adoroszlai commented on PR #6896: URL: https://github.com/apache/ozone/pull/6896#issuecomment-2210458817
Thanks @ivandika3 for the questions, I also learn by trying to answer them.

In addition to providing access to buckets and keys via the S3 API, S3 Gateway also provides some servlets common to all Ozone components:

- `/conf`: configuration in XML format
- `/logs`: log files
- `/prom`: metrics for Prometheus
- etc.

as well as some static content (homepage and docs).

`RootPageDisplayFilter` is responsible for redirecting `GET /` requests to the homepage, which is at `/static/index.html`, to make it accessible by opening `http://s3g:9878/` in a browser. However, the same root path is also hit by S3 `list-buckets` requests, which should not be redirected. Currently the two kinds of requests are distinguished by checking for the presence of the `Authorization` header, regardless of content.

If Kerberos is enabled, servlets and static content can be accessed by authenticated users only; there are no public paths. We use Hadoop's common `AuthenticationFilter` for protecting these resources. This kind of authentication also involves the `Authorization` header, as seen in the examples.

`AuthorizationFilter` is Ozone's

I don't think there is any regression; the change in `curl` seems to be an improvement. It just invalidates the assumption that `GET /` with any `Authorization` header must be coming from an S3 client. The reason I would like to tweak this assumption is to be able to update the `ozone-runner` docker image, since new OS versions come with newer `curl`.

In #6898 I propose a bigger change that makes `RootPageDisplayFilter` completely unnecessary. But that one may not be accepted for some time. It's also OK to wait with this PR for other reviewers.

----

[RFC 9110](https://www.rfc-editor.org/rfc/rfc9110#section-11.6.2):

> The "Authorization" header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response.

[RFC 4559](https://www.rfc-editor.org/rfc/rfc4559#section-4.2) (`SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows`, which seems to have introduced `Authorization: Negotiate`):

> A client may initiate a connection to the server with an "Authorization" header containing the initial token for the server. This form will bypass the initial 401 error from the server when the client knows that the server will accept the Negotiate HTTP authentication type.

Python's `requests-kerberos` library also supports [preemptive authentication](https://github.com/requests/requests-kerberos#preemptive-authentication).
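As an added illustration (not Ozone's code), the routing decision the comment above attributes to `RootPageDisplayFilter`: first the presence-only rule, which sends a preemptive `Authorization: Negotiate` request from a newer `curl` down the S3 `list-buckets` path, then an assumed scheme-aware rule that only treats S3 signature schemes as S3 traffic. The request headers and tokens are constructed; which check Ozone actually adopts is not stated in the comment.

```python
# Added example, not from the Ozone code base. Shows why "any Authorization
# header means S3 client" breaks once curl sends a preemptive Negotiate token,
# and one assumed alternative that keys on the header's auth scheme instead.
from typing import Mapping, Optional

# Schemes an S3 client puts in Authorization: SigV4 and the legacy SigV2.
S3_AUTH_SCHEMES = frozenset({"AWS4-HMAC-SHA256", "AWS"})


def auth_scheme(headers: Mapping[str, str]) -> Optional[str]:
    """Return the scheme token of the Authorization header, or None if absent/empty."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value or not value.strip():
        return None
    return value.strip().split(None, 1)[0]


def redirect_presence_only(method: str, path: str, headers: Mapping[str, str]) -> bool:
    """Rule described in the PR comment: redirect GET / only if no Authorization header."""
    return method == "GET" and path == "/" and auth_scheme(headers) is None


def redirect_scheme_aware(method: str, path: str, headers: Mapping[str, str]) -> bool:
    """Assumed alternative: only an S3 signature scheme marks an S3 list-buckets call;
    a Negotiate (SPNEGO) token or no header at all is still a browser/curl user."""
    if method != "GET" or path != "/":
        return False
    return auth_scheme(headers) not in S3_AUTH_SCHEMES


# Constructed sample requests (tokens/signatures are placeholders, not real values).
BROWSER = {"Accept": "text/html"}
CURL_NEGOTIATE = {"Authorization": "Negotiate YIIB-constructed-spnego-token"}
S3_SIGV4 = {"Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20240101/us-east-1/"
                             "s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc"}
S3_SIGV2 = {"Authorization": "AWS EXAMPLEKEY:constructedsignature="}


def classify_all(rule) -> dict:
    """Apply a redirect rule to each sample GET / request; True means 'send to homepage'."""
    return {
        "browser": rule("GET", "/", BROWSER),
        "curl_negotiate": rule("GET", "/", CURL_NEGOTIATE),
        "s3_sigv4": rule("GET", "/", S3_SIGV4),
        "s3_sigv2": rule("GET", "/", S3_SIGV2),
    }


if __name__ == "__main__":
    print("presence-only:", classify_all(redirect_presence_only))  # curl_negotiate -> False
    print("scheme-aware: ", classify_all(redirect_scheme_aware))   # curl_negotiate -> True
```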
