s3 token authentication doesn't support v4 protocol

Bug #1473042 reported by Andrey Pavlov on 2015-07-09
Affects: OpenStack Identity (keystone); Importance: Wishlist; Assigned to: Andrey Pavlov
Affects: keystonemiddleware; Importance: Wishlist; Assigned to: Unassigned

Bug Description

Amazon has several versions of signature for requests.
Now s3_token middleware supports only the first s3 signature version.

It would be good if s3_token middleware supported the v4 version.
http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
http://docs.aws.amazon.com/AmazonS3/latest/API/bucket-policy-s3-sigv4-conditions.html
openstack/nova and stackforge/ec2-api projects don't have authentication, so these projects can use keystone middleware if it has v4 auth.

Also stackforge/swift3 now uses keystone middleware and has a bug https://bugs.launchpad.net/swift3/+bug/1411078

Dolph Mathews (dolph) wrote :

Related to bug 1473039.

Changed in keystonemiddleware:
importance: Undecided → Wishlist
status: New → Triaged
Changed in keystonemiddleware:
assignee: nobody → Andrey Pavlov (apavlov-e)
Changed in keystonemiddleware:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/215481

Changed in keystone:
assignee: nobody → Andrey Pavlov (apavlov-e)
status: New → In Progress
Dolph Mathews (dolph) on 2015-08-21
Changed in keystone:
importance: Undecided → Wishlist

Reviewed: https://review.openstack.org/215481
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f11d396546dfe8fa66143d3aaddf5873268eda9d
Submitter: Jenkins
Branch: master

commit f11d396546dfe8fa66143d3aaddf5873268eda9d
Author: Andrey Pavlov <email address hidden>
Date: Fri Aug 21 09:53:40 2015 +0300

    Add S3 signature v4 checking

    Keystone can check signature v1 for s3,
    but many new tools use the new v4 signature protocol.
    This patchset adds checking of the v4 signature.
    The architecture of the implementation is the same as
    the v1 implementation.

    Change-Id: I14121b4df2cae1407102335671c3f6878d46fc35
    Closes-Bug: #1473042

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/246844
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bce8575c2027fc9f9cd2c2a7ad0cfc286df83c58
Submitter: Jenkins
Branch: master

commit bce8575c2027fc9f9cd2c2a7ad0cfc286df83c58
Author: Andrey Pavlov <email address hidden>
Date: Wed Nov 18 13:08:08 2015 +0300

    Fix string conversion in s3 handler for python 2

    creds_ref['secret'] in the s3/ec2 controller has type unicode,
    and the result type of six.b('AWS4' + secret) is a unicode.
    But the hmac.new decoder can't work with unicode strings - it
    needs the 'str' type in python 2.
    So here a simple change is needed - encode the result string as 'utf-8'.
    We have the same conversion in signature v1 checking.

    Also two comments from the previous review were fixed.

    Change-Id: I80d862956eace35753f00459d49150a62f07101a
    Related-Bug: #1473042
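
The two commit messages above describe the check keystone gained (Signature Version 4 verification) and the byte-encoding fix it then needed. As an added illustration, not keystone's own code, here is a minimal server-side SigV4 check in Python 3 that follows the signing-key derivation in the AWS document linked from the bug description: the secret is prefixed with "AWS4" and encoded to UTF-8 bytes (hmac.new in Python 3 rejects str outright, the same constraint the second commit describes for Python 2), chained through HMAC-SHA256 over date, region, service and "aws4_request", and the resulting key signs the string-to-sign. The secret, date, host and canonical request are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac

# Constructed sample values for this example (not real credentials).
SAMPLE_SECRET = "example-secret-key-not-real"
SAMPLE_AMZ_DATE = "20150821T065340Z"   # x-amz-date; first 8 chars are the date stamp
SAMPLE_REGION = "us-east-1"
SAMPLE_SERVICE = "s3"
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()

# A canonical request for "GET /" in the layout SigV4 defines:
# method, URI, query string, canonical headers, signed headers, payload hash.
SAMPLE_CANONICAL_REQUEST = "\n".join([
    "GET",
    "/",
    "",
    "host:example-bucket.s3.example.test",
    "x-amz-content-sha256:" + EMPTY_PAYLOAD_HASH,
    "x-amz-date:" + SAMPLE_AMZ_DATE,
    "",
    "host;x-amz-content-sha256;x-amz-date",
    EMPTY_PAYLOAD_HASH,
])


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 with a bytes key; the message is encoded to UTF-8 bytes.

    In Python 3 hmac.new raises TypeError on a str key or message, so the
    encode step the commit message talks about is mandatory here.
    """
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive kSigning per the AWS SigV4 signing-key chain."""
    # "AWS4" + secret must be bytes before it is used as an HMAC key.
    k_secret = ("AWS4" + secret).encode("utf-8")
    k_date = _hmac_sha256(k_secret, date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def string_to_sign(amz_date: str, scope: str, canonical_request: str) -> str:
    """Build the SigV4 string-to-sign from the request's canonical form."""
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])


def compute_signature(secret: str, amz_date: str, region: str, service: str,
                      canonical_request: str) -> str:
    """Compute the hex signature the client should have presented."""
    date_stamp = amz_date[:8]
    scope = "/".join([date_stamp, region, service, "aws4_request"])
    sts = string_to_sign(amz_date, scope, canonical_request)
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    return hmac.new(signing_key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signature(secret: str, amz_date: str, region: str, service: str,
                     canonical_request: str, presented_signature: str) -> bool:
    """Server-side check: recompute and compare in constant time."""
    expected = compute_signature(secret, amz_date, region, service, canonical_request)
    # compare_digest on bytes avoids a TypeError if the presented value is not ASCII.
    return hmac.compare_digest(expected.encode("utf-8"), presented_signature.encode("utf-8"))


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_AMZ_DATE, SAMPLE_REGION,
                            SAMPLE_SERVICE, SAMPLE_CANONICAL_REQUEST)
    print("signature:", sig)
    print("verifies:", verify_signature(SAMPLE_SECRET, SAMPLE_AMZ_DATE, SAMPLE_REGION,
                                        SAMPLE_SERVICE, SAMPLE_CANONICAL_REQUEST, sig))
```

The verifier recomputes the signature from the stored secret and the request as it arrived, so any change to the signed headers or the method makes the check fail; the comparison is constant-time so a wrong signature reveals nothing about how many leading bytes matched.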

Changed in keystone:
milestone: none → mitaka-1

This issue was fixed in the openstack/keystone 9.0.0.0b1 development milestone.

Changed in keystone:
status: Fix Committed → Fix Released
Steve Martinelli (stevemar) wrote :

Automatically unassigning due to inactivity.

Changed in keystonemiddleware:
assignee: Andrey Pavlov (apavlov-e) → nobody
status: In Progress → Triaged
Tim Burke (1-tim-z) wrote :

I believe this only required changes in swift3 and keystone; keystonemiddleware just passed everything on to the server. At any rate, if there's more work to be done, it's Swift's problem now; see https://github.com/openstack/swift3/commit/b626a3c and https://github.com/openstack/swift/commit/636b922

Changed in keystonemiddleware:
status: Triaged → Invalid