projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bee9aff)
17106: Recommend using full tokens for S3 access.
authorTom Clegg <tom@tomclegg.ca>
Fri, 20 Nov 2020 15:40:30 +0000 (10:40 -0500)
committerTom Clegg <tom@tomclegg.ca>
Fri, 20 Nov 2020 15:40:30 +0000 (10:40 -0500)
Accept munged ("/" => "_") tokens in S3 requests with V2 signatures.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@tomclegg.ca>

doc/api/keep-s3.html.textile.liquid patch | blob | history
services/keep-web/s3.go patch | blob | history

diff --git a/doc/api/keep-s3.html.textile.liquid b/doc/api/keep-s3.html.textile.liquid
index 8fe1ab516f3517b9b696381477ff8ea5768f931f..664dcd317c445a504433e0c8d4bc5ffdd886c6ca 100644 (file)
--- a/doc/api/keep-s3.html.textile.liquid
+++ b/doc/api/keep-s3.html.textile.liquid
@@ -71,4 +71,4 @@ h3. Authorization mechanisms
 Keep-web accepts AWS Signature Version 4 (AWS4-HMAC-SHA256) as well as the older V2 AWS signature.
 
 * If your client uses V4 signatures exclusively, and your Arvados token was issued by the same cluster you are connecting to: use the Arvados token's UUID part as AccessKey, and its secret part as SecretKey. This is preferred, where applicable.
-* If your client uses V2 signatures, or a combination of V2 and V4, or the Arvados token UUID is unknown, or a LoginCluster is in use: use the secret part of the Arvados token for both AccessKey and SecretKey.
+* In all other cases, replace every "/" in your Arvados token with "_", and use the resulting string as both AccessKey and SecretKey.
diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index ef3a16404c30ffba64330de3c2a149cd1aa5c36b..603198684c629b79b044e82632c7f17527075a51 100644 (file)
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -191,6 +191,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
                        return true
                }
                token = split[0]
+               if strings.HasPrefix(token, "v2_") {
+                       // User provided a full Arvados token with "/"
+                       // munged to "_" (see V4 signature validation)
+                       // but client software used S3 V2 signature.
+                       token = strings.Replace(token, "_", "/", -1)
+               }
        } else if strings.HasPrefix(auth, s3SignAlgorithm+" ") {
                t, err := h.checks3signature(r)
                if err != nil {