rgw: don't return skew time error in pre-signed url

[liuchang0812]

Fixes: http://tracker.ceph.com/issues/18828

Signed-off-by: liuchang0812 liuchang0812@gmail.com

[liuchang0812]

@yehudasa do you mind taking a look, thanks

[liuchang0812]

I have tested it in my radosgw env, I generated a pre-signed URL that its expiry is 90000, more than our skew_time(7min). :

http://rgw-test.us-east-1.s3.amazonaws.com:8000/5m.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=9000&X-Amz-SignedHeaders=host&X-Amz-Signature=4abed2f1622cdb5d9528f4392e8315cbb998c5c84aca81b50f60467ed87abd03&X-Amz-Date=20170210T121602Z&X-Amz-Credential=0343ADSQIMU3FIGK4LLT%2F20170210%2Fus-east-1%2Fs3%2Faws4_request`

I could download this file by this URL as

➜  build git:(wip-18828) ✗ wget "http://rgw-test.us-east-1.s3.amazonaws.com:8000/5m.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=9000&X-Amz-SignedHeaders=host&X-Amz-Signature=4abed2f1622cdb5d9528f4392e8315cbb998c5c84aca81b50f60467ed87abd03&X-Amz-Date=20170210T121602Z&X-Amz-Credential=0343ADSQIMU3FIGK4LLT%2F20170210%2Fus-east-1%2Fs3%2Faws4_request" -O 1.txt
--2017-02-10 20:58:31--  http://rgw-test.us-east-1.s3.amazonaws.com:8000/5m.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=9000&X-Amz-SignedHeaders=host&X-Amz-Signature=4abed2f1622cdb5d9528f4392e8315cbb998c5c84aca81b50f60467ed87abd03&X-Amz-Date=20170210T121602Z&X-Amz-Credential=0343ADSQIMU3FIGK4LLT%2F20170210%2Fus-east-1%2Fs3%2Faws4_request
Resolving rgw-test.us-east-1.s3.amazonaws.com (rgw-test.us-east-1.s3.amazonaws.com)... 127.0.0.1
Connecting to rgw-test.us-east-1.s3.amazonaws.com (rgw-test.us-east-1.s3.amazonaws.com)|127.0.0.1|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5242880 (5.0M) [application/octet-stream]
Saving to: ‘1.txt’

1.txt                                              100%[================================================================================================================>]   5.00M  --.-KB/s    in 0.01s   

2017-02-10 20:58:32 (395 MB/s) - ‘1.txt’ saved [5242880/5242880]

And, some logs I added for debug:

2017-02-10 20:58:31.994389 7fb475067700 20 get authorization from request params 
2017-02-10 20:58:31.994536 7fb475067700 20 NOTICE: now = 1486731511, now_req = 1486728962, exp = 9000
2017-02-10 20:58:31.994543 7fb475067700 20 request time is not skew.             

so, 1486731511 - 1486728962 = 42min, 42min > RGW_AUTH_GRACE_MINS(15min). it works.

[liuchang0812]

Sorry for compiling error, I will fix it soon

[liuchang0812]

Fixed

[liuchang0812]

I would like to add some unittest cases. Which files is proper to add unittest? @yehudasa @mattbenjamin

[mattbenjamin]

@liuchang0812 the right place would be in our s3-tests, I think

[mattbenjamin]

yeah, prefer this

[mattbenjamin]

this is harmless, but not sure if it's preferable as the comment above elucidates the magic value, and so does AWS documentation [1]

[1] http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

[liuchang0812]

need i reset this change?

[mattbenjamin]

quibbles aside (log levels?), this looks good to me

[cbodley]

teuthology run was clean (only failures were selinux related)

[liuchang0812]

@mattbenjamin @cbodley is it ok to be merged, please tell me if need do anything.

[liuchang0812]

@mattbenjamin I have looked at s3-tests, but if we create a test-case in s3-tests, we must sleep more then 15 minutes and then visit the pre-sign url. is it ok? it makes test time too long.

[cbodley]

is there no way to give a custom Date header to boto to fake it?

[liuchang0812]

@cbodley thanks for your suggestion. I will have a try.

[liuchang0812]

@cbodley boto/boto#3686

[cbodley]

@liuchang0812 we'd like to merge this, even though the boto changes are pending. could you open a pull request against https://github.com/ceph/s3-tests that uses that fixed branch of boto?

[liuchang0812]

@cbodley roger that

[liuchang0812]

@cbodley could I add a git sub-module in s3-tests to use my boto branch? I tried to fix branch in requirements.txt, but it seems doesn't work.

[cbodley]

@liuchang0812 i don't think we need to deal with the dependency for now. just push the s3tests part, and we can move forward once the boto change gets in

[liuchang0812]

@cbodley I pushed a PR to s3-tests ceph/s3-tests#155

[smithfarm]

Noting for posterity that http://tracker.ceph.com/issues/18829 claims that this PR fixes it, although the commit message says it fixes only http://tracker.ceph.com/issues/18828

Thus, the jewel backports of http://tracker.ceph.com/issues/18828 and http://tracker.ceph.com/issues/18829 were resolved by cherry-picking just this one commit. Hopefully that is correct.