Bug #55339
closed
radosgw rejects some requests without Content-MD5 Header
100%
Description
radosgw server running pacific 16.2.7 on Rocky Linux 8.5 (Green Obsidian).
awscli, running on Rocky Linux 8.5 (Green Obsidian), on a different machine than the server. This client system is in fips mode. The awscli is 1.22.22 with botocore/1.23.22, the default available with dnf/yum.
The radosgw server is NOT in fips mode.
Things like 'aws s3 cp ...' work fine.
However, use of awscli with some s3api calls such as put-bucket-lifecycle-configuration fails with 'InvalidRequest'. If I disable fips mode on the client, then all is well and put-bucket-lifecycle-configuration works fine.
This turns out to be due to the fact that python's hashlib.md5() is not available when the awscli is running on a fips enabled workstation, and thus awscli doesn't generate a Content-MD5 header. Debug output of awscli shows that the Content-MD5 header is not sent when the system is in fips mode, but is when fips mode is off.
radosgw seems to need Content-MD5 or it gives 'InvalidRequest'. I have only checked put-bucket-lifecycle-configuration, but I suspect this affects some other s3api calls as well.
In either case (client with fips mode and client without fips mode), the x-amz-content-sha256 header is sent. Perhaps this should be enough for radosgw? (I haven't thought that part through yet). A config option could perhaps be created that disables the need for Content-MD5.
I am aware of https://tracker.ceph.com/issues/53008, but that involves fips mode on the radosgw server itself. The current situation involves use of fips mode on the awscli workstation.
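The header behaviour described in this report, as an added Python example that is not code from the reporter, awscli/botocore or Ceph. `check_body` and its `require_md5` switch are hypothetical and only model the receiver-side choice the report raises; the sample body is constructed, and the model assumes `x-amz-content-sha256` always carries the body hash.

```python
import base64
import hashlib

# Constructed sample request body (not taken from the bug report).
LIFECYCLE_XML = (b"<LifecycleConfiguration><Rule><ID>expire-tmp</ID>"
                 b"<Status>Enabled</Status></Rule></LifecycleConfiguration>")

def md5_digest(data):
    """Raw MD5 digest, or None when the local crypto policy refuses MD5."""
    try:
        return hashlib.md5(data).digest()
    except ValueError:
        pass  # plain md5() is blocked, as on a FIPS-enabled host
    try:
        # Python 3.9+: mark the hash as a non-security checksum.
        return hashlib.md5(data, usedforsecurity=False).digest()
    except (ValueError, TypeError):
        return None  # older Python or MD5 not present at all

def integrity_headers(body):
    """Body-integrity headers a client can produce on this host."""
    headers = {"x-amz-content-sha256": hashlib.sha256(body).hexdigest()}
    digest = md5_digest(body)
    if digest is not None:
        headers["Content-MD5"] = base64.b64encode(digest).decode("ascii")
    return headers

def check_body(headers, body, require_md5=True):
    """Hypothetical receiver check; return strings are labels for this example.

    require_md5=True models the behaviour in the report (no Content-MD5
    gives InvalidRequest). require_md5=False models the suggested option
    of relying on the SHA-256 header alone.
    """
    if headers.get("x-amz-content-sha256") != hashlib.sha256(body).hexdigest():
        return "BadDigest"
    sent = headers.get("Content-MD5")
    if sent is None:
        return "InvalidRequest" if require_md5 else "OK"
    digest = md5_digest(body)
    if digest is None or base64.b64encode(digest).decode("ascii") != sent:
        return "BadDigest"
    return "OK"

if __name__ == "__main__":
    hdrs = integrity_headers(LIFECYCLE_XML)
    print(sorted(hdrs), check_body(hdrs, LIFECYCLE_XML))
```

Running it on a FIPS-enabled client with an older Python shows only `x-amz-content-sha256` in the header list, which is the request shape the report says radosgw rejects.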