From: Tom Clegg Date: Fri, 20 Nov 2020 15:40:30 +0000 (-0500) Subject: 17106: Recommend using full tokens for S3 access. X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/51251e7473df5f1a9036d36f2d38d9dd1788f9cc 17106: Recommend using full tokens for S3 access. Accept munged ("/" => "_") tokens in S3 requests with V2 signatures. Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/doc/api/keep-s3.html.textile.liquid b/doc/api/keep-s3.html.textile.liquid
index a5a9eeb788..b1d2c740dc 100644
--- a/doc/api/keep-s3.html.textile.liquid
+++ b/doc/api/keep-s3.html.textile.liquid
@@ -75,4 +75,4 @@ h3. Authorization mechanisms
 Keep-web accepts AWS Signature Version 4 (AWS4-HMAC-SHA256) as well as the older V2 AWS signature.
 * If your client uses V4 signatures exclusively, and your Arvados token was issued by the same cluster you are connecting to: use the Arvados token's UUID part as AccessKey, and its secret part as SecretKey. This is preferred, where applicable.
-* If your client uses V2 signatures, or a combination of V2 and V4, or the Arvados token UUID is unknown, or a LoginCluster is in use: use the secret part of the Arvados token for both AccessKey and SecretKey.
+* In all other cases, replace every "/" in your Arvados token with "_", and use the resulting string as both AccessKey and SecretKey.
diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 0170146c09..f85b5592c9 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -191,6 +191,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 return true
 }
 token = split[0]
+ if strings.HasPrefix(token, "v2_") {
+ // User provided a full Arvados token with "/"
+ // munged to "_" (see V4 signature validation)
+ // but client software used S3 V2 signature.
+ token = strings.Replace(token, "_", "/", -1)
+ }
 } else if strings.HasPrefix(auth, s3SignAlgorithm+" ") {
 t, err := h.checks3signature(r)
 if err != nil {
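Review bot: The un-munging at `token = strings.Replace(token, "_", "/", -1)` rewrites every underscore, so it only round-trips if no part of a v2 token (UUID, secret, or any trailing field) can itself contain `_`, and nothing in the hunk establishes that. If the invariant holds, state it in the comment, e.g. `// Token parts never contain "_", so replacing every "_" is lossless.`; otherwise limit the replacement to the separator positions. The comment points at the V4 signature validation as doing the same translation; that code is outside the hunk, but if it does, a small shared helper would keep the two paths from drifting apart. In this branch the whole token, secret included, arrives in the AccessKey position of the Authorization header, which clients and intermediaries commonly log as a non-secret identifier, so the documentation change in this commit would benefit from a sentence saying so. serveS3's body starts and ends outside the hunk.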