Actions
Bug #21832
closedboto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers
% Done:
0%
Source:
Tags:
Backport:
jewel
Regression:
Yes
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
The following boto3 request fails against rgw with SignatureDoesNotMatch:
s3.put_object(Bucket='bucket',Key='myobject',Body=open('a.txt'),ServerSideEncryption='aws:kms',SSEKMSKeyId='testkey')
boto3 debug logs show it sorting the server side encryption headers as:
x-amz-server-side-encryption:aws:kms x-amz-server-side-encryption-aws-kms-key-id:testkey
while radosgw logs show the opposite sort:
x-amz-server-side-encryption-aws-kms-key-id:testkey x-amz-server-side-encryption:aws:kmsAmazon docs for v2 and v4 auth both make it clear that the headers should be sorted by name before appending the : and header values:
- http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#canonical-request
- http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationConstructingCanonicalizedAmzHeaders
This sorting behavior in radosgw was changed recently in https://github.com/ceph/ceph/pull/18046 for http://tracker.ceph.com/issues/21607, because of v4 signature failures observed against boto2 in s3tests. But boto2's behavior has been reported as a defect in https://github.com/boto/boto/pull/3032.
Actions