preserve x-amz-content-sha256 if specified in presign_v4 #870
Conversation
|
hey maintainers! It looks like this is some kind of race condition? Or at least the failed RUN is failing because it's reporting a bucket is not empty. Let me know if there is something I can do on my end - my changes to the function should not have led to any functional changes in the code as the default for my parameter is None, and it gets set to exactly what it was before. |
Don't worry about it we need to fix the Windows CI build |
vsoch
force-pushed
the
add/api-presign_v4-content-hash
branch
from
36a6a33
to
dc8070b
Compare
@harshavardhana I noticed that and tried supplying the same content hash via the headers variable, this resulted in the invalid signature still. I haven't looked closely at |
The reason is that the code should look for |
vsoch
force-pushed
the
add/api-presign_v4-content-hash
branch
from
dc8070b
to
8d6f770
Compare
In the case that the user wants to use the minio-py client to generate a presigned url, also in the case that a server is making a request on behalf of a command line client (where the object to be uploaded lives) this means that the command line client will need to send the sha256sum to the server (which is not able to calculate it). In practice I was attempting this workflow (singularity/sregistry PR minio#298) and getting an invalid signature every time. I figured out that the sha256sum was important because it was being sent to the server from the Singularity command line tool, and the trick was getting it into the function preload_v4 so that it would be included in the signature calculation. Once I was able to do this, my pre-signed urls for multipart upload worked like a charm! While I think it would be great for minio-py to have a fully supported function to generate these URLS more easily, in the meantime this small change to allow specifying the content_hash_hex will be useful to users that have similar use case to me Signed-off-by: vsoch <vsochat@stanford.edu>
vsoch
force-pushed
the
add/api-presign_v4-content-hash
branch
from
8d6f770
to
2bfb52c
Compare
|
The one last bit I'd want to ask about is where we can document this? If it's included in this repository I can add it here, otherwise you can point me to where a user would want to find this detail. |
Just add it as a comment, we don't really want to encourage this as most of our users are not aware of AWS S3 behavior and we would like to keep that abstracted. |
|
okay, I'll add a comment to before the loop. One second! |
The update to this function for presign_v4 will allow for the function
to work on behalf of a client call that wants to generate a pre-signed
url for another server, where the other server has sent the sha256sum
to the client generating the URL, and it needs to be added to the signature.
Without exposing this content_hash_hex via the headers{} dictionary,
it will not be included in the signature, and the signature calculated
by the receiving minio server (that does include it) will report
a signature mismatch. This means that if you need to include the sha256sum
in the signature, just add it to the headers dictionary.
Signed-off-by: vsoch <vsochat@stanford.edu>
|
okay I added a comment, and I also added a very detailed commit message so it's present in the git history too (and unexpected source of goodness sometimes!) |
harshavardhana
changed the title
|
ping @vadmeste |
I have the following use case:
The reason for this PR comes down to when Singularity uses the signed URL. I was using the signed url generated by the s3 client, that resulted in a signature mismatch. I next used the same flow that I saw for my working (single) PUT object request (also a signed URL from the Singularity client) that generates a URL and then uses signers.presign_v4. This continually failed. I tried about 1000 things, but the trick was that I needed to give the sha256 sum provided by the Singularity client to be included in the signature generation. Since I wasn't able to specify it for presign_v4, I essentially reproduced the function and used it as a variable. The error disappeared and my chunks sped through my localhost like a chicken with it's butt on fire! 🐔 🔥
So - this small fix will allow for an interested user that wants to use the minio-py client to generate a presigned url in the case that a server is making a request on behalf of a command line client (where the object to be uploaded lives and is not accessible to the server generating the URLs). The command line client sends the sha256sum to the server (which is not able to calculate it). While I think it would be great for minio-py to have a fully supported function to generate these presigned URLS more easily (akin to how you can generate one for a single PUT request), in the meantime this small change to allow specifying the content_hash_hex will be useful to users that have similar use case to me. For future reference, the code I am referring to is singularityhub/sregistry#298.
Signed-off-by: vsoch vsochat@stanford.edu