HDDS-7035. Generate strToSign before applying virtual host style filter. #5123
cc @tanvipenumudy for review
Thanks @SaketaChalamchala for the patch! Minor NIT: Would it be helpful to have a test where virtual-host style addressing is not used to verify if the canonical URI remains unchanged?
Thanks for the review @tanvipenumudy, there are existing tests in TestStringToSignProducer.java#test and TestVirtualHostStyleFilter.java#testPathStyle that cover path style addressing.
Thanks for working on this @SaketaChalamchala. I'm not very familiar with this area of the code or the AWS virtual/path style specs, but I did a pass cross-referencing with the AWS documentation.
@@ -269,4 +271,60 @@ public void testValidateCanonicalHeaders( | |||
|
|||
Assert.assertEquals(expectedResult, actualResult); | |||
} | |||
|
|||
@Test | |||
public void testVirtualStyleAddressURI() throws Exception { |
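Review bot: the new testVirtualStyleAddressURI is placed directly after testValidateCanonicalHeaders, which ends with Assert.assertEquals(expectedResult, actualResult); make the new test's expectation explicit that the string to sign is built from the client's original canonical URI before any bucket prefix is added, and pair it with a path-style test of the same shape so both addressing modes are asserted symmetrically rather than only the virtual-host case.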
Can we rename the other test in this class to testPathStyleAddressURI to clarify the difference?
public static final String ENDPOINT_STYLE_PARAM = "endpoint-style"; | ||
|
||
public static final String ENDPOINT_STYLE_PATH = "path"; | ||
|
||
public static final String ENDPOINT_STYLE_VIRTUAL = "virtual"; |
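Review bot: ENDPOINT_STYLE_PARAM, ENDPOINT_STYLE_PATH and ENDPOINT_STYLE_VIRTUAL are added as public constants with no Javadoc; since "endpoint-style" is not an AWS parameter, document that it is a gateway-internal marker, and because it is carried in the request URI the authorization code should not let a value supplied by the client itself decide which URI the signature is checked against.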
Where did these values come from? I can't find them documented by AWS anywhere, for example at https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html
I added these internally to identify when virtual host style addressing is used.
"/mybucket/myfile?" + S3Consts.ENDPOINT_STYLE_PARAM + "=" + | ||
S3Consts.ENDPOINT_STYLE_VIRTUAL); |
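Review bot: the test URI is built as "/mybucket/myfile?" + S3Consts.ENDPOINT_STYLE_PARAM + "=" + S3Consts.ENDPOINT_STYLE_VIRTUAL, so the internal marker is the only query component; add a case where the client request already carries its own query string (the marker then has to be joined with "&" rather than "?") and assert that the string to sign still uses the client's original query, since the canonical query string is part of what is signed.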
According to examples in s3 docs, no extra query parameters are required. The tests should run the same way.
Thanks for the review @errose28. The extra parameters are added internally in VirtualHostStyleFilter.java so that when we do signature validation later we know to use the original request URI sent by the client and not the URI with the bucket name that is appended in VirtualHostStyleFilter.java.
Also, why did our existing secure S3 acceptance tests not catch this? Since path style is deprecated, I would assume the s3 client we are using in those tests is calling s3 gateway with virtual style. Can you provide an acceptance test that passes only after the fix is applied?
Even though path style is deprecated, most on prem deployments still use it. It is rare to find clients using virtual host style bucket addressing due to the complexity of bucket creation and DNS updates needed.
@errose28 & @kerneltime,
Looks like there are some acceptance test failures. Working on them.
cf23ecc to 96cf320
What changes were proposed in this pull request?
When using Virtual-Host Style addressing with the AWS CLI, the client uses `/` as the canonical URI when generating the S3 request. At the server side, VirtualHostStyleFilter.java extracts the bucket name from the host value and appends it to the URI. This causes the signature validation to fail because the canonical URI used to generate the string to sign is `/bucketname`. But this is also necessary to resource match the request to the correct endpoint.
The proposed change introduces an AuthorizationFilter.java and moves the string to sign generation function from OzoneClientProducer.java to AuthorizationFilter.java. The filter runs before the VirtualHostStyleFilter.java where the URI is changed. A SignatureInfo object stores the String to Sign information.
VirtualHostStyleFilter.java: URIs with keynames were generated as `/bucketnamekeyname` instead of `/bucketname/keyname`.
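The ordering problem described above, reduced to a runnable model. This is an added example written for this page, not Ozone code and not Java; it uses Python with a deliberately simplified string to sign (method, canonical URI, query string and Host header only) to show why checking the signature after the bucket name has been prepended fails for virtual-host requests while path-style requests are unaffected, and why joining bucket and key without a separator yields `/bucketnamekeyname`. The gateway domain, bucket, key and secret are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed demo secret shared by client and gateway; not a real credential.
SECRET = b"constructed-demo-secret"
# Assumed gateway host name; a virtual-host request uses <bucket>.<this>.
GATEWAY_DOMAIN = "s3g.example.internal"


@dataclass(frozen=True)
class Request:
    method: str
    uri: str      # path exactly as the client sent it on the wire
    host: str     # Host header
    query: str = ""


def string_to_sign(req: Request) -> str:
    """Simplified SigV4-style string to sign over method, canonical URI,
    query string and Host. Real SigV4 also covers credential scope, the
    signed-header list and the payload hash; they do not change the point."""
    canonical = "\n".join([req.method, req.uri, req.query, "host:" + req.host])
    return "DEMO-SIGV4\n" + hashlib.sha256(canonical.encode()).hexdigest()


def sign(req: Request) -> str:
    return hmac.new(SECRET, string_to_sign(req).encode(), hashlib.sha256).hexdigest()


def bucket_from_host(host: str) -> Optional[str]:
    """Bucket name from a virtual-host Host header, None for path style."""
    suffix = "." + GATEWAY_DOMAIN
    return host[: -len(suffix)] if host.endswith(suffix) else None


def rewrite_buggy(req: Request) -> Request:
    """Joins bucket and key with no separator: '/mybucket' + 'myfile'."""
    bucket = bucket_from_host(req.host)
    if bucket is None:
        return req
    return replace(req, uri="/" + bucket + req.uri.lstrip("/"))


def rewrite_fixed(req: Request) -> Request:
    """Prepends '/<bucket>' while keeping the '/' in front of the key."""
    bucket = bucket_from_host(req.host)
    if bucket is None:
        return req
    tail = "" if req.uri == "/" else req.uri
    return replace(req, uri="/" + bucket + tail)


def verify_after_rewrite(req: Request, signature: str) -> bool:
    """Old ordering: the URI has already been rewritten for routing when
    the gateway computes its own string to sign."""
    return hmac.compare_digest(sign(rewrite_fixed(req)), signature)


def verify_before_rewrite(req: Request, signature: str) -> Tuple[bool, Request]:
    """New ordering: the string to sign is taken from the original URI and
    only afterwards is the URI rewritten for endpoint matching."""
    ok = hmac.compare_digest(sign(req), signature)
    return ok, rewrite_fixed(req)


def demo() -> dict:
    virtual = Request("GET", "/myfile", "mybucket." + GATEWAY_DOMAIN)
    path_style = Request("GET", "/mybucket/myfile", GATEWAY_DOMAIN)
    ok_new, routed = verify_before_rewrite(virtual, sign(virtual))
    return {
        "virtual_old_order": verify_after_rewrite(virtual, sign(virtual)),
        "virtual_new_order": ok_new,
        "virtual_routed_uri": routed.uri,
        "virtual_buggy_join": rewrite_buggy(virtual).uri,
        "path_old_order": verify_after_rewrite(path_style, sign(path_style)),
        "path_new_order": verify_before_rewrite(path_style, sign(path_style))[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the virtual-host request failing under the old ordering and passing under the new one, the path-style request passing under both, and the buggy join producing `/mybucketmyfile`.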
What is the link to the Apache JIRA?
https://issues.apache.org/jira/browse/HDDS-7035
How was this patch tested?