rgw/auth: a forwarded CreateBucket request in case of multisite has an empty

author Shilpa Jagannath <smanjara@redhat.com>

Tue, 27 Jan 2026 06:53:47 +0000 (01:53 -0500)

committer Matthew N. Heler <matthew.heler@hotmail.com>

Fri, 17 Apr 2026 19:50:41 +0000 (14:50 -0500)
author Shilpa Jagannath <smanjara@redhat.com>
Tue, 27 Jan 2026 06:53:47 +0000 (01:53 -0500)
committer Matthew N. Heler <matthew.heler@hotmail.com>
Fri, 17 Apr 2026 19:50:41 +0000 (14:50 -0500)
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc

index 06ba8a07079b0924c1b8965344f1216d5ceab9d9..c00d439bff4a247d9b9e443194caa2e1e7dbde81 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6244,10 +6244,17 @@ AWSSignerV4::prepare(const DoutPrefixProvider *dpp,
      content_hash = rgw::auth::s3::calc_v4_payload_hash(opt_content->to_str());
      extra_headers["x-amz-content-sha256"] = content_hash;
    } else {
+    // check if the header was already set (e.g. from a forwarded request)
+    const char* existing_hash = info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+    if (existing_hash) {
+      // use existing header value
+      extra_headers["x-amz-content-sha256"] = existing_hash;
+    } else {
      /* Some S3-compatible services require x-amz-content-sha256 header to always
       * be present and included in the signature, even for unsigned payload.
       * AWS S3 specification states that this header is required for all requests. */
      extra_headers["x-amz-content-sha256"] = AWS4_UNSIGNED_PAYLOAD_HASH;
+    }
    }
  
    /* craft canonical headers */
author	Shilpa Jagannath <smanjara@redhat.com>
	Tue, 27 Jan 2026 06:53:47 +0000 (01:53 -0500)
committer	Matthew N. Heler <matthew.heler@hotmail.com>
	Fri, 17 Apr 2026 19:50:41 +0000 (14:50 -0500)