From: Shilpa Jagannath
Date: Tue, 27 Jan 2026 06:53:47 +0000 (-0500)
Subject: rgw/auth: a forwarded CreateBucket request in case of multisite has an empty
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F67083%2Fhead;p=ceph.git
rgw/auth: a forwarded CreateBucket request in case of multisite has an empty payload hash computed for UNSIGNED-PAYLOAD. use that hash for the header 'x-amz-content-sha256' in AWSSignerV4::prepare()
Signed-off-by: Shilpa Jagannath
---
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 7aef4284ce9..909246c221f 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6341,10 +6341,17 @@ AWSSignerV4::prepare(const DoutPrefixProvider *dpp,
 content_hash = rgw::auth::s3::calc_v4_payload_hash(opt_content->to_str());
 extra_headers["x-amz-content-sha256"] = content_hash;
 } else {
+ // check if the header was already set (e.g. from a forwarded request)
+ const char* existing_hash = info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+ if (existing_hash) {
+ // use existing header value
+ extra_headers["x-amz-content-sha256"] = existing_hash;
+ } else {
 /* Some S3-compatible services require x-amz-content-sha256 header to always
 * be present and included in the signature, even for unsigned payload.
 * AWS S3 specification states that this header is required for all requests. */
 extra_headers["x-amz-content-sha256"] = AWS4_UNSIGNED_PAYLOAD_HASH;
+ }
 }
 /* craft canonical headers */
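Review bot: The added branch copies `HTTP_X_AMZ_CONTENT_SHA256` from `info.env` straight into the signed `x-amz-content-sha256` header, so whatever value the inbound request carried is what this signer attests to on the outbound one, with no check that it is well formed. At minimum reject an empty string, `if (existing_hash && *existing_hash) {`, and consider accepting only a 64-character hex digest or `AWS4_UNSIGNED_PAYLOAD_HASH`, falling through to the existing unsigned-payload default otherwise. As written the reuse appears to apply to every request that reaches this `else` without `opt_content`, not only the forwarded CreateBucket named in the commit message, so the comment should say which callers are expected to hit it. The pre-existing comment and assignment now sit inside the new inner `else` but were not re-indented. `prepare()` starts and ends outside this hunk, so whether `info.env` can be null here is not visible.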