Home
Robin H. Johnson edited this page Jun 23, 2015
This wiki temporarily holds notes on the development of the Ceph RadosGW S3 static website code.
- implement errorpage
- TEST: redirections: HttpRedirectCode, HttpErrorCodeReturnedEquals
- ErrorDocument:
- Needs connection to RADOS to fetch page
- Needs to disable the existing error formatter stuff to send this content
- Redirect, part 2:
- per-object redirect from x-amz-website-redirect-location header
- Per AmazonS3, RoutingRules take precedence over x-amz-website-redirect-location
- Redirect, part N:
- HttpRedirectCode in RoutingRules gives a self-contradictory error of `The provided HTTP redirect code (314) is not valid. Valid codes are 3XX except 300.`
- The ONLY codes actually accepted are: 301 302 303 304 305 307 308
- We should validate that input to match Amazon
- Ditto Protocol is only `http` or `https`
- Tests
- DONE: Bucket tests with base IndexDoc + ErrorDoc
- DONE: Redirect_all tests
- DONE: Redirect rule tests
- refactoring tests to remove more duplication in setup/teardown, maybe Unittest.Testsuite?
- Testing against AmazonS3 shows that changing WebsiteConfiguration can take 10+ seconds to propagate
- Docs
- Admin
- User (maybe just say use boto? need to give more hints I think)
- Update S3 specs to describe the error conditions
- Having ErrorDoc configured, but marked private can give MULTIPLE errors in the HTML output; e.g. `404 NoSuchKey`, `AccessDenied`, with an extra message `An Error Occurred While Attempting to Retrieve a Custom Error Document`
- RoutingRule.Protocol must be `http` or `https`
- RoutingRule.HttpRedirectCode must be one of: 301, 302, 303, 304, 305, 307, 308
- redirect computation questions:
- Q: How should it be handled when multiple redirects get applied in succession?
- Need to compare with S3
- Known bugs
- Path-style mode is losing the bucket:
- Redirect: prefix1 -> prefix2
- GET http://s3-website.DOMAIN/redirect2/prefix1
- Location: http://s3-website.DOMAIN/prefix2
- Should have been /redirect2/prefix2
- AmazonS3 actually breaks on this too! Gives "Code: WebsiteRedirect, Message: Request does not contain a bucket name."
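A sketch of the redirect computation with the HttpRedirectCode/Protocol validation noted above and the bucket kept in the Location for path-style requests. This is an added example, not RGW's code; the `Redirect` and `Request` structs and both function names are hypothetical.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical types for illustration; these are not RGW's own classes.
struct Redirect {
  std::string protocol;        // Protocol; empty keeps the request scheme
  std::string hostname;        // HostName; empty keeps the request host
  std::string key_prefix;      // Condition: KeyPrefixEquals
  std::string replace_prefix;  // ReplaceKeyPrefixWith
  int code;                    // HttpRedirectCode
};

struct Request {
  std::string scheme, host, bucket, key;
  bool path_style;  // true: bucket is the first path segment, not in Host
};

// Accept only the values the notes list as accepted by Amazon.
bool valid_redirect(const Redirect& r) {
  static const std::set<int> codes{301, 302, 303, 304, 305, 307, 308};
  bool proto_ok =
      r.protocol.empty() || r.protocol == "http" || r.protocol == "https";
  return proto_ok && codes.count(r.code) > 0;
}

// Returns the Location value, or "" if the rule is invalid or does not match.
std::string location_for(const Redirect& r, const Request& q) {
  if (!valid_redirect(r)) return "";
  if (q.key.compare(0, r.key_prefix.size(), r.key_prefix) != 0) return "";
  std::string key = r.replace_prefix + q.key.substr(r.key_prefix.size());
  std::string scheme = r.protocol.empty() ? q.scheme : r.protocol;
  std::string host = r.hostname.empty() ? q.host : r.hostname;
  // Path-style requests carry the bucket in the path, so it must be put back
  // when the redirect stays on the request host (assumption: a rule that sets
  // HostName points elsewhere and gets no bucket segment).
  std::string path = "/";
  if (q.path_style && r.hostname.empty()) path += q.bucket + "/";
  return scheme + "://" + host + path + key;
}

int main() {
  // Constructed input matching the path-style case in the notes.
  Redirect rule{"", "", "prefix1", "prefix2", 301};
  Request req{"http", "s3-website.DOMAIN", "redirect2", "prefix1", true};
  std::cout << location_for(rule, req) << "\n";
}
```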
- Amazon's S3website endpoint exposes the existence of buckets
- Requests for /
- returns 404 NoSuchBucket for non-authenticated requests to buckets that do not exist;
- returns 404 NoSuchWebsiteConfiguration for authenticated requests to buckets that do exist, but don't have websiteconf
- returns 403 AccessDenied for buckets that exist, have websiteconf, but IndexDoc is missing or private
- This means that you can iterate to discover existing buckets very easily.
- For the moment, we instead return 403 AccessDenied for ALL of the above cases.
- Fixing this differently requires a user that can probe ANY buckets for existence, not just their own one.
- Requests for non-/
- Need to verify how redirects are handled in this case
- Finalize RGWRegion design changes for handling different hostnames/endpoints per API
- Discussed with Yehuda already, need to finalize and formally propose on list
- CivetWeb only binds to IPv4, docs have an example of `port=[::]:80` that doesn't work
- Implement AWS-signature-V4 http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
- implement errorpage
- DONE, but untested: redirections: HttpRedirectCode, HttpErrorCodeReturnedEquals
- DONE framework
- implement redirect computation
- DONE pending questions.
- DONE: Base string matching
- DONE: Error code matching
- HTML error pages
- Only when errorpage is not set, instead of XML errors
- Wrote Fuzzer testcases for website code
- Q: Boto seems to fail at handling of complex RoutingRules
- A: Boto actually fails to handle complex RoutingRule setups, and leads to weird output from the obo tool, per https://github.com/boto/boto/issues/3108
- A: Fixed Boto https://github.com/boto/boto/pull/3224
- Q: Should we enforce the same website endpoints?
- Q: How does real S3 behave for them when website mode is off?
- Q: what is the actual point of them in real S3
- Two possible modes:
- Base decision on (bucket in website mode) && (DNS endpoint used): Don't support ANY authenticated actions or operations OTHER than GET+HEAD on objects (especially no bucket actions) [this is what Amazon does]
- Base decision on (bucket in website mode) && (no auth headers)
- A: both implemented now, with selection between them.
- implement base redirect
- Existing documents explicitly requested should work
- Done for public
- ListBucket needs to be overridden to return the suffix document
- trace op_get
- Q: Does real S3 enforce objects must-be-public?
- Q: How should we enforce it if so?
- A: http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html
- A: it doesn't enforce it, and happily returns a 403 denied
- http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTwebsite.html
- http://tracker.ceph.com/issues/4097
- http://aws.amazon.com/about-aws/whats-new/2012/12/27/root-domain-support-on-amazon-s3-hosted-websites/
- http://docs.aws.amazon.com/AmazonS3/latest/dev/HowDoIWebsiteConfiguration.html
- https://github.com/s3tools/s3cmd/blob/master/S3/S3.py#L385
- `mod_autoindex`: S3 explicitly does NOT support any functionality to automatically create an index for a bucket in website mode. http://docs.aws.amazon.com/AmazonS3/latest/dev/IndexDocumentSupport.html#IndexDocumentsandFolders