https://tracker.ceph.com/https://tracker.ceph.com/favicon.ico2020-04-02T14:17:43ZCeph rgw - Bug #44804: Signed Url generated with metadata alway return SignatureNotMatch https://tracker.ceph.com/issues/44804?journal_id=1624252020-04-02T14:17:43ZCasey Bodleycbodley@redhat.com
<ul><li><strong>Assignee</strong> set to <i>Or Friedmann</i></li></ul> rgw - Bug #44804: Signed Url generated with metadata alway return SignatureNotMatch https://tracker.ceph.com/issues/44804?journal_id=1633452020-04-16T13:36:18ZOr Friedmann
<ul></ul><p>Hi Hoan,</p>
<p>I ran this script:</p>
<p>import boto3<br />import botocore</p>
<p>s3client = boto3.client(service_name='s3',<br /> aws_access_key_id='0555b35654ad1656d804',<br /> aws_secret_access_key='h7GhxuBLTrlhVUyxSPUKUV8r/2EI4ngqJxD7iBdBYLhwluN30JaT3Q==',<br /> endpoint_url='http://127.0.0.1:8000', use_ssl=False, verify=False,<br /> config=botocore.config.Config(signature_version='s3v4')<br /> )<br />bucket_name = 'hello'<br />url = s3client.generate_presigned_url('put_object', Params={'Bucket':bucket_name, 'Key':'1.jpg', 'ContentType': 'image/jpeg' , 'ACL': 'public-read'}, ExpiresIn=3600, HttpMethod='PUT')<br />print(url)</p>
<p>then run:</p>
<p>curl <strong>-H "content-type: image/jpeg" -H "x-amz-acl: public-read"</strong> --request PUT --upload-file /etc/hosts "<the url from the python3 sccript>"</p>
<p>It works</p>
<p>Well RGW is not able to add the headers as the presigned url is being created by boto3 and not by the RGW (you can see in the logs that not request has sent to the RGW after running the python script)</p> rgw - Bug #44804: Signed Url generated with metadata alway return SignatureNotMatch https://tracker.ceph.com/issues/44804?journal_id=1633472020-04-16T13:47:01Zhoan nv
<ul></ul><p>Or Friedmann wrote:</p>
<blockquote>
<p>Hi Hoan,</p>
<p>I ran this script:</p>
<p>import boto3<br />import botocore</p>
<p>s3client = boto3.client(service_name='s3',<br />aws_access_key_id='0555b35654ad1656d804',<br />aws_secret_access_key='h7GhxuBLTrlhVUyxSPUKUV8r/2EI4ngqJxD7iBdBYLhwluN30JaT3Q==',<br />endpoint_url='http://127.0.0.1:8000', use_ssl=False, verify=False,<br />config=botocore.config.Config(signature_version='s3v4')<br />)<br />bucket_name = 'hello'<br />url = s3client.generate_presigned_url('put_object', Params={'Bucket':bucket_name, 'Key':'1.jpg', 'ContentType': 'image/jpeg' , 'ACL': 'public-read'}, ExpiresIn=3600, HttpMethod='PUT')<br />print(url)</p>
<p>then run:</p>
<p>curl <strong>-H "content-type: image/jpeg" -H "x-amz-acl: public-read"</strong> --request PUT --upload-file /etc/hosts "<the url from the python3 sccript>"</p>
<p>It works</p>
<p>Well RGW is not able to add the headers as the presigned url is being created by boto3 and not by the RGW (you can see in the logs that not request has sent to the RGW after running the python script)</p>
</blockquote>
<p>I was tested this script with Amazon S3, it wwork. Curl command don't need add content-type and x-amz-acl headers to curl request. I think rgw should work same as Amazon S3.</p> rgw - Bug #44804: Signed Url generated with metadata alway return SignatureNotMatch https://tracker.ceph.com/issues/44804?journal_id=1646062020-04-30T09:22:39ZOr Friedmann
<ul></ul><p>curl --request PUT --upload-file 1.jpg "https://s3.amazonaws.com/testsignedurls/1.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<access_key>%2F20200430%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200430T090739Z&X-Amz-Expires=300&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-acl&X-Amz-Signature=<signature>"</p>
<p><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message></p>
<p>curl -H "Content-Type: image/jpeg" -H "x-amz-acl: private" --request PUT --upload-file 1.jpg "https://s3.amazonaws.com/testsignedurls/1.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<access_key>%2F20200430%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200430T090739Z&X-Amz-Expires=300&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-acl&X-Amz-Signature=<signature>"</p>
<p>worked</p>
<p>It looks like it is mandatory in AWS too to send the signed headers.</p> rgw - Bug #44804: Signed Url generated with metadata alway return SignatureNotMatch https://tracker.ceph.com/issues/44804?journal_id=1646072020-04-30T09:23:20ZOr Friedmann
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul>