Bug #21832
boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers
Status: closed
% Done: 0%
Backport: jewel
Regression: Yes
Severity: 3 - minor
Description
The following boto3 request fails against rgw with SignatureDoesNotMatch:
    s3.put_object(Bucket='bucket',Key='myobject',Body=open('a.txt'),ServerSideEncryption='aws:kms',SSEKMSKeyId='testkey')
boto3 debug logs show it sorting the server side encryption headers as:
    x-amz-server-side-encryption:aws:kms
    x-amz-server-side-encryption-aws-kms-key-id:testkey
while radosgw logs show the opposite sort:
    x-amz-server-side-encryption-aws-kms-key-id:testkey
    x-amz-server-side-encryption:aws:kms
Amazon docs for v2 and v4 auth both make it clear that the headers should be sorted by name before appending the : and header values:
- http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#canonical-request
- http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationConstructingCanonicalizedAmzHeaders
This sorting behavior in radosgw was changed recently in https://github.com/ceph/ceph/pull/18046 for http://tracker.ceph.com/issues/21607, because of v4 signature failures observed against boto2 in s3tests. But boto2's behavior has been reported as a defect in https://github.com/boto/boto/pull/3032.
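The two orderings from the logs above, reproduced as an added example (not part of the original report and not radosgw or boto3 code). It assumes the reversed order comes from sorting the joined `name:value` strings, where `-` (0x2d) sorts before `:` (0x3a); the host, date, region and secret key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample request; only the two SSE header values come from the report.
HEADERS = {
    "Host": "rgw.example.com",
    "X-Amz-Content-Sha256": "UNSIGNED-PAYLOAD",
    "X-Amz-Date": "20200101T000000Z",
    "X-Amz-Server-Side-Encryption": "aws:kms",
    "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": "testkey",
}

def canonical_headers(headers, sort_joined=False):
    """Return canonical header lines (lower-cased names, whitespace-collapsed values).

    sort_joined=False: sort by name, then append ':' and the value (per the AWS docs).
    sort_joined=True:  append first, then sort the joined strings (assumed faulty order).
    """
    pairs = [(k.lower(), " ".join(v.split())) for k, v in headers.items()]
    if sort_joined:
        return sorted(f"{k}:{v}" for k, v in pairs)
    return [f"{k}:{v}" for k, v in sorted(pairs, key=lambda p: p[0])]

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(headers, secret, sort_joined=False, region="us-east-1"):
    """SigV4 signature for PUT /bucket/myobject using the chosen header ordering."""
    lines = canonical_headers(headers, sort_joined)
    signed = ";".join(sorted(k.lower() for k in headers))
    creq = "\n".join(["PUT", "/bucket/myobject", "", "\n".join(lines) + "\n",
                      signed, headers["X-Amz-Content-Sha256"]])
    amz_date = headers["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    # Standard SigV4 signing-key derivation chain.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    secret = "CONSTRUCTED-SECRET-KEY"  # placeholder, not a real credential
    print("by name   :", canonical_headers(HEADERS)[-2:])
    print("by joined :", canonical_headers(HEADERS, sort_joined=True)[-2:])
    client, server = sign(HEADERS, secret), sign(HEADERS, secret, sort_joined=True)
    print("signatures match:", hmac.compare_digest(client, server))
```

Because the canonical request is hashed into the string to sign, swapping just these two lines changes the signature, and the server's comparison fails with SignatureDoesNotMatch even though both sides hold the same secret.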
Updated by Casey Bodley over 6 years ago
- Related to Bug #21607: rgw: s3 v4 auth fails teuthology s3-tests: test_object_header_acl_grants test_bucket_header_acl_grants added
Updated by Casey Bodley over 6 years ago
- Status changed from New to Fix Under Review
Updated by Matt Benjamin over 6 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Abhishek Lekshmanan over 6 years ago
- Status changed from Pending Backport to Resolved
The other PR wasn't backported, so no need to backport the revert.
Updated by Nathan Cutler over 6 years ago
- Status changed from Resolved to Pending Backport
- Backport set to jewel
https://github.com/ceph/ceph/pull/18080 was merged by mistake, so we'll need to backport the revert after all.
Updated by Nathan Cutler over 6 years ago
- Copied to Backport #22028: jewel: boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers added
Updated by Nathan Cutler about 6 years ago
- Status changed from Pending Backport to Resolved