Hello Markus,

Try using v17.2.8, which includes this change [1]. Please note that if you want to upgrade to Reef (v18.2.x), that same fix [2] is not yet released there; the fix is released in Squid v19.x.

/Tobias

[1] https://github.com/ceph/ceph/pull/60458
[2] https://github.com/ceph/ceph/commit/65523c2ba35d4a2f3b3091d5b2ed0e6395e31ffb

On 25 Feb 2025, at 16:28, Haarländer, Markus <haarlaender@xxxxxxxxxxx> wrote:

Hi list,

We encountered a problem with presigned URLs for putting objects in connection with CORS and S3 Object tagging in Ceph v17.2.7. It works fine with v16.2.15 and it works fine if the tagging is disabled.

Here are the steps to reproduce:

1. Create a CORS rule for a bucket called "my-bucket":

    {
      "CORSRules": [
        {
          "AllowedOrigins": ["*"],
          "AllowedHeaders": ["*"],
          "AllowedMethods": ["PUT", "GET"],
          "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
        }
      ]
    }

2. Create a presigned URL to upload data to the key "test.txt". A tag called "test" should be applied to the resulting object. The following presigned URL is returned e.g. by the Java SDK. It automatically contains the "x-amz-tagging" in the X-Amz-Signed-Headers parameter.

    https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1

3. Simulate a preflight OPTIONS request with Origin and Access-Control-Request-Method headers, as the browser would do when trying to PUT to the presigned URL:

    curl --request OPTIONS 'https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1' \
      --header 'Origin: https://example.org' \
      --header 'Access-Control-Request-Method: PUT'

The server replies with 403, no CORS headers and the following body:

    <?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><RequestId>tx000006b5686df4e08cfcd-0067bdc7f3-218e3740-default</RequestId><HostId>218e3740-default-default</HostId></Error>

Expectation: The server should reply with 200 and with CORS headers.

Additional observations:

- The exact same workflow works on Ceph v16.2.15, with tagging.
- It works with Ceph v17.2.7 if we do not use the tagging (then no x-amz-tagging is returned in the X-Amz-Signed-Headers parameter).
- It works with Ceph v17.2.7 for non-CORS environments (then no OPTIONS request is done, the PUT request itself works with tagging).
- It works with Ceph v17.2.7 if we add the "x-amz-tagging" header to the OPTIONS request. But this does not lead anywhere, as for CORS, every browser creates the OPTIONS request itself for a preflight request and removes all custom headers. There's no possibility to change that.

Any ideas or hints are very welcome.

Thank you.
Markus

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
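
A check for the condition described in this thread, as an added example that is not part of the original messages and is not Ceph code: it lists the signed headers of a SigV4 presigned URL that a browser preflight will not carry, and reports expiry so that a stale URL (the one above is valid for 120 seconds) is not mistaken for this problem. The function name, the set of preflight headers and the sample URL (placeholder credential and signature) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption: headers a browser puts on a CORS preflight on its own (lower-case).
# Any other signed header, such as x-amz-tagging, is absent from the OPTIONS request.
PREFLIGHT_HEADERS = {"host", "origin", "access-control-request-method",
                     "access-control-request-headers"}

# Constructed sample in the shape of the URL from the thread; the credential
# and signature are placeholders, not real values.
SAMPLE_URL = (
    "https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging"
    "&X-Amz-Credential=EXAMPLEKEY%2F20250225%2Feu-west3%2Fs3%2Faws4_request"
    "&X-Amz-Expires=120&X-Amz-Signature=" + "0" * 64
)


def inspect_presigned_url(url, now=None):
    """Report signed headers a preflight will lack, and whether the URL expired."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def param(name):
        values = query.get(name)
        if not values or not values[0]:
            raise ValueError(f"not a SigV4 presigned URL: missing {name}")
        return values[0]  # parse_qs has already percent-decoded it

    signed = [h.strip().lower() for h in param("X-Amz-SignedHeaders").split(";") if h.strip()]
    issued = datetime.strptime(param("X-Amz-Date"), "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_at = issued + timedelta(seconds=int(param("X-Amz-Expires")))
    return {
        "signed_headers": signed,
        "missing_in_preflight": [h for h in signed if h not in PREFLIGHT_HEADERS],
        "expires_at": expires_at,
        "expired": now >= expires_at,
    }


if __name__ == "__main__":
    report = inspect_presigned_url(SAMPLE_URL)
    print("signed headers:      ", report["signed_headers"])
    print("absent on preflight: ", report["missing_in_preflight"])
    print("expired:             ", report["expired"], "at", report["expires_at"].isoformat())
```

A non-empty `missing_in_preflight` list on a URL that has not expired matches the setup reported above for v17.2.7.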