rgw: aws4: add rgw_s3_auth_aws4_force_boto2_compat conf option

author Javier M. Mellid <jmunhoz@igalia.com>

Mon, 1 Aug 2016 19:00:28 +0000 (21:00 +0200)

committer Javier M. Mellid <jmunhoz@igalia.com>

Thu, 15 Dec 2016 23:59:49 +0000 (00:59 +0100)
author Javier M. Mellid <jmunhoz@igalia.com>
Mon, 1 Aug 2016 19:00:28 +0000 (21:00 +0200)
committer Javier M. Mellid <jmunhoz@igalia.com>
Thu, 15 Dec 2016 23:59:49 +0000 (00:59 +0100)
diff --git a/src/common/config_opts.h b/src/common/config_opts.h

index 41a109875df0b6ba9613f66fdf38e33098aebfaa..e8ef9b3b8aae5c7b2d6a79a62bdd87254f9dbdfd 100644 (file)
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -1331,6 +1331,7 @@ OPTION(rgw_keystone_verify_ssl, OPT_BOOL, true) // should we try to verify keyst
  OPTION(rgw_keystone_implicit_tenants, OPT_BOOL, false)  // create new users in their own tenants of the same name
  OPTION(rgw_s3_auth_use_rados, OPT_BOOL, true)  // should we try to use the internal credentials for s3?
  OPTION(rgw_s3_auth_use_keystone, OPT_BOOL, false)  // should we try to use keystone for s3?
+OPTION(rgw_s3_auth_aws4_force_boto2_compat, OPT_BOOL, true) // force aws4 auth boto2 compatibility
  
  /* OpenLDAP-style LDAP parameter strings */
  /* rgw_ldap_uri  space-separated list of LDAP servers in URI format */
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc

index dfd8ae1dd1fa7dade38cab2e7accab18bbedc423..e01d61145508bcaa437fdd4328967f98666e70cc 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -3307,7 +3307,14 @@ int RGW_Auth_S3::authorize(RGWRados *store, struct req_state *s)
        if (algorithm != "AWS4-HMAC-SHA256") {
          return -EPERM;
        }
-      return authorize_v4(store, s);
+      /* compute first aws4 signature (stick to the boto2 implementation) */
+      int err = authorize_v4(store, s);
+      if ((err==-ERR_SIGNATURE_NO_MATCH) && !store->ctx()->_conf->rgw_s3_auth_aws4_force_boto2_compat) {
+        /* compute second aws4 signature (no bugs supported) */
+        ldout(s->cct, 10) << "computing second aws4 signature..." << dendl;
+        return authorize_v4(store, s, false);
+      }
+      return err;
      }
  
      /* AWS2 */
@@ -3461,7 +3468,7 @@ static std::array<string, 3> aws4_presigned_required_keys = { "Credential", "Sig
  /*
   * handle v4 signatures (rados auth only)
   */
-int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
+int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_boto2_compat /* = true */)
  {
    string::size_type pos;
    bool using_qs;
@@ -3736,7 +3743,7 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
        }
      }
      string token_value = string(t);
-    if (using_qs && (token == "host")) {
+    if (force_boto2_compat && using_qs && (token == "host")) {
        if (!port.empty() && port != "80" && port != "0") {
          token_value = token_value + ":" + port;
        } else if (!secure_port.empty() && secure_port != "443") {
diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h

index c48b2eb1f6987fd06a768a5421a4564376870a38..b7f49306d56174940cf6bf254cb61aac2b01be5b 100644 (file)
--- a/src/rgw/rgw_rest_s3.h
+++ b/src/rgw/rgw_rest_s3.h
@@ -449,7 +449,7 @@ private:
    static rgw::LDAPHelper* ldh;
  
    static int authorize_v2(RGWRados *store, struct req_state *s);
-  static int authorize_v4(RGWRados *store, struct req_state *s);
+  static int authorize_v4(RGWRados *store, struct req_state *s, bool force_boto2_compat = true);
    static int authorize_v4_complete(RGWRados *store, struct req_state *s,
                                   const string& request_payload,
                                   bool unsigned_payload);
author	Javier M. Mellid <jmunhoz@igalia.com>
	Mon, 1 Aug 2016 19:00:28 +0000 (21:00 +0200)
committer	Javier M. Mellid <jmunhoz@igalia.com>
	Thu, 15 Dec 2016 23:59:49 +0000 (00:59 +0100)
src/common/config_opts.h		patch \| blob \| history
src/rgw/rgw_rest_s3.cc		patch \| blob \| history
src/rgw/rgw_rest_s3.h		patch \| blob \| history