ceph: fix SignatureDoesNotMatch by using correct secret key when create bucket #11115

Open. Wants to merge 1 commit into base: main.

Conversation

jeanvetorello

Description

This PR fixes an issue in the CephObjectStoreDriverImpl where the AWS S3 client was incorrectly initialized using the access key in place of both the access and secret key. This caused SignatureDoesNotMatch errors during bucket operations such as creation and policy updates when interacting with Ceph RGW using Signature V4.

Fix:
Replaced incorrect usage:

getS3Client(url, bucket.getAccessKey(), bucket.getAccessKey())

Impact:
Without this fix, CloudStack fails to perform S3 operations against Ceph RGW due to invalid signature generation, making the object storage integration unusable from the UI/API.

Steps to reproduce:

1. Configure a Ceph RGW object store in CloudStack.
2. Attempt to create a bucket via the UI or API.
3. Observe SignatureDoesNotMatch errors in management server logs.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity: Minor to moderate; affects integration functionality with Ceph RGW for object storage.
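The failure mode the description names, as an added example that is not part of this PR or of CloudStack: a minimal SigV4 signing routine for a CreateBucket request, run once with the access key in the secret's place (the pre-fix call) and once with the real secret, with the RGW side recomputing and comparing. Credentials, host, region and timestamp are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder credentials (not real keys); region and host are assumptions.
ACCESS_KEY = "EXAMPLEACCESSKEY0001"
SECRET_KEY = "exampleSecretKey/constructed/forDemo0001"
REGION, SERVICE, HOST = "default", "s3", "rgw.example.invalid"


def sigv4_signing_key(secret, date_stamp):
    """Derive the SigV4 signing key: HMAC chain "AWS4"+secret -> date -> region -> service -> aws4_request."""
    k = hmac.new(("AWS4" + secret).encode(), date_stamp.encode(), hashlib.sha256).digest()
    for part in (REGION, SERVICE, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def sign_create_bucket(secret, bucket, amz_date):
    """Signature for a minimal CreateBucket (PUT /<bucket>, empty body, host + x-amz-date signed)."""
    date_stamp = amz_date[:8]
    canonical_request = "\n".join([
        "PUT", f"/{bucket}", "",                       # method, URI, empty query string
        f"host:{HOST}\nx-amz-date:{amz_date}\n",       # canonical headers (trailing newline per spec)
        "host;x-amz-date",                             # signed headers
        hashlib.sha256(b"").hexdigest(),               # hash of the empty payload
    ])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(sigv4_signing_key(secret, date_stamp), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def rgw_accepts(client_secret, bucket, amz_date):
    """Server side: recompute with the secret stored for ACCESS_KEY and compare in constant time.
    False is what the client sees as SignatureDoesNotMatch."""
    expected = sign_create_bucket(SECRET_KEY, bucket, amz_date)
    presented = sign_create_bucket(client_secret, bucket, amz_date)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    when = "20250702T063800Z"  # constructed timestamp
    # Pre-fix call getS3Client(url, accessKey, accessKey): the SDK signs with the access key as the secret.
    print("buggy client accepted:", rgw_accepts(ACCESS_KEY, "test-bucket", when))   # False
    # Fixed call getS3Client(url, accessKey, secretKey): the signatures match.
    print("fixed client accepted:", rgw_accepts(SECRET_KEY, "test-bucket", when))   # True
```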

Ensure bucket.getSecretKey() is used when building the S3 client.
Previously, only getAccessKey() was passed for both key and secret,
causing V4 signature validation failures during operations such as
bucket creation and policy updates.

boring-cyborg bot commented Jul 1, 2025

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about anything, please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
Here are some useful points:

DaanHoogland (Contributor) left a comment

clgtm

@DaanHoogland DaanHoogland requested review from wido and Copilot July 2, 2025 06:38
@DaanHoogland DaanHoogland added this to the 4.21.0 milestone Jul 2, 2025

@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes SignatureDoesNotMatch errors by ensuring the AWS S3 client is initialized with the correct secret key in CephObjectStoreDriverImpl.

  • Replaced the second credential parameter in getS3Client calls from bucket.getAccessKey() to bucket.getSecretKey().
  • Applied this correction across policy, versioning, and encryption bucket operations.
Comments suppressed due to low confidence (1)

plugins/storage/object/ceph/src/main/java/org/apache/cloudstack/storage/datastore/driver/CephObjectStoreDriverImpl.java:196

  • Add unit or integration tests to confirm that getS3Client is invoked with the correct secretKey parameter, ensuring Signature V4 operations succeed against Ceph RGW.
        AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getSecretKey());

Comment on lines +196 to +208
AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getSecretKey());
client.setBucketPolicy(new SetBucketPolicyRequest(bucket.getName(), policyConfig));
}

@Override
public BucketPolicy getBucketPolicy(BucketTO bucket, long storeId) {
AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getAccessKey());
AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getSecretKey());
return client.getBucketPolicy(new GetBucketPolicyRequest(bucket.getName()));
}

@Override
public void deleteBucketPolicy(BucketTO bucket, long storeId) {
AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getAccessKey());
AmazonS3 client = getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getSecretKey());
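Review bot: The same one-line correction is repeated in setBucketPolicy, getBucketPolicy and deleteBucketPolicy (and, per the summary, in the versioning and encryption methods), and each call site still passes two positional String arguments of the same type, which is exactly what let the original access-key/access-key swap go unnoticed. Consider routing every call through one private helper that takes the BucketTO and the store id, e.g. `getS3Client(storeId, bucket)` that internally does `getS3Client(getStoreURL(storeId), bucket.getAccessKey(), bucket.getSecretKey())`, so the argument order is fixed in one place. Also, Codecov reports 0% patch coverage for these five lines; a unit test asserting that getS3Client receives bucket.getSecretKey() as the third argument would keep this regression from returning.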
Copilot AI Jul 2, 2025

[nitpick] Consider extracting the repeated getS3Client initialization into a private helper method to reduce duplication and improve readability across bucket operations.

DaanHoogland (Contributor)

@jeanvetorello, if you want this fix on an LTS version, rebase it on one of the older release branches, please.

codecov bot commented Jul 2, 2025

Codecov Report

Attention: Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.

Project coverage is 16.57%. Comparing base (16c60c7) to head (a334e85).

File with missing lines: ...ge/datastore/driver/CephObjectStoreDriverImpl.java (patch coverage 0.00%, 5 lines missing ⚠️)
Additional details and impacted files
@@            Coverage Diff            @@
##               main   #11115   +/-   ##
=========================================
  Coverage     16.57%   16.57%           
  Complexity    13968    13968           
=========================================
  Files          5743     5743           
  Lines        510494   510494           
  Branches      62075    62075           
=========================================
+ Hits          84617    84622    +5     
+ Misses       416415   416409    -6     
- Partials       9462     9463    +1     
Flag coverage Δ:
  • uitests: 3.90% <ø> (ø)
  • unittests: 17.47% <0.00%> (+<0.01%) ⬆️

wido (Contributor) left a comment

CLGTM
