signature v4 doesn't work with official tools

Bug #1611754 reported by Andrey Pavlov
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Swift3 | New | Undecided | Unassigned |

Bug Description

Request with signature v4 fails.

0) list and create credentials if needed
openstack ec2 credentials list
openstack ec2 credentials create

steps to reproduce 1:

1) set credentials to awscli profile and run it
aws --endpoint-url http://192.168.137.21:8080 --region RegionOne --profile admin s3 ls

A client error (InvalidRequest) occurred when calling the ListBuckets operation: Missing required header for this request: x-amz-content-sha256

steps to reproduce 2:

1) download cirros image
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img

2) download and unzip OFFICIAL tools
wget http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
unzip ec2-ami-tools.zip
export TOOLS_DIR="ec2-ami-tools-1.5.7/bin"

3) source cloud credentials and download certificates
nova x509-get-root-cert
nova x509-create-cert

4) prepare bundle
mkdir images
$TOOLS_DIR/ec2-bundle-image --cert cert.pem --privatekey pk.pem --ec2cert cacert.pem --image cirros-0.3.4-x86_64-disk.img --user 424242424242 --destination images --arch x86_64

5) get s3 url
openstack endpoint list --service s3 --interface public --os-identity-api-version=3 -c URL -f value

6) try to upload bundle and get error
$TOOLS_DIR/ec2-upload-bundle --url http://192.168.137.21:8080 --access-key a8f020880d4f4f2db370383bdcb8ddf1 --secret-key 37387e4e29c54588875610b67c0f6a02 --bucket "tmp.bucket" --manifest images/cirros-0.3.4-x86_64-disk.img.manifest.xml --acl "public-read"

response:
<?xml version='1.0' encoding='UTF-8'?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><RequestId>txdf5c8c2b39584ef08b7ed-0057ab2024</RequestId></Error>Response-Code: 403

logs:
proxy-server: Connecting to Keystone sending this JSON: {"credentials": {"access": "a8f020880d4f4f2db370383bdcb8ddf1", "token": "QVdTNC1ITUFDLVNIQTI1NgoyMDE2MDgxMFQxMjI5MjRaCjIwMTYwODEwL1JlZ2lvbk9uZS9zMy9hd3M0X3JlcXVlc3QKN2YyM2RjOTA0MzdiNTJiYWU2ZGViMGU3ZDNlNmU2YTVmZDljZTNlM2RhNWNmY2Q4OGUyYmM1ZjRhMWQzZmYyZA==", "signature": "17012d67e01903e69d4ea7fc119520286755cf9e1df32d90c58ce2f59f030356"}}
proxy-server: Keystone reply error: status=401 reason=Unauthorized
proxy-server: Received error, exiting middleware with error: 401

7) with additional key '--sigv2' this tool works.

Charles Hsu (charles0126) wrote :

What's your swift3 middleware config? Maybe just a `location` mismatch between server and client?

Andrey Pavlov (apavlov-e) wrote :

I forgot to specify my env: it's the latest devstack.

And I made this for devstack a year ago - https://review.openstack.org/#/c/215325/

So the first scenario has RegionOne in request and RegionOne in config.

For second scenario I don't forget where I specified a region. Next time I'll check it.
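
Added example (not part of the bug report, and not swift3 or Keystone code): the `token` in the proxy-server log above decodes to a SigV4 string-to-sign, so the region in its credential scope and the logged signature can be checked offline against the secret key passed in step 6. The key, token and signature are copied from the report; the function names and the `expected_region` parameter are chosen here for illustration.

```python
import base64
import hashlib
import hmac

# Values copied from the ec2-upload-bundle command and the proxy-server log in this report.
SECRET_KEY = "37387e4e29c54588875610b67c0f6a02"
TOKEN = ("QVdTNC1ITUFDLVNIQTI1NgoyMDE2MDgxMFQxMjI5MjRaCjIwMTYwODEwL1JlZ2lvbk9uZS"
         "9zMy9hd3M0X3JlcXVlc3QKN2YyM2RjOTA0MzdiNTJiYWU2ZGViMGU3ZDNlNmU2YTVmZDljZTNlM2RhNWNmY2Q4OGUyYmM1ZjRhMWQzZmYyZA==")
LOGGED_SIGNATURE = "17012d67e01903e69d4ea7fc119520286755cf9e1df32d90c58ce2f59f030356"


def parse_string_to_sign(token_b64):
    """Decode the token and split the SigV4 string-to-sign into its four lines."""
    text = base64.urlsafe_b64decode(token_b64).decode("utf-8")
    lines = text.split("\n")
    if len(lines) != 4 or lines[0] != "AWS4-HMAC-SHA256":
        raise ValueError("token is not a SigV4 string-to-sign")
    scope = lines[2].split("/")  # date/region/service/aws4_request
    if len(scope) != 4 or scope[3] != "aws4_request":
        raise ValueError("malformed credential scope: %r" % lines[2])
    return {"raw": text, "timestamp": lines[1], "date": scope[0],
            "region": scope[1], "service": scope[2],
            "canonical_request_sha256": lines[3]}


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signature(secret_key, sts):
    """Derive the scoped signing key, then sign the string-to-sign (hex digest)."""
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), sts["date"])
    for part in (sts["region"], sts["service"], "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, sts["raw"].encode("utf-8"), hashlib.sha256).hexdigest()


def check(secret_key, token_b64, client_signature, expected_region):
    """Compare the scope and the client's signature with what the server side expects."""
    sts = parse_string_to_sign(token_b64)
    return {
        "region_matches_config": sts["region"] == expected_region,
        "date_matches_timestamp": sts["timestamp"].startswith(sts["date"]),
        "signature_matches": hmac.compare_digest(
            sigv4_signature(secret_key, sts), client_signature),
    }


if __name__ == "__main__":
    print(parse_string_to_sign(TOKEN))
    print(check(SECRET_KEY, TOKEN, LOGGED_SIGNATURE, "RegionOne"))
```

If `signature_matches` is true, the client signed exactly the string the proxy forwarded with that secret, so the 401 has to come from how the receiving side verifies it. If it is false, the client used a different secret, scope, or canonical request than the proxy reconstructed.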
