Hello Tobias,

Thank you so much for the helpful answer. In the meantime I found the 
corresponding ticket (https://tracker.ceph.com/issues/64308).
So the fix will also be included in the upcoming Reef 18.2.5 release, which is 
good news as our computing centre is planning to update to this version as soon 
as it's out.
Best
Markus


> On 26.02.2025 at 08:12, Tobias Urdin - Binero IT <tobias.ur...@binero.com> wrote:
> 
> Hello Markus,
> 
> Try using v17.2.8, which includes this change [1]. Please note that if you want
> to upgrade to Reef (v18.2.x), that same fix [2] is not yet released there; the
> fix is released in Squid v19.x.
> 
> /Tobias
> 
> [1] https://github.com/ceph/ceph/pull/60458
> [2] https://github.com/ceph/ceph/commit/65523c2ba35d4a2f3b3091d5b2ed0e6395e31ffb
> 
>> On 25 Feb 2025, at 16:28, Haarländer, Markus <haarlaen...@mpdl.mpg.de> wrote:
>> 
>> Hi list,
>> 
>> We encountered a problem with presigned URLs for putting objects in 
>> connection with CORS and S3 Object tagging in Ceph v17.2.7.
>> It works fine with v16.2.15 and it works fine if the tagging is disabled.
>> 
>> Here are the steps to reproduce:
>> 
>> 1. Create a CORS rule for a bucket called "my-bucket":
>> {
>>   "CORSRules": [
>>     {
>>       "AllowedOrigins": ["*"],
>>       "AllowedHeaders": ["*"],
>>       "AllowedMethods": ["PUT", "GET"],
>>       "ExposeHeaders": ["ETag", "Accept-Ranges", "Content-Encoding", "Content-Range"]
>>     }
>>   ]
>> }
>> 
>> 
>> 2. Create a presigned URL to upload data to the key "test.txt". A tag called 
>> "test" should be applied to the resulting object.
>> The following presigned URL is returned e.g. by the Java SDK. It 
>> automatically contains the "x-amz-tagging" in the X-Amz-Signed-Headers 
>> parameter.
>> 
>> https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1
>> 
>> 
>> 3. Simulate a preflight OPTIONS request with Origin and 
>> Access-Control-Request-Method headers, as the browser would do when trying 
>> to PUT to the presigned URL
>> 
>> curl --request OPTIONS \
>> 'https://my-bucket.my-s3-server/test.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250225T133859Z&X-Amz-SignedHeaders=host%3Bx-amz-tagging&X-Amz-Credential=36XGCOO29B1THHUWIMU1%2F20250225%2Feu-west3%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=e4bf3a503e21f5808b7db2c7c611d7d641e1c1bcc3cb83c7346f10e59f9b6db1' \
>> --header 'Origin: https://example.org' \
>> --header 'Access-Control-Request-Method: PUT'
>> 
>> The server replies with 403, no CORS headers and the following body:
>> <?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><RequestId>tx000006b5686df4e08cfcd-0067bdc7f3-218e3740-default</RequestId><HostId>218e3740-default-default</HostId></Error>
>> 
>> Expectation: The server should reply with 200 and with CORS headers
>> 
>> 
>> Additional observations:
>> - The exact same workflow works on Ceph v16.2.15, with tagging
>> - It works with Ceph v17.2.7 if we do not use the tagging (then no 
>> x-amz-tagging is returned in the X-Amz-Signed-Headers parameter)
>> - It works with Ceph v17.2.7 for non-CORS environments (then no OPTIONS 
>> request is done, the PUT request itself works with tagging)
>> - It works with Ceph v17.2.7 if we add the "x-amz-tagging" header to the 
>> OPTIONS request. But this does not lead anywhere, as for CORS, every browser 
>> creates the OPTIONS request itself for a preflight request and removes all 
>> custom headers. There's no possibility to change that.
>> 
>> 
>> Any ideas or hints are very welcome. Thank you.
>> Markus
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@ceph.io
>> To unsubscribe send an email to ceph-users-le...@ceph.io
> 
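
Added example, not part of the thread and not Ceph's code: a minimal SigV4 query-string verifier in Python showing why a preflight that lacks a signed header cannot reproduce the presigned signature. The secret key and tag value are constructed, and it assumes the verifier canonicalizes the preflight with the method named in Access-Control-Request-Method, which is consistent with the observation in the report that adding x-amz-tagging to the OPTIONS request succeeds.

```python
import hashlib, hmac
from urllib.parse import quote

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_query_signature(secret, method, host, path, query, headers, signed):
    """SigV4 signature for a presigned (query-string) request, per the AWS spec."""
    # Canonical query: every parameter except X-Amz-Signature, sorted, URI-encoded.
    cq = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                  for k, v in sorted(query.items()) if k != "X-Amz-Signature")
    # Canonical headers: each signed header, read from the request being checked.
    # A signed header the request does not carry contributes an empty value.
    hdrs = {"host": host, **{k.lower(): v.strip() for k, v in headers.items()}}
    ch = "".join(f"{h}:{hdrs.get(h, '')}\n" for h in signed)
    creq = "\n".join([method, quote(path), cq, ch, ";".join(signed),
                      "UNSIGNED-PAYLOAD"])
    date, region, service = query["X-Amz-Credential"].split("/")[1:4]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", query["X-Amz-Date"], scope,
                     hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

SECRET = "constructed-secret-key"  # constructed; the real secret is not on the page
HOST, PATH = "my-bucket.my-s3-server", "/test.txt"
SIGNED = ["host", "x-amz-tagging"]
QUERY = {  # parameters from the presigned URL in the report
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "X-Amz-Date": "20250225T133859Z",
    "X-Amz-SignedHeaders": "host;x-amz-tagging",
    "X-Amz-Credential": "36XGCOO29B1THHUWIMU1/20250225/eu-west3/s3/aws4_request",
    "X-Amz-Expires": "120",
}
TAGGING = "test=1"  # constructed tag value
PREFLIGHT = {"Origin": "https://example.org", "Access-Control-Request-Method": "PUT"}

def verify(request_headers):
    """Recompute the signature from the headers a request carries; compare to the URL's."""
    presigned = sigv4_query_signature(SECRET, "PUT", HOST, PATH, QUERY,
                                      {"x-amz-tagging": TAGGING}, SIGNED)
    seen = sigv4_query_signature(SECRET, "PUT", HOST, PATH, QUERY,
                                 request_headers, SIGNED)
    return hmac.compare_digest(presigned, seen)

if __name__ == "__main__":
    print("browser preflight:", verify(PREFLIGHT))
    print("with x-amz-tagging:", verify({**PREFLIGHT, "x-amz-tagging": TAGGING}))
```

Because the secret is constructed, the signatures computed here do not match the X-Amz-Signature value in the report; only the match or mismatch between the two requests is meaningful.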
