suyashj1231 commented on issue #3842: URL: https://github.com/apache/texera/issues/3842#issuecomment-4772532414
@aicam I picked up this issue and spent some time trying to reproduce the `AccessDenied` from the 10/23 notes on a `single-node` deployment. I haven't hit your exact error yet, but I found two things that matter for the new approach, plus a question that might help pin down your case. Things I could reproduce: 1. The LakeFS S3 gateway at `lakefs:8000` ignores `response-content-disposition`. Presigning a GET through the gateway returns 200 but no `Content-Disposition`, so the filename never gets set. Presigning directly against MinIO does set it (`attachment; filename="Iris.csv"`). So for the "presign-url with filename header" plan on the board, the presign has to go against MinIO, not the gateway. 2. The URL has to be signed against the same endpoint the browser hits. SigV4 signs the `Host` header, so: ``` signed texera-minio:9000, fetched localhost:9000 -> 403 SignatureDoesNotMatch signed localhost:9000, fetched localhost:9000 -> 200, Content-Disposition set ``` On your actual error, though, I don't think I've matched it yet. The two failures I can produce are host mismatch (`SignatureDoesNotMatch`) and an expired URL (`AccessDenied` / "Request has expired"). Yours is `AccessDenied` with a plain "Access Denied." and no Key/BucketName in the body, which fits neither. Do you still have the failing request, specifically the URL the browser actually hit (host/port) and roughly how long after the presign it failed? That'd help me tell whether it's an endpoint mismatch, an expiry/clock thing, or a bucket-policy denial. For the fix itself either way: presign directly against MinIO with `response-content-disposition`, signed with the external pre-signed endpoint. `file-service` only knows the internal `STORAGE_S3_ENDPOINT` today, so it'd need the external one too (same idea as LakeFS's `BLOCKSTORE_S3_PRE_SIGNED_ENDPOINT`). Happy to take a shot at that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
