Hello all, I'm having problems with AWS4 authentication when using HTTPS (my cluster is running Ceph Jewel 10.2.1 on CentOS 7). I used boto3 to create a presigned_url; here's my example:

    import boto3
    import requests
    from botocore.client import Config

    s3 = boto3.client(service_name='s3', region_name='', use_ssl=False,
                      endpoint_url='https://rgw.x.x',
                      aws_access_key_id='<access_key>',
                      aws_secret_access_key='<secret_key>',
                      config=Config(signature_version='s3v4', region_name=''))
    # Presign a GET for list_buckets, valid for one hour
    url = s3.generate_presigned_url(ClientMethod='list_buckets',
                                    HttpMethod='GET', ExpiresIn=3600)
    rsp = requests.get(url, proxies={'http': '', 'https': ''}, headers={'': ''})

Then I received error 403 SignatureDoesNotMatch. And this is my rgw.log:

    ....
    SERVER_PORT = 0
    SERVER_PORT_SECURE = 443
    HTTP_HOST: rgw.x.x
    format = canonical host headers: rgw.x.x: 0
    ..
    failed to authorize the request
    req 1: 0.007245: s3: GET /: list_buckets: http status = 403
    ..

I've seen this in https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc:

    int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s){
      ..
      string port = s->info.env->get("SERVER_PORT", "");
      string secure_port = s->info.env->get("SERVER_PORT_SECURE", "");
      ...
      if (using_qs && (token == "host")) {
        if (!port.empty() && port != "80") {
          token_value = token_value + ":" + port;
        } else if (!secure_port.empty() && secure_port != "443") {
          token_value = token_value + ":" + secure_port;
        }
      }
      .....

So if SERVER_PORT = 0, then host:rgw.x.x: 0, and it leads to the error SignatureDoesNotMatch? I do not know how to make civetweb in RGW listen on ports 80 and 443s to ignore this error.
_______________________________________________
ceph-users mailing list
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
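
The mismatch described in the post can be reproduced offline. The following is an added example, not part of the original post and not Ceph's code: it recomputes a SigV4 query-string signature once with the host the client signed and once with the host value built by the quoted `authorize_v4` branch. The access key, secret, date and region are constructed sample values, and `rgw_host_token`, `presign_signature` and `server_accepts` are hypothetical helper names.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values (assumptions, not taken from the post)
ACCESS_KEY, SECRET = "EXAMPLEACCESSKEY", "example-secret"
AMZ_DATE, REGION = "20160601T000000Z", "us-east-1"

def rgw_host_token(host, port, secure_port):
    """Host value as built by the quoted authorize_v4 branch (query-string auth)."""
    if port and port != "80":
        return host + ":" + port
    if secure_port and secure_port != "443":
        return host + ":" + secure_port
    return host

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_signature(host_value, expires=3600):
    """SigV4 signature of a presigned GET / that signs only the host header."""
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
              "X-Amz-Date": AMZ_DATE,
              "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    # method, URI, query, canonical headers, blank line, signed headers, payload
    canonical = "\n".join(["GET", "/", query, f"host:{host_value}", "",
                           "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + SECRET).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(host, port, secure_port):
    """True if the server-side recomputation matches what the client signed."""
    client_sig = presign_signature(host)
    server_sig = presign_signature(rgw_host_token(host, port, secure_port))
    return hmac.compare_digest(client_sig, server_sig)

if __name__ == "__main__":
    for port, secure in (("0", "443"), ("", "443"), ("80", "")):
        print(repr(port), repr(secure), rgw_host_token("rgw.x.x", port, secure),
              "match" if server_accepts("rgw.x.x", port, secure) else "mismatch")
```
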
