:s3:PUT /tests3clientbk/:create_bucket:http status=400
2017-02-17 07:11:11.515542 7f0e6e7fc700  1 ====== req done req=0x7f0e5c004fa0 http_status=400 ======
2017-02-17 07:11:11.515623 7f0e6e7fc700  1 civetweb: 0x7f0e5c0008c0: 10.144.171.155 - - [17/Feb/2017:07:11:11 +0000] "PUT /tests3clientbk/ HTTP/1.1" 400 0 - aws-sdk-java/1.11.91 Linux/4.4.0-62-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.121-b13/1.8.0_121

Actions #4

Updated by Chang Liu about 7 years ago

Thanks. It would be better to change the RGW logging level to 20. You can do it as follows:

1. Add "debug rgw = 20" to your ceph.conf.
2. Restart your RGW process.

What's your Ceph version? You can get it with `ceph --version`.

Actions #5

Updated by Chang Liu about 7 years ago

Hi, okwap

I have tried this with the Ceph master code. It passes AWS v4 authorization, as shown:

2017-02-20 14:10:05.183629 7f3842d9a700 10 date_k = bfe2a3d5ad5113153ca5e45f04a61c9623651eb8302e0106536d406ddbfe63dc
2017-02-20 14:10:05.183643 7f3842d9a700 10 region_k = 513c9f76f07564f8a8b9a2a094c983f6d727a68056a8512e506a842426cddeab
2017-02-20 14:10:05.183653 7f3842d9a700 10 service_k = 68283473a9ac33887d56d4f47a9169669f06450658c42e24d1ee6ccf36735684
2017-02-20 14:10:05.183665 7f3842d9a700 10 signing_k = cdeb023e877782050d2d931246c203bb6955cde13d7b685270b706f8af134f69
2017-02-20 14:10:05.183674 7f3842d9a700 10 signature_k = e95c47625a302ad516c5be8ea37783a722d8c5b60b7dadc0e965395837550d1e
2017-02-20 14:10:05.183677 7f3842d9a700 10 new signature = e95c47625a302ad516c5be8ea37783a722d8c5b60b7dadc0e965395837550d1e
2017-02-20 14:10:05.183678 7f3842d9a700 10 ----------------------------- Verifying signatures
2017-02-20 14:10:05.183679 7f3842d9a700 10 Signature = e95c47625a302ad516c5be8ea37783a722d8c5b60b7dadc0e965395837550d1e
2017-02-20 14:10:05.183679 7f3842d9a700 10 New Signature = e95c47625a302ad516c5be8ea37783a722d8c5b60b7dadc0e965395837550d1e
2017-02-20 14:10:05.183680 7f3842d9a700 10 -----------------------------
2017-02-20 14:10:05.183681 7f3842d9a700 10 v4 auth ok
2017-02-20 14:10:05.183692 7f3842d9a700 2 req 1:0.002978:s3:GET /:list_buckets:normalizing buckets and tenants
2017-02-20 14:10:05.183695 7f3842d9a700 10 s->object=<NULL> s->bucket=
2017-02-20 14:10:05.183697 7f3842d9a700 2 req 1:0.002983:s3:GET /:list_buckets:init permissions
2017-02-20 14:10:05.183702 7f3842d9a700 2 req 1:0.002988:s3:GET /:list_buckets:recalculating target
2017-02-20 14:10:05.183703 7f3842d9a700 2 req 1:0.002989:s3:GET /:list_buckets:reading permissions
2017-02-20 14:10:05.183705 7f3842d9a700 2 req 1:0.002990:s3:GET /:list_buckets:init op
2017-02-20 14:10:05.183707 7f3842d9a700 2 req 1:0.002993:s3:GET /:list_buckets:verifying op mask
2017-02-20 14:10:05.183708 7f3842d9a700 20 required_mask= 1 user.op_mask=7
2017-02-20 14:10:05.183708 7f3842d9a700 2 req 1:0.002994:s3:GET /:list_buckets:verifying op permissions
2017-02-20 14:10:05.183709 7f3842d9a700 2 req 1:0.002995:s3:GET /:list_buckets:verifying op params
2017-02-20 14:10:05.183710 7f3842d9a700 2 req 1:0.002996:s3:GET /:list_buckets:pre-executing
2017-02-20 14:10:05.183710 7f3842d9a700 2 req 1:0.002996:s3:GET /:list_buckets:executing
2017-02-20 14:10:05.183741 7f3842d9a700 1 -- 127.0.0.1:0/2922847053 --> 127.0.0.1:6800/708 -- osd_op(unknown.0.0:734 9.5 9:bee2c682::::head [call user.list_buckets] snapc 0=[] ondisk+read+known_if_redirected e44) v8 -- 0x5647fde3ba80 con 0
2017-02-20 14:10:05.183996 7f38625d9700 1 -- 127.0.0.1:0/2922847053 <== osd.0 127.0.0.1:6800/708 202 ==== osd_op_reply(734 [call] v0'0 uv0 ondisk = -2 ((2) No such file or directory)) v7 ==== 150+0+0 (3287003251 0 0) 0x5647fde3ba80 con 0x5647fda6d800
2017-02-20 14:10:05.184175 7f3842d9a700 2 req 1:0.003461:s3:GET /:list_buckets:completing
2017-02-20 14:10:05.184212 7f3842d9a700 2 req 1:0.003498:s3:GET /:list_buckets:op status=0
2017-02-20 14:10:05.184216 7f3842d9a700 2 req 1:0.003502:s3:GET /:list_buckets:http status=200
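
The key chain named in the RGW log above (date_k, region_k, service_k, signing_k) and the two Authorization header formats this ticket turns on, as an added Python example that is not part of the original thread or of Ceph's code. The secret and string-to-sign are constructed placeholders, and building the canonical request is left out.

```python
import hashlib
import hmac

# SHA-256 of an empty body: the x-amz-content-sha256 value a bodyless GET carries.
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_keys(secret: str, date: str, region: str, service: str) -> dict:
    """SigV4 key chain, using the names printed in the RGW debug log."""
    date_k = _mac(("AWS4" + secret).encode("utf-8"), date)
    region_k = _mac(date_k, region)
    service_k = _mac(region_k, service)
    signing_k = _mac(service_k, "aws4_request")
    return {"date_k": date_k, "region_k": region_k,
            "service_k": service_k, "signing_k": signing_k}

def parse_authorization(header: str) -> dict:
    """Tell a v2 header ("AWS key:sig") from a v4 one and split its fields."""
    scheme, _, rest = header.partition(" ")
    if scheme == "AWS":
        access_key, _, signature = rest.partition(":")
        return {"version": "v2", "access_key": access_key, "signature": signature}
    if scheme != "AWS4-HMAC-SHA256":
        raise ValueError("unsupported Authorization scheme: " + scheme)
    fields = dict(part.strip().split("=", 1) for part in rest.split(","))
    access_key, date, region, service, term = fields["Credential"].rsplit("/", 4)
    if term != "aws4_request":
        raise ValueError("bad credential scope terminator")
    return {"version": "v4", "access_key": access_key, "date": date,
            "region": region, "service": service,
            "signed_headers": fields["SignedHeaders"].split(";"),
            "signature": fields["Signature"]}

def signature_for(secret: str, scope: dict, string_to_sign: str) -> str:
    keys = derive_keys(secret, scope["date"], scope["region"], scope["service"])
    return hmac.new(keys["signing_k"], string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest()

def verify(secret: str, header: str, string_to_sign: str) -> bool:
    """Recompute the signature and compare in constant time."""
    auth = parse_authorization(header)
    if auth["version"] != "v4":
        return False
    return hmac.compare_digest(signature_for(secret, auth, string_to_sign),
                               auth["signature"])

# Constructed sample input (placeholder secret, not a value from the ticket).
SECRET = "example-secret"
STRING_TO_SIGN = ("AWS4-HMAC-SHA256\n20170217T025535Z\n20170217/us-east-1/s3/aws4_request\n"
                  + hashlib.sha256(b"<constructed canonical request>").hexdigest())
```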

Actions #6

Updated by Matt Benjamin about 7 years ago

  • Status changed from New to Need More Info
  • Assignee set to Matt Benjamin
  • Priority changed from Normal to High

Actions #7

Updated by Matt Benjamin about 7 years ago

Will retest on Jewel (no plans to backport to Infernalis).

Actions #8

Updated by okwap okwap about 7 years ago

Sorry, the snippet uses v2 signing; `clientConfig.withSignerOverride("S3SignerType");` should be commented out.

Correct V4 code:

package com.chttl.s3;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.Bucket;
import com.amazonaws.util.StringUtils;

import java.util.List;

public class S3Client {

    public static void main(String[] args) {

        AWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey);

        ClientConfiguration clientConfig = new ClientConfiguration();
        clientConfig.setProtocol(Protocol.HTTP);
        AmazonS3 conn = new AmazonS3Client(credentials, clientConfig);
        conn.setEndpoint(endPoint);

        List<Bucket> buckets = conn.listBuckets();
        for (Bucket bucket : buckets) {
            System.out.println(bucket.getName() + "\t" +
                    StringUtils.fromDate(bucket.getCreationDate()));
        }
    }
}

Actions #9

Updated by okwap okwap about 7 years ago

Hi all,
I confirm that
  • v10.2.2 has no problem with v4 signing
  • v9.2.1 has a problem with v4 signing

If you are not considering a backport, the issue can be closed.

Actions #10

Updated by Nathan Cutler about 7 years ago

  • Status changed from Need More Info to Closed

According to https://github.com/ceph/ceph/blob/master/doc/releases.rst Infernalis was retired in April 2016.
