Bug #22826

"x-amz-content-sha256: STREAMING-AWS4-HMAC-SHA256-PAYLOAD" is not supported by V4 auth through LDAPEngine

Added by liu boy over 3 years ago. Updated over 3 years ago.

Status: In Progress
Priority: Normal
Assignee:
Target version:
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite: rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

request & response:

PUT /bucket1/test.pdf?uploadId=2%7ELJHM5ZQxPXBzDDK5cG4RG_j9bcKXvI5&partNumber=1 HTTP/1.1
Host: 10.1.xx.xx:8080
x-amz-content-sha256: STREAMING-AWS4-HMAC-SHA256-PAYLOAD
Authorization: AWS4-HMAC-SHA256 Credential=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogImhhZG9vcCIsCiAgICAgICAgImtleSI6ICJoYWRvb3AiCiAgICB9Cn0K/20180129/us-east-1/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-retry;content-length;content-type;host;user-agent;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=0e7fadce0f236427ae9cb921b86f90dc79cd2478243d647375165b88117b1cdb
X-Amz-Date: 20180129T131151Z
User-Agent: aws-sdk-java/1.11.255 Mac_OS_X/10.13.3 Java_HotSpot(TM)_64-Bit_Server_VM/25.111-b14 java/1.8.0_111
amz-sdk-invocation-id: f8dc10c5-364a-5cfe-425e-eb804f9fe368
x-amz-decoded-content-length: 10485760
amz-sdk-retry: 0/0/500
Content-Type: application/octet-stream
Content-Length: 10493046
Connection: Keep-Alive
Expect: 100-continue

HTTP/1.1 501 Not Implemented
Content-Length: 187
x-amz-request-id: tx0000000000000000006fa-005a6f1d97-10cb-default
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 29 Jan 2018 13:11:51 GMT
Connection: Keep-Alive

<Error><Code>NotImplemented</Code><RequestId>tx0000000000000000006fa-005a6f1d97-10cb-default</RequestId><HostId>10cb-default-default</HostId></Error>

ceph rgw log:

2018-01-29 21:11:51.569279 7f70972ec700 5 error reading user info, uid=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogImhhZG9vcCIsCiAgICAgICAgImtleSI6ICJoYWRvb3AiCiAgICB9Cn0K can't authenticate
2018-01-29 21:11:51.569285 7f70972ec700 5 Failed the auth strategy, reason=-2201
2018-01-29 21:11:51.569288 7f70972ec700 10 failed to authorize request
2018-01-29 21:11:51.569367 7f70972ec700 2 req 1786:0.009527:s3:PUT /bucket1/test.pdf:put_obj:op status=0
2018-01-29 21:11:51.569376 7f70972ec700 2 req 1786:0.009537:s3:PUT /bucket1/test.pdf:put_obj:http status=501
2018-01-29 21:11:51.569392 7f70972ec700 1 ====== req done req=0x7f70972e6190 op status=0 http_status=501 ======

History

#1 Updated by John Spray over 3 years ago

  • Project changed from Ceph to rgw

#2 Updated by liu boy over 3 years ago

Can anyone help me?

#3 Updated by Yehuda Sadeh over 3 years ago

  • Assignee set to Matt Benjamin

#4 Updated by Matt Benjamin over 3 years ago

  • Status changed from New to In Progress

@liu, we have a plan to address this via a general cryptographic token facility that can provide temporary, strong S3 credentials for all the relevant auth mechanisms (e.g., internal, ldap, keystone).

Marcus Watts is working on a design and prototype implementation for this. We plan to describe it in an upcoming Ceph CDN.

regards,

Matt
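
Added example (not part of the original ticket and not Ceph code): a triage helper that reads captured request headers, decodes the Credential access key as a base64 RGW_TOKEN, and flags the LDAP-token plus streaming-payload combination this report describes. The names `decode_rgw_token`, `triage`, `make_token` and `SAMPLE` are hypothetical, and the sample header values are constructed.

```python
import base64
import json
import re

STREAMING = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
CRED_RE = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^,]+),")

def decode_rgw_token(access_key):
    """Return the RGW_TOKEN dict if the access key is base64 JSON, else None."""
    try:
        doc = json.loads(base64.b64decode(access_key, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: an ordinary access key
        return None
    token = doc.get("RGW_TOKEN") if isinstance(doc, dict) else None
    return token if isinstance(token, dict) else None

def triage(headers):
    """Classify a request from its headers (dict keyed by lowercase header name)."""
    m = CRED_RE.match(headers.get("authorization", ""))
    # Base64 may itself contain '/', so split the credential scope from the right.
    parts = m.group(1).rsplit("/", 4) if m else []
    if len(parts) != 5:
        return {"sigv4": False}
    token = decode_rgw_token(parts[0])
    streaming = headers.get("x-amz-content-sha256") == STREAMING
    return {
        "sigv4": True,
        "token_type": token.get("type") if token else None,
        # Only the id is reported; the token's "key" field is a reversible
        # encoding of the credential, so it is never copied into the result.
        "token_id": token.get("id") if token else None,
        "streaming_payload": streaming,
        "matches_bug_22826": bool(token) and token.get("type") == "ldap" and streaming,
    }

def make_token(uid, key):
    """Build a constructed token with the same JSON shape as the one in the report."""
    raw = json.dumps({"RGW_TOKEN": {"version": 1, "type": "ldap", "id": uid, "key": key}})
    return base64.b64encode(raw.encode()).decode()

# Constructed sample headers, not taken from a real system.
SAMPLE = {
    "authorization": "AWS4-HMAC-SHA256 Credential=" + make_token("alice", "constructed-pw")
    + "/20180129/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date,"
    + " Signature=" + "0" * 64,
    "x-amz-content-sha256": STREAMING,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the access key is only base64-encoded, request captures and rgw log lines that echo it (as the `uid=` field does in the log above) should be handled as secrets.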
