Posted to issues@cloudstack.apache.org by "Thomas O'Dowd (JIRA)" <ji...@apache.org> on 2013/07/03 08:05:25 UTC

[jira] [Commented] (CLOUDSTACK-3341) Object_Store_Refactor - "Download Template" Link gets a 403 from object store.

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698649#comment-13698649 ] 

Thomas O'Dowd commented on CLOUDSTACK-3341:
-------------------------------------------

The following is the S3 request/response that I sniffed. It is generated by my browser (Chrome) when I clicked on the link provided by CloudStack to download the template. Notice that the request gets a 403, which means permission denied, and fails because the signature used in the S3 Query String Authenticated Request does not match the expected signature given the request.


============ Request ==============

GET /template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd?Expires=1372834299&AWSAccessKeyId=AK
IAJ6AT5MEKDOU6H7GQ&Signature=1rOfSK7YNr5/RMZrjAjUBeab7bw= HTTP/1.1.
Host: wexfordire.s3.amazonaws.com.
Connection: keep-alive.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36.
Referer: http://localhost:8080/client/.
Accept-Encoding: gzip,deflate,sdch.
Accept-Language: en-US,en;q=0.8.
.


============ Response ==============

#
T 207.171.163.162:80 -> 10.181.164.198:39716 [AP]
HTTP/1.1 403 Forbidden.
x-amz-request-id: B17BEC2FA6C05B8A.
x-amz-id-2: +M9fdqEvd1adPdHELXgUpn88OkX/tpiKv8d6W/lToIx9MN4ByoWN9vILTW2adXlS.
Content-Type: application/xml.
Transfer-Encoding: chunked.
Date: Wed, 03 Jul 2013 05:59:44 GMT.
Server: AmazonS3.
.
3b3.
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><StringToSignBytes>47 45 54 0a 0a 0a 31 33 37 32 38 33 34 32 39 39 0a 2f 77 65 78 66 6f 72 64 69 72 65 2f 74 65 6d 70 6c 61 74 65 2f 74 6d 70 6c 2f 32 2f 32 30 31 2f 32 30 31 2d 32 2d 66 37 64 36 61 63 38 66 2d 39 65 36 39 2d 33 62 66 30 2d 62 33 35 66 2d 66 61 37 34 33 35 63 33 36 30 35 38 2f 74 69 6e 79 6c 69 6e 75 78 2e 76 68 64</StringToSignBytes><RequestId>B17BEC2FA6C05B8A</RequestId><HostId>+M9fdqEvd1adPdHELXgUpn88OkX/tpiKv8d6W/lToIx9MN4ByoWN9vILTW2adXlS</HostId><SignatureProvided>1rOfSK7YNr5/RMZrjAjUBeab7bw=</SignatureProvided><StringToSign>GET


1372834299
/wexfordire/template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd</StringToSign><AWSAccessKeyId>AKIAJ6AT5MEKDOU6H7GQ</AWSAccessKeyId></Error>.

                
> Object_Store_Refactor - "Download Template" Link gets a 403 from object store.
> ------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3341
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3341
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.2.0
>         Environment: chrome on linux
> devcloud
> Cloudian or Amazon AWS S3 object stores (you'll need an S3 account on either)
>            Reporter: Thomas O'Dowd
>            Priority: Critical
>              Labels: s3
>
> 1. Login to a freshly deployed devcloud server.
> 2. Click Infrastructure
> 3. Click secondary Storage
> 4. Remove NFS
> 5. Add new S3 Secondary Storage (without https so the S3 traffic is easy to sniff).
>    (I used AWS with 300,000 timeouts (just to be sure as s3 errors are not shown))
>    (I used a pre-allocated bucket (as is expected)).
> 6. Click on Templates
> 7. Register a new template - I used a copy of the tinylinux.vhd image that comes with devcloud but I uploaded it under a new name - MyTiny.
> 8. Use s3cmd or other external tool and wait until the template is in the directory. This can take time as it is uploaded using multipart uploads which are not visible in the bucket until the upload is complete.
> 9. Once available, click again on Templates.
> 10. Hover over the QuickView of the MyTiny template.
> 11. Click "Download Template"
> 12. Confirm you want to download and a pop-up will appear asking you to click a large link.
> 13. Click the large link (this is ugly but less important than the actual issue).
> Expectation:
> 14. The template will be downloaded by your browser.
> Actual:
> 14. An XML error indicating a signature failure and no template downloaded.
> I have replicated this issue on both Amazon S3 and Cloudian S3 Object Stores.
> I will add more details to this issue shortly.

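An added example, not part of the original comment or of CloudStack's code: a triage helper for a SignatureDoesNotMatch response to an S3 query-string-authenticated (signature version 2) GET like the one captured above. It rebuilds the string-to-sign from the request, compares it with the StringToSignBytes S3 echoed back, and only then checks the HMAC-SHA1. The secret key is a constructed placeholder (the real one is not on the page), and the helper covers only requests with no x-amz headers or sub-resources, as in this capture.

```python
import base64
import hashlib
import hmac

# Values copied from the captured request and error body in the comment above.
HOST = "wexfordire.s3.amazonaws.com"
PATH = "/template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd"
EXPIRES = 1372834299
PROVIDED = "1rOfSK7YNr5/RMZrjAjUBeab7bw="
SERVER_STS_HEX = (
    "47 45 54 0a 0a 0a 31 33 37 32 38 33 34 32 39 39 0a 2f 77 65 78 66 6f 72 "
    "64 69 72 65 2f 74 65 6d 70 6c 61 74 65 2f 74 6d 70 6c 2f 32 2f 32 30 31 "
    "2f 32 30 31 2d 32 2d 66 37 64 36 61 63 38 66 2d 39 65 36 39 2d 33 62 66 "
    "30 2d 62 33 35 66 2d 66 61 37 34 33 35 63 33 36 30 35 38 2f 74 69 6e 79 "
    "6c 69 6e 75 78 2e 76 68 64")
PLACEHOLDER_SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"  # constructed, not from the page
S3_SUFFIX = ".s3.amazonaws.com"


def string_to_sign(method, host, path, expires, content_md5="", content_type=""):
    """SigV2 query-string auth: verb, Content-MD5, Content-Type, Expires, resource."""
    # Virtual-hosted-style requests carry the bucket in Host; the canonical
    # resource is "/" + bucket + path.
    bucket = host[:-len(S3_SUFFIX)] if host.endswith(S3_SUFFIX) else ""
    resource = ("/" + bucket if bucket else "") + path
    return "\n".join([method, content_md5, content_type, str(expires), resource])


def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, UTF-8(string-to-sign)))."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def diagnose(client_sts, server_sts_hex, secret_key, provided):
    """Say which signing step disagrees with what S3 reported."""
    server_sts = bytes.fromhex(server_sts_hex.replace(" ", "")).decode("utf-8")
    if client_sts != server_sts:
        return "string-to-sign differs"
    if not hmac.compare_digest(sign(secret_key, server_sts), provided):
        return "string-to-sign matches; key or HMAC step differs"
    return "signature valid"


if __name__ == "__main__":
    sts = string_to_sign("GET", HOST, PATH, EXPIRES)
    print(diagnose(sts, SERVER_STS_HEX, PLACEHOLDER_SECRET, PROVIDED))
```

Run with the secret key configured for the secondary storage in place of the placeholder; a result of "string-to-sign differs" points at how the URL was canonicalized, while the second result points at the key or the HMAC/encoding step.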