Bug #71998
multisite: bucket full sync gets stuck at keys containing % due to 403 SignatureDoesNotMatch
% Done:
0%
Source:
Backport:
squid tentacle
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Tags (freeform):
multisite sigv4 backport_processed
Merge Commit:
Fixed In:
v20.3.0-2069-ge13a23c760
Released In:
Upkeep Timestamp:
2025-08-13T14:03:10+00:00
Description
bucket full sync uses RGWListRemoteBucketCR to send a bucket listing request with a query param key-marker as the position to resume listing
the client-side v4 signing logic appears to be calculating a signature based on un-encoded query parameters, but gen_v4_canonical_qs() relies on aws4_uri_recode() which expects them to be url-encoded already. aws4_uri_recode() first calls uri_decode() on the input, which returns an empty string if the input isn't a valid url-encoding (such as normal object names that contain a % character)
when that happens, the client would calculate a signature based on an empty value for key-marker, while the server would handle it correctly
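The mismatch described in this report can be reproduced with a small model. This is an added example, not Ceph's code: `strict_uri_decode`, `recode`, `canonical_qs`, `sign` and `compare` are hypothetical names, the object names, the `max-keys` parameter and the key are constructed, and an HMAC over the canonical query string stands in for the full SigV4 string-to-sign.

```python
import hashlib
import hmac
from urllib.parse import quote

HEX = set("0123456789abcdefABCDEF")

def strict_uri_decode(s):
    """Model of the behaviour described above: any invalid %-escape yields ''."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEX:
                return ""
            out.append(int(pair, 16))
            i += 3
        else:
            out += s[i].encode()
            i += 1
    return out.decode("utf-8", errors="replace")

def uri_encode(s):
    # SigV4 query encoding: everything except A-Z a-z 0-9 - _ . ~ is escaped
    return quote(s, safe="-_.~")

def recode(s):
    # decode-then-encode, the shape the report gives for aws4_uri_recode()
    return uri_encode(strict_uri_decode(s))

def canonical_qs(params):
    # Expects names and values that are ALREADY url-encoded
    pairs = sorted((recode(k), recode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def sign(qs, key=b"constructed-secret"):
    # Stand-in for SigV4: HMAC over the canonical query string only
    return hmac.new(key, qs.encode(), hashlib.sha256).hexdigest()

def compare(marker):
    raw = {"key-marker": marker, "max-keys": "100"}  # constructed listing params
    wire = {uri_encode(k): uri_encode(v) for k, v in raw.items()}
    client = canonical_qs(raw)   # reported bug: un-encoded values are canonicalized
    server = canonical_qs(wire)  # server canonicalizes the encoded request it received
    return client, server, sign(client) == sign(server)

if __name__ == "__main__":
    for marker in ("logs/plain.txt", "logs/100%done.txt"):  # constructed object names
        print(marker, compare(marker))
```

A marker without `%` canonicalizes identically on both sides, which is why the sync only stalls once the listing position reaches such a key.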
Updated by Upkeep Bot 8 months ago
- Merge Commit set to e13a23c760c812d1d95b059568bf3bde599d2078
- Fixed In set to v20.3.0-2069-ge13a23c760
- Upkeep Timestamp set to 2025-08-05T05:02:07+00:00
Updated by Upkeep Bot 7 months ago
- Status changed from Fix Under Review to Pending Backport
- Upkeep Timestamp changed from 2025-08-05T05:02:07+00:00 to 2025-08-13T14:03:10+00:00
Updated by Upkeep Bot 7 months ago
- Copied to Backport #72570: tentacle: multisite: bucket full sync gets stuck at keys containing % due to 403 SignatureDoesNotMatch added
Updated by Upkeep Bot 7 months ago
- Copied to Backport #72571: squid: multisite: bucket full sync gets stuck at keys containing % due to 403 SignatureDoesNotMatch added
Updated by Upkeep Bot 7 months ago
- Tags (freeform) changed from multisite sigv4 to multisite sigv4 backport_processed