Hello all,
I'm having problems with AWS4 authentication when using HTTPS (my cluster is running Ceph Jewel 10.2.1 on CentOS 7). I used boto3 to create a presigned URL; here's my example:
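    import boto3
    import requests
    from botocore.client import Config

    s3 = boto3.client(service_name='s3', region_name='', use_ssl=False, endpoint_url='https://rgw.x.x',
                      aws_access_key_id=<access_key>,
                      aws_secret_access_key=<secret_key>,
                      config=Config(signature_version='s3v4', region_name='')
                      )
    # ClientMethod reconstructed from the rgw.log below (GET / -> list_buckets)
    url = s3.generate_presigned_url(ClientMethod='list_buckets', HttpMethod='GET', ExpiresIn=3600)
    rsp = requests.get(url, proxies={'http': '', 'https': ''}, headers={'': ''})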
Then I received a 403 SignatureDoesNotMatch error. This is my rgw.log:
....
SERVER_PORT = 0
SERVER_PORT_SECURE = 443
HTTP_HOST: rgw.x.x
format = canonical host headers: rgw.x.x: 0
..
failed to authorize the request
req 1: 0.007245: s3: GET /: list_buckets: http status = 403
..
I've seen this in https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc:
    int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s){
      ..
      string port = s->info.env->get("SERVER_PORT", "");
      string secure_port = s->info.env->get("SERVER_PORT_SECURE", "");
      ...
      if (using_qs && (token == "host")) {
        if (!port.empty() && port != "80") {
          token_value = token_value + ":" + port;
        } else if (!secure_port.empty() && secure_port != "443") {
          token_value = token_value + ":" + secure_port;
        }
      }
      .....
So if SERVER_PORT = 0, then host:rgw.x.x: 0, and that leads to the SignatureDoesNotMatch error?
I do not know how to make civetweb in RGW listen on ports 80, 443s to ignore this error.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
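The mismatch asked about above can be reproduced offline. This is an added example, not part of the original post and not Ceph's code: `rgw_host_token` models the host handling in the quoted `authorize_v4` excerpt, and the SigV4 presign calculation is done with the standard library. The keys, region and date are constructed sample values, and `host` is assumed to be the only signed header.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; none of these come from the original post.
ACCESS, SECRET = "EXAMPLEACCESSKEY", "example-secret-key"
REGION, AMZ_DATE, EXPIRES = "us-east-1", "20160601T000000Z", "3600"
SCOPE = f"{AMZ_DATE[:8]}/{REGION}/s3/aws4_request"

def rgw_host_token(host, server_port, secure_port):
    """Model of the host rewrite in the quoted authorize_v4 excerpt (query-string auth)."""
    if server_port and server_port != "80":
        return host + ":" + server_port
    if secure_port and secure_port != "443":
        return host + ":" + secure_port
    return host

def canonical_query():
    """Canonical query string of the presigned URL, without X-Amz-Signature."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS}/{SCOPE}",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": EXPIRES,
        "X-Amz-SignedHeaders": "host",
    }
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))

def signature(host):
    """SigV4 signature of a presigned GET / for the given canonical host value."""
    canonical = "\n".join(["GET", "/", canonical_query(),
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, SCOPE,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (AMZ_DATE[:8], REGION, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(host, server_port, secure_port):
    """Client signs the bare Host header; server re-signs its rewritten host token."""
    server_host = rgw_host_token(host, server_port, secure_port)
    return hmac.compare_digest(signature(host), signature(server_host))

if __name__ == "__main__":
    print(rgw_host_token("rgw.x.x", "0", "443"))   # env values from the rgw.log above
    print(server_accepts("rgw.x.x", "0", "443"))   # SERVER_PORT = 0
    print(server_accepts("rgw.x.x", "", "443"))    # SERVER_PORT empty
```

With the environment values from the log, the server-side canonical host gains a `:0` suffix that the client never signed, so the two signatures differ; with an empty `SERVER_PORT` and `SERVER_PORT_SECURE = 443` they match.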