Project

General

Profile

Actions
Copy link

Bug #21832

closed

boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers

Added by Casey Bodley over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
High
Assignee:
Casey Bodley
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
jewel
Regression:
Yes
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The following boto3 request fails against rgw with SignatureDoesNotMatch:

s3.put_object(Bucket='bucket',Key='myobject',Body=open('a.txt'),ServerSideEncryption='aws:kms',SSEKMSKeyId='testkey')

boto3 debug logs show it sorting the server side encryption headers as:

x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:testkey

while radosgw logs show the opposite sort:

x-amz-server-side-encryption-aws-kms-key-id:testkey
x-amz-server-side-encryption:aws:kms

Amazon docs for v2 and v4 auth both make it clear that the headers should be sorted by name before appending the : and header values:

This sorting behavior in radosgw was changed recently in https://github.com/ceph/ceph/pull/18046 for http://tracker.ceph.com/issues/21607, because of v4 signature failures observed against boto2 in s3tests. But boto2's behavior has been reported as a defect in https://github.com/boto/boto/pull/3032.

Related issues 2 (1 open1 closed)

Related to rgw - Bug #21607: rgw: s3 v4 auth fails teuthology s3-tests: test_object_header_acl_grants test_bucket_header_acl_grantsFix Under Review

Actions
Copied to rgw - Backport #22028: jewel: boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headersResolvedNathan CutlerActions
Actions
Copy link

Also available in: Atom PDF