Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-7491

presigned S3 request computed by Quay using signature-version v2

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Critical Critical
    • quay-v3.12.1
    • None
    • None
    • False
    • None
    • False
    • Customer Escalated

      From Storage integration and verificatio QE with NetAPP's OnTAP S3 implementation we see Errors like

      presigned URL request computed using signature-version v2 is not supported by ONTAP-S3 

      The reason is that boto iterates over a map of authentications if none is requested and returns v2 as it's ordered earlier than v4.

      The currently presigned URL's created do not carry any v4 specifics query_parameters like:

      • X-Amz-Algorithm
      • X-Amz-Credential
      • X-Amz-Date
      • X-Amz-Expires
      • X-Amz-SignedHeaders
      • X-Amz-Signature

      but do carry the v2 query_parameters 

      • AWSAccessKeyId
      • Signature
      • Expires

      this can be easily seen when setting Quay in `FEATURE_PROXY_STORAGE` 

      To mitigate the issue we can patch the StorageClasses to accept a configurable signature_version and default to None which does not change the current behavior for existing and working deployments.

       

       

              rhn-support-ibazulic Ivan Bazulic
              rhn-support-milang Michaela Lang
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: