Bug #74579

open

rgw-multisite: aws v4 signature broken for forwarded requests with UNSIGNED-PAYLOAD

Added by Shilpa MJ about 2 months ago. Updated 25 days ago.

Status: Pending Backport
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Backport: squid tentacle
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Tags (freeform): backport_processed
Fixed In: v20.3.0-5664-g1633c4b246
Released In:
Upkeep Timestamp: 2026-02-26T14:44:43+00:00

Description

A create bucket request originating from a non-master zone fails with an 'Access Denied' error. This is due to a signature mismatch.

On the primary, the canonical request looks like:

PUT /test-bucket/
rgwx-uid=test&rgwx-zonegroup=25dcfb3b-f19e-4c2c-9a94-f35904c4fa8f
date:Tue Jan 27 06:11:02 2026
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ---> unsigned payload hash
x-amz-date:20260127T061102Z

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ---> unsigned payload hash

On the secondary:

PUT /test-bucket/
rgwx-uid=test&rgwx-zonegroup=25dcfb3b-f19e-4c2c-9a94-f35904c4fa8f
date:Tue Jan 27 06:11:02 2026
x-amz-content-sha256:UNSIGNED-PAYLOAD ---> should have been the unsigned payload hash
x-amz-date:20260127T061102Z

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ---> unsigned payload hash

The canonical header values are different on both sites, causing the client signature and server signature to be different.

This is because when the secondary's AWSSignerV4::prepare() is called while signing the request,
it sets UNSIGNED-PAYLOAD in the canonical headers instead of the hash.
Probably a regression from https://github.com/ceph/ceph/pull/65723.
The secondary zone is overriding the header value with UNSIGNED-PAYLOAD for the canonical headers,
but keeping the actual hash for the payload hash line.
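
The mismatch described in the report can be reproduced outside RGW. The following is an added example, not part of the original report and not Ceph code: the method, path, query string and header values come from the canonical requests above, while the secret key, region, service and signed-headers line are constructed assumptions. It signs both variants with standard SigV4 and includes a check that flags a canonical request whose signed x-amz-content-sha256 header disagrees with its payload hash line.

```python
import hashlib
import hmac

# SHA-256 of an empty body; equals the hash value shown in the report.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def canonical_request(content_sha256_header, payload_hash):
    """Build a SigV4 canonical request from the values shown in the report."""
    headers = {
        "date": "Tue Jan 27 06:11:02 2026",
        "x-amz-content-sha256": content_sha256_header,
        "x-amz-date": "20260127T061102Z",
    }
    # Each canonical header line ends with a newline; names are sorted.
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    return "\n".join([
        "PUT",
        "/test-bucket/",
        "rgwx-uid=test&rgwx-zonegroup=25dcfb3b-f19e-4c2c-9a94-f35904c4fa8f",
        canonical_headers,
        ";".join(sorted(headers)),  # signed-headers line (assumed, not on the page)
        payload_hash,
    ])

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(creq, secret="CONSTRUCTED-SECRET", region="us-east-1", service="s3"):
    """Standard SigV4: derive the signing key, then sign the hashed request."""
    amz_date = "20260127T061102Z"
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def content_sha256_mismatch(creq):
    """True when the signed header value differs from the payload hash line."""
    lines = creq.split("\n")
    header = next(ln.split(":", 1)[1] for ln in lines
                  if ln.startswith("x-amz-content-sha256:"))
    return header != lines[-1]

primary = canonical_request(EMPTY_SHA256, EMPTY_SHA256)
secondary = canonical_request("UNSIGNED-PAYLOAD", EMPTY_SHA256)
```

Because the canonical request is hashed into the string to sign, the single differing header value is enough to produce two unrelated signatures for the same key, which is what surfaces as 'Access Denied'.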


Related issues 2 (2 open, 0 closed)

Copied to rgw - Backport #75193: squid: rgw-multisite: aws v4 signature broken for forwarded requests with UNSIGNED-PAYLOAD (New, Shilpa MJ)
Copied to rgw - Backport #75194: tentacle: rgw-multisite: aws v4 signature broken for forwarded requests with UNSIGNED-PAYLOAD (Fix Under Review, Shilpa MJ)

#1

Updated by Shilpa MJ about 2 months ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 67083
#2

Updated by Casey Bodley about 1 month ago

  • Backport set to squid tentacle
#3

Updated by Casey Bodley 26 days ago

  • Status changed from Fix Under Review to Pending Backport
#4

Updated by Upkeep Bot 26 days ago

  • Merge Commit set to 1633c4b246c0bcefc4395cd7026ad5b6770a3705
  • Fixed In set to v20.3.0-5664-g1633c4b246
  • Upkeep Timestamp set to 2026-02-26T14:44:43+00:00
#5

Updated by Upkeep Bot 25 days ago

  • Copied to Backport #75193: squid: rgw-multisite: aws v4 signature broken for forwarded requests with UNSIGNED-PAYLOAD added
#6

Updated by Upkeep Bot 25 days ago

  • Copied to Backport #75194: tentacle: rgw-multisite: aws v4 signature broken for forwarded requests with UNSIGNED-PAYLOAD added
#7

Updated by Upkeep Bot 25 days ago

  • Tags (freeform) set to backport_processed