Hello Tobias,
Thank you so much for the helpful answer. In the meantime I found the corresponding ticket (https://tracker.ceph.com/issues/64308). So the fix will also be included in the upcoming Reef 18.2.5 release, which is good news as our computing centre is planning to update to this version as soon as it's out.
Best
Markus
On 26.02.2025 at 08:12, Tobias Urdin - Binero IT <tobias.urdin@xxxxxxxxxx> wrote:
Hello Markus,
Try using v17.2.8, which includes this change [1]. Please note that if you want to upgrade
to Reef (v18.2.x), that same fix [2] is not yet released there; the fix is released in Squid v19.x
/Tobias
On 25 Feb 2025, at 16:28, Haarländer, Markus <haarlaender@xxxxxxxxxxx> wrote:
Hi list,
We encountered a problem with presigned URLs for putting objects in connection with CORS and S3 Object tagging in Ceph v17.2.7.
It works fine with v16.2.15 and it works fine if the tagging is disabled.
Here are the steps to reproduce:
1. Create a CORS rule for a bucket called "my-bucket":
{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedHeaders": ["*"],
      "AllowedMethods": ["PUT", "GET"],
      "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
    }
  ]
}
2. Create a presigned URL to upload data to the key "test.txt". A tag called "test" should be applied to the resulting object.
The following presigned URL is returned e.g. by the Java SDK. It automatically contains "x-amz-tagging" in the X-Amz-SignedHeaders parameter.
https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1
3. Simulate a preflight OPTIONS request with Origin and Access-Control-Request-Method headers, as the browser would do when trying to PUT to the presigned URL:
curl --request OPTIONS 'https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1' \
  --header 'Origin: https://example.org' \
  --header 'Access-Control-Request-Method: PUT'
The server replies with 403, no CORS headers and the following body:
<?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><RequestId>tx000006b5686df4e08cfcd-0067bdc7f3-218e3740-default</RequestId><HostId>218e3740-default-default</HostId></Error>
Expectation: The server should reply with 200 and with CORS headers
Additional observations:
- The exact same workflow works on Ceph v16.2.15, with tagging
- It works with Ceph v17.2.7 if we do not use the tagging (then no x-amz-tagging is returned in the X-Amz-SignedHeaders parameter)
- It works with Ceph v17.2.7 for non-CORS environments (then no OPTIONS request is done, the PUT request itself works with tagging)
- It works with Ceph v17.2.7 if we add the "x-amz-tagging" header to the OPTIONS request. But this does not lead anywhere, as for CORS, every browser creates the OPTIONS request itself for a preflight request and removes all custom headers. There's no possibility to change that.
Any ideas or hints are very welcome. Thank you.
Markus
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
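Added example, not part of the thread and not Ceph RGW code: a plain SigV4 query-signature calculation showing that the value of every header listed in X-Amz-SignedHeaders goes into the signature, so a request without x-amz-tagging cannot reproduce it. The access key, secret and tag value are constructed placeholders, and treating an absent signed header as an empty value is a modelling assumption.

```python
import hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample shaped like the URL in the report; access key, secret and
# tag value are placeholders, and the signature is left off (computed below).
URL = ("https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256"
       "&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging"
       "&X-Amz-Credential=EXAMPLEKEY%2F20250225%2Feu-west3%2Fs3%2Faws4_request"
       "&X-Amz-Expires=120")
SECRET = "constructed-secret"
PUT_HEADERS = {"host": "my-bucket.my-s3-server", "x-amz-tagging": "test=example"}

def enc(s, safe=""):
    return quote(s, safe=safe + "-_.~")

def preflight_gaps(url):
    """Signed headers other than Host: a browser preflight does not carry these."""
    signed = dict(parse_qsl(urlsplit(url).query))["X-Amz-SignedHeaders"]
    return [h for h in signed.split(";") if h != "host"]

def sigv4_query_signature(method, url, headers, secret):
    """SigV4 presigned-URL signature over the signed headers as found in `headers`."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params.pop("X-Amz-Signature", None)
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    names = params["X-Amz-SignedHeaders"].split(";")
    # Modelling assumption: an absent signed header contributes an empty value.
    canon_headers = "".join(f"{n}:{headers.get(n, '').strip()}\n" for n in names)
    canonical = "\n".join([method, enc(parts.path, "/"), query, canon_headers,
                           ";".join(names), "UNSIGNED-PAYLOAD"])
    scope = params["X-Amz-Credential"].split("/")[1:]  # date, region, service, terminator
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], "/".join(scope),
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for item in scope:  # derive the signing key step by step
        key = hmac.new(key, item.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def compare():
    """Return (signature with the tagging header, signature without it)."""
    bare = {"host": PUT_HEADERS["host"]}
    return (sigv4_query_signature("PUT", URL, PUT_HEADERS, SECRET),
            sigv4_query_signature("PUT", URL, bare, SECRET))

if __name__ == "__main__":
    print("signed headers a preflight lacks:", preflight_gaps(URL))
    print("with / without x-amz-tagging:", *compare(), sep="\n  ")
```

Running preflight_gaps over presigned URLs before handing them to browser clients shows which ones sign headers that a preflight will not send.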