[
https://issues.apache.org/jira/browse/HDDS-12935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Andika updated HDDS-12935:
-------------------------------
Description:
HDDS-12488 fixes the issue where the AWS checksum trailer data is silently
appended to the final payload. This works for http endpoint which will by
default provide with signed payload (i.e. x-amz-content-sha256 is set to the
payload signature).
When the request is sent against https endpoint, the x-amz-content-sha256 is
set to STREAMING-UNSIGNED-PAYLOAD-TRAILER. HDDS-12488 handled it by using
string "UNSIGNED-PAYLOAD: when building the canonical request
(StringToSignProducer#buildCanonicalRequest) as specified in
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html.
However, this causes the mismatch between the AWS SDK canonical request and the
calculated canonical request which results in signature mismatch and all
PutObject requests for the newer AWS SDK version to fail. The correct behavior
seems to use the "STREAMING-UNSIGNED-PAYLOAD-TRAILER" instead of
"UNSIGNED-PAYLOAD" when building the canonical request.
Ref:
https://github.com/aws/aws-sdk-java-v2/blob/f6adeaa5b24a4c203106d122647537f83a5ecfbc/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAwsS3V4Signer.java#L206
was:
HDDS-12488 fixes the issue where the AWS checksum trailer data is silently
appended to the final payload. This works for http endpoint which will by
default provide with signed payload (i.e. x-amz-content-sha256 is set to the
payload signature).
When the request is sent against https endpoint, the x-amz-content-sha256 is
set to STREAMING-UNSIGNED-PAYLOAD-TRAILER. HDDS-12488 handled it by using
string "UNSIGNED-PAYLOAD: when building the canonical request
(StringToSignProducer#buildCanonicalRequest) as specified in
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html.
However, this causes the mismatch between the AWS SDK canonical request and the
calculated canonical request which results in signature mismatch and all
PutObject requests for the newer AWS SDK version to fail. The correct behavior
seems to use the "STREAMING-UNSIGNED-PAYLOAD-TRAILER" instead of
"UNSIGNED-PAYLOAD" when building the canonical request.
> Fix S3G signature mismatch for STREAMING-UNSIGNED-PAYLOAD-TRAILER
> -----------------------------------------------------------------
>
> Key: HDDS-12935
> URL: https://issues.apache.org/jira/browse/HDDS-12935
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: Ivan Andika
> Assignee: Ivan Andika
> Priority: Major
>
> HDDS-12488 fixes the issue where the AWS checksum trailer data is silently
> appended to the final payload. This works for http endpoint which will by
> default provide with signed payload (i.e. x-amz-content-sha256 is set to the
> payload signature).
> When the request is sent against https endpoint, the x-amz-content-sha256 is
> set to STREAMING-UNSIGNED-PAYLOAD-TRAILER. HDDS-12488 handled it by using
> string "UNSIGNED-PAYLOAD: when building the canonical request
> (StringToSignProducer#buildCanonicalRequest) as specified in
> https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html.
> However, this causes the mismatch between the AWS SDK canonical request and
> the calculated canonical request which results in signature mismatch and all
> PutObject requests for the newer AWS SDK version to fail. The correct
> behavior seems to use the "STREAMING-UNSIGNED-PAYLOAD-TRAILER" instead of
> "UNSIGNED-PAYLOAD" when building the canonical request.
> Ref:
> https://github.com/aws/aws-sdk-java-v2/blob/f6adeaa5b24a4c203106d122647537f83a5ecfbc/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAwsS3V4Signer.java#L206
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
