  1. Project Quay
  2. PROJQUAY-7491

presigned S3 request computed by Quay using signature-version v2


    • Bug
    • Resolution: Done-Errata
    • Critical
    • quay-v3.12.1
    • Customer Escalated

      From Storage integration and verification QE with NetApp's ONTAP S3 implementation, we see errors like:

      presigned URL request computed using signature-version v2 is not supported by ONTAP-S3 

      The reason is that boto iterates over a map of authentications if none is requested and returns v2 as it's ordered earlier than v4.

      The presigned URLs currently created do not carry any v4-specific query_parameters like:

      • X-Amz-Algorithm
      • X-Amz-Credential
      • X-Amz-Date
      • X-Amz-Expires
      • X-Amz-SignedHeaders
      • X-Amz-Signature

      but do carry the v2 query_parameters 

      • AWSAccessKeyId
      • Signature
      • Expires

      This can be easily seen when setting Quay in `FEATURE_PROXY_STORAGE`.

      To mitigate the issue, we can patch the StorageClasses to accept a configurable signature_version and default to None, which does not change the current behavior for existing and working deployments.
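
A check for which signature version a presigned URL carries, based on the two query parameter lists in the description above. This is an added example, not code from Quay or boto; the function names, host, bucket, key id and signature values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter names as listed in the issue for each signing scheme.
V4_PARAMS = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
             "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature"}
V2_PARAMS = {"AWSAccessKeyId", "Signature", "Expires"}

# Constructed sample URLs: host, bucket, key id and signatures are placeholders.
BASE = "https://s3.example.test/quay-bucket/sha256/ab/abcdef"
V2_URL = BASE + "?AWSAccessKeyId=EXAMPLEKEYID&Signature=c2ln&Expires=1723600000"
V4_URL = (BASE + "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
          "&X-Amz-Credential=EXAMPLEKEYID%2F20240814%2Fus-east-1%2Fs3%2Faws4_request"
          "&X-Amz-Date=20240814T000000Z&X-Amz-Expires=600"
          "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123abcd")


def classify_presigned_url(url):
    """Return (version, missing): version is 'v4', 'v2', 'mixed' or 'unsigned';
    missing lists expected parameters of that version absent from the URL."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    has_v4, has_v2 = names & V4_PARAMS, names & V2_PARAMS
    if has_v4 and has_v2:
        return "mixed", []
    if has_v4:
        return "v4", sorted(V4_PARAMS - names)
    if has_v2:
        return "v2", sorted(V2_PARAMS - names)
    return "unsigned", []


def urls_not_v4(urls):
    """Return the URLs that are not complete v4 presigned URLs."""
    return [u for u in urls if classify_presigned_url(u) != ("v4", [])]


if __name__ == "__main__":
    for u in (V2_URL, V4_URL, BASE):
        print(classify_presigned_url(u), u.split("?")[0])
```

Running it over the URLs a deployment hands out shows whether a configured signature_version actually took effect.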

       

       


            rhn-support-ibazulic Ivan Bazulic
            rhn-support-milang Michaela Lang