Robin H. Johnson edited this page Jun 23, 2015 · 34 revisions

This wiki temporarily holds notes on development of the Ceph RadosGW S3 static website code.

TODO

  • implement errorpage
    • TEST: redirections: HttpRedirectCode, HttpErrorCodeReturnedEquals
    • ErrorDocument:
      • Needs connection to RADOS to fetch page
      • Needs to disable the existing error formatter stuff to send this content
  • Redirect, part 2:
    • per-object redirect from x-amz-website-redirect-location header
    • Per AmazonS3, RoutingRules take precedence over x-amz-website-redirect-location
  • Redirect, part N:
    • HttpRedirectCode in RoutingRules gives a self-contradictory error: "The provided HTTP redirect code (314) is not valid. Valid codes are 3XX except 300."
    • The ONLY codes actually accepted are: 301 302 303 304 305 307 308
    • We should validate that input to match Amazon
    • Ditto for Protocol: only http or https is accepted
  • Tests
    • DONE: Bucket tests with base IndexDoc + ErrorDoc
    • DONE: Redirect_all tests
    • DONE: Redirect rule tests
    • refactoring tests to remove more duplication in setup/teardown, maybe Unittest.Testsuite?
    • Testing against AmazonS3 shows that changing WebsiteConfiguration can take 10+ seconds to propagate
  • Docs
    • Admin
    • User (maybe just say use boto? need to give more hints I think)
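
A sketch of the input validation called for under "Redirect, part N", added here as an example and not taken from the RadosGW code base: it parses a WebsiteConfiguration document and rejects any RoutingRule whose Protocol or HttpRedirectCode is outside the accepted values listed above. The function name, the sample document and the whitespace trimming are assumptions.

```python
import xml.etree.ElementTree as ET

# Accepted values exactly as recorded in the notes (a whitelist, not "3XX except 300").
VALID_REDIRECT_CODES = {"301", "302", "303", "304", "305", "307", "308"}
VALID_PROTOCOLS = {"http", "https"}
NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample input: rule 0 is valid, rules 1 and 2 must be rejected.
SAMPLE = """<WebsiteConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <IndexDocument><Suffix>index.html</Suffix></IndexDocument>
  <RoutingRules>
    <RoutingRule>
      <Condition><KeyPrefixEquals>docs/</KeyPrefixEquals></Condition>
      <Redirect><Protocol>https</Protocol><HttpRedirectCode>301</HttpRedirectCode></Redirect>
    </RoutingRule>
    <RoutingRule>
      <Condition><HttpErrorCodeReturnedEquals>404</HttpErrorCodeReturnedEquals></Condition>
      <Redirect><Protocol>ftp</Protocol><HttpRedirectCode>314</HttpRedirectCode></Redirect>
    </RoutingRule>
    <RoutingRule>
      <Redirect><HttpRedirectCode>300</HttpRedirectCode></Redirect>
    </RoutingRule>
  </RoutingRules>
</WebsiteConfiguration>"""


def validate_routing_rules(xml_text):
    """Return (rule_index, field, value) for every rejected Redirect field."""
    # ElementTree is used for brevity on constructed input; this sketch does
    # not address hardening the parser against hostile XML.
    root = ET.fromstring(xml_text)
    problems = []
    for idx, rule in enumerate(root.findall("s3:RoutingRules/s3:RoutingRule", NS)):
        redirect = rule.find("s3:Redirect", NS)
        if redirect is None:
            continue  # neither of the two fields checked here is present
        for field, allowed in (("Protocol", VALID_PROTOCOLS),
                               ("HttpRedirectCode", VALID_REDIRECT_CODES)):
            value = redirect.findtext("s3:" + field, default=None, namespaces=NS)
            if value is None:
                continue  # both fields are optional in a Redirect
            # Exact string match after trimming whitespace (trimming is an
            # assumption); this rejects "HTTPS", "ftp", "300", "306" and "314".
            if value.strip() not in allowed:
                problems.append((idx, field, value.strip()))
    return problems


if __name__ == "__main__":
    for idx, field, value in validate_routing_rules(SAMPLE):
        print(f"RoutingRule[{idx}]: invalid {field} {value!r}")
```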

FUTURE

  • Update S3 specs to describe the error conditions
    • Having ErrorDoc configured but marked private can give MULTIPLE errors in the HTML output, e.g. 404 NoSuchKey and AccessDenied, with an extra message "An Error Occurred While Attempting to Retrieve a Custom Error Document"
    • RoutingRule.Protocol must be http or https
    • RoutingRule.HttpRedirectCode must be one of: 301, 302, 303, 304, 305, 307, 308
  • redirect computation questions:
    • Q: How should it be handled when multiple redirects get applied in succession?
      • Need to compare with S3
    • Known bugs
  • Amazon's S3website endpoint exposes the existence of buckets
    • Requests for /
      • returns 404 NoSuchBucket for non-authenticated requests to buckets that do not exist;
      • returns 404 NoSuchWebsiteConfiguration for authenticated requests to buckets that do exist, but don't have websiteconf
      • returns 403 AccessDenied for buckets that exist, have websiteconf, but IndexDoc is missing or private
      • This means that you can iterate to discover existing buckets very easily.
      • For the moment, we rather return 403 AccessDenied for ALL of the above cases.
      • Fixing this differently requires a user that can probe ANY buckets for existence, not just their own one.
    • Requests for non-/
      • Need to verify how redirects are handled in this case
  • Finalize RGWRegion design changes for handling different hostnames/endpoints per API
    • Discussed with Yehuda already, need to finalize and formally propose on list
  • CivetWeb only binds to IPv4, docs have an example of port=[::]:80 that doesn't work
  • Implement AWS-signature-V4 http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html

DONE

  • implement errorpage
    • DONE, but untested: redirections: HttpRedirectCode, HttpErrorCodeReturnedEquals
    • DONE framework
  • implement redirect computation
    • DONE pending questions.
    • DONE: Base string matching
    • DONE: Error code matching
  • HTML error pages
    • Only when errorpage is not set, instead of XML errors
  • Wrote Fuzzer testcases for website code
  • Q: Boto seems to fail at handling of complex RoutingRules
  • Q: Should we enforce the same website endpoints?
    • Q: How does real S3 behave for them when website mode is off?
    • Q: what is the actual point of them in real S3
    • Two possible modes:
      • Base decision on (bucket in website mode) && (DNS endpoint used): Don't support ANY authenticated actions or operations OTHER than GET+HEAD on objects (especially no bucket actions) [this is what Amazon does]
      • Base decision on (bucket in website mode) && (no auth headers)
    • A: both implemented now, with selection between them.
  • implement base redirect
  • Existing documents explicitly requested should work
    • Done for public
  • ListBucket needs to be overridden to return the suffix document
  • trace op_get
  • Q: Does real S3 enforce objects must-be-public?

Codebases

References

Documentation notes
