New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw: don't return skew time error in pre-signed url #13354
Conversation
Fixes: http://tracker.ceph.com/issues/18828 Signed-off-by: liuchang0812 <liuchang0812@gmail.com>
@yehudasa do you mind taking a look, thanks |
I have tested it in my radosgw env, I generated a pre-signed URL that its expiry is 90000, more than our skew_time(7min). :
I could download this file by this URL as
And, some logs I added for debug:
so, |
Sorry for compiling error, I will fix it soon |
1b7a534
to
dd8b348
Compare
Fixed |
I would like to add some unittest cases. Which files is proper to add unittest? @yehudasa @mattbenjamin |
@liuchang0812 the right place would be in our s3-tests, I think |
@@ -3587,12 +3591,12 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_b | |||
return -EPERM; | |||
|
|||
s->aws4_auth->expires = s->info.args.get("X-Amz-Expires"); | |||
if (s->aws4_auth->expires.size() != 0) { | |||
if (!s->aws4_auth->expires.empty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, prefer this
/* X-Amz-Expires provides the time period, in seconds, for which | ||
the generated presigned URL is valid. The minimum value | ||
you can set is 1, and the maximum is 604800 (seven days) */ | ||
time_t exp = atoll(s->aws4_auth->expires.c_str()); | ||
if ((exp < 1) || (exp > 604800)) { | ||
if ((exp < 1) || (exp > 7*24*60*60)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is harmless, but not sure if it's preferable as the comment above elucidates the magic value, and so does AWS documentation [1]
[1] http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need i reset this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
quibbles aside (log levels?), this looks good to me
teuthology run was clean (only failures were selinux related) |
@mattbenjamin @cbodley is it ok to be merged, please tell me if need do anything. |
@mattbenjamin I have looked at s3-tests, but if we create a test-case in s3-tests, we must sleep more then 15 minutes and then visit the pre-sign url. is it ok? it makes test time too long. |
is there no way to give a custom Date header to boto to fake it? |
@cbodley thanks for your suggestion. I will have a try. |
@liuchang0812 we'd like to merge this, even though the boto changes are pending. could you open a pull request against https://github.com/ceph/s3-tests that uses that fixed branch of boto? |
@cbodley roger that |
@cbodley could I add a git sub-module in s3-tests to use my boto branch? I tried to fix branch in |
@liuchang0812 i don't think we need to deal with the dependency for now. just push the s3tests part, and we can move forward once the boto change gets in |
@cbodley I pushed a PR to s3-tests ceph/s3-tests#155 |
Noting for posterity that http://tracker.ceph.com/issues/18829 claims that this PR fixes it, although the commit message says it fixes only http://tracker.ceph.com/issues/18828 Thus, the jewel backports of http://tracker.ceph.com/issues/18828 and http://tracker.ceph.com/issues/18829 were resolved by cherry-picking just this one commit. Hopefully that is correct. |
Fixes: http://tracker.ceph.com/issues/18828
Signed-off-by: liuchang0812 liuchang0812@gmail.com