Hi list,

We encountered a problem with presigned URLs for putting objects in connection 
with CORS and S3 object tagging in Ceph v17.2.7.
It works fine with v16.2.15, and it works fine if the tagging is disabled.

Here are the steps to reproduce:

1. Create a CORS rule for a bucket called "my-bucket":
{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedHeaders": ["*"],
      "AllowedMethods": ["PUT", "GET"],
      "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
    }
  ]
}


2. Create a presigned URL to upload data to the key "test.txt". A tag called 
"test" should be applied to the resulting object.
The following presigned URL is returned, e.g., by the Java SDK. It automatically 
contains the "x-amz-tagging" in the X-Amz-Signed-Headers parameter.

https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1


3. Simulate a preflight OPTIONS request with Origin and 
Access-Control-Request-Method headers, as the browser would do when trying to 
PUT to the presigned URL:

curl --request OPTIONS \
'https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1' \
--header 'Origin: https://example.org' \
--header 'Access-Control-Request-Method: PUT'

The server replies with 403, no CORS headers and the following body:
<?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><RequestId>tx000006b5686df4e08cfcd-0067bdc7f3-218e3740-default</RequestId><HostId>218e3740-default-default</HostId></Error>

Expectation: The server should reply with 200 and with CORS headers


Additional observations:
- The exact same workflow works on Ceph v16.2.15, with tagging
- It works with Ceph v17.2.7 if we do not use the tagging (then no 
x-amz-tagging is returned in the X-Amz-Signed-Headers parameter)
- It works with Ceph v17.2.7 for non-CORS environments (then no OPTIONS request 
is done, the PUT request itself works with tagging)
- It works with Ceph v17.2.7 if we add the "x-amz-tagging" header to the 
OPTIONS request. But this does not lead anywhere, as for CORS, every browser 
creates the OPTIONS request itself for a preflight request and removes all 
custom headers. There's no possibility to change that.


Any ideas or hints are very welcome. Thank you.
Markus
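
An added illustration, not part of the original message and not Ceph code: a minimal AWS SigV4 query-string signature computation showing why a request that lacks the signed x-amz-tagging header cannot reproduce the presigned signature. The secret key, key id and tag value are constructed, and the verifier is assumed to recompute the signature for the PUT method the URL was issued for.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed values: secret, key id and tag value are made up; host, key,
# date, region and signed-header list mirror the presigned URL in the post.
SECRET = "constructed-secret-key"
HOST, PATH = "my-bucket.my-s3-server", "/test.txt"
DATE, REGION = "20250225T133859Z", "eu-west3"
SCOPE = f"{DATE[:8]}/{REGION}/s3/aws4_request"
QUERY = {
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "X-Amz-Credential": f"CONSTRUCTEDKEYID/{SCOPE}",
    "X-Amz-Date": DATE,
    "X-Amz-Expires": "120",
    "X-Amz-SignedHeaders": "host;x-amz-tagging",
}

def signature(method, headers):
    """SigV4 query signature over the headers listed in X-Amz-SignedHeaders."""
    signed = QUERY["X-Amz-SignedHeaders"].split(";")
    canon_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                           for k, v in sorted(QUERY.items()))
    # Assumption: a signed header missing from the request is modelled as an
    # empty value; either way the canonical request changes.
    canon_headers = "".join(f"{h}:{headers.get(h, '').strip()}\n" for h in signed)
    canon_request = "\n".join([method, PATH, canon_query, canon_headers,
                               ";".join(signed), "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", DATE, SCOPE,
                         hashlib.sha256(canon_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (DATE[:8], REGION, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def verifies(presigned_sig, method, headers):
    """Server-side check: recompute from the received headers and compare."""
    return hmac.compare_digest(presigned_sig, signature(method, headers))

# The URL is signed for a PUT that carries the tag header.
TAGGED = {"host": HOST, "x-amz-tagging": "test=constructed"}
PRESIGNED = signature("PUT", TAGGED)
PREFLIGHT = {"host": HOST}  # browser preflight: no x-amz-tagging header

if __name__ == "__main__":
    print("with x-amz-tagging   :", verifies(PRESIGNED, "PUT", TAGGED))
    print("without x-amz-tagging:", verifies(PRESIGNED, "PUT", PREFLIGHT))
```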
