OPTION(rgw_healthcheck_disabling_path, OPT_STR, "") // path that existence causes the healthcheck to respond 503
OPTION(rgw_s3_auth_use_rados, OPT_BOOL, true) // should we try to use the internal credentials for s3?
OPTION(rgw_s3_auth_use_keystone, OPT_BOOL, false) // should we try to use keystone for s3?
+OPTION(rgw_s3_auth_aws4_force_boto2_compat, OPT_BOOL, true) // force aws4 auth boto2 compatibility
/* OpenLDAP-style LDAP parameter strings */
/* rgw_ldap_uri space-separated list of LDAP servers in URI format */
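Review bot: The comment on the added `rgw_s3_auth_aws4_force_boto2_compat` line does not say what turning the option off does, and that is the part an operator needs to know before changing it. Judging from the other hunks of this change, `false` does not drop the boto2 behaviour; it appears to add a second signature attempt after the first one fails, so the word "force" is easy to misread. I would expand the comment along the lines of `// true: accept only the boto2-style aws4 signature; false: on a signature mismatch, retry once without the boto2 host handling`.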
if (algorithm != "AWS4-HMAC-SHA256") {
return -EPERM;
}
- return authorize_v4(store, s);
+ /* compute first aws4 signature (stick to the boto2 implementation) */
+ int err = authorize_v4(store, s);
+ if ((err==-ERR_SIGNATURE_NO_MATCH) && !store->ctx()->_conf->rgw_s3_auth_aws4_force_boto2_compat) {
+ /* compute second aws4 signature (no bugs supported) */
+ ldout(s->cct, 10) << "computing second aws4 signature..." << dendl;
+ return authorize_v4(store, s, false);
+ }
+ return err;
}
/* AWS2 */
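Review bot: The retry at `return authorize_v4(store, s, false);` runs the whole v4 path a second time on the same `req_state` after the first attempt has failed, and nothing visible here resets what the first call may have written into `s`. The body of authorize_v4 is outside this hunk, so this needs confirming, but if it stores parsed credential or signature fields on `s`, the second pass should start from a clean state or both canonical forms should be checked inside one call. With the option off, every request with a bad signature costs two full verifications and only the second error is returned; logging the first mismatch next to the existing "computing second aws4 signature..." line would let operators see which clients depend on the retry. The flag is read through `store->ctx()->_conf` while the log line uses `s->cct`; `s->cct->_conf->rgw_s3_auth_aws4_force_boto2_compat` would keep the block consistent. The enclosing function starts before this hunk.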
/*
* handle v4 signatures (rados auth only)
*/
-int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
+int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_boto2_compat /* = true */)
{
string::size_type pos;
bool using_qs;
}
}
string token_value = string(t);
- if (using_qs && (token == "host")) {
+ if (force_boto2_compat && using_qs && (token == "host")) {
if (!secure_port.empty()) {
if (secure_port != "443")
token_value = token_value + ":" + secure_port;
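Review bot: The condition `force_boto2_compat && using_qs && (token == "host")` is the only visible place where the new parameter takes effect, yet nothing at this site says which boto2 behaviour it guards. From the lines below it, the flag decides whether the configured secure port, when it is not 443, is appended to the `host` value that goes into the canonical headers for query-string requests. A comment such as `/* boto2 compat: query-string auth signs host with the non-default port appended */` directly above the `if` would make that explicit. Because the host value is part of what the signature covers, the comment should also state that with the flag false the host token is used as received. The enclosing block begins and ends outside this hunk.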
static rgw::LDAPHelper* ldh;
static int authorize_v2(RGWRados *store, struct req_state *s);
- static int authorize_v4(RGWRados *store, struct req_state *s);
+ static int authorize_v4(RGWRados *store, struct req_state *s, bool force_boto2_compat = true);
static int authorize_v4_complete(RGWRados *store, struct req_state *s,
const string& request_payload,
bool unsigned_payload);