[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-3341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698649#comment-13698649
 ] 

Thomas O'Dowd commented on CLOUDSTACK-3341:
-------------------------------------------

The following is the S3 request/response that I sniffed. It is generated by my 
browser (Chrome) when I clicked on the link provided by CloudStack to download 
the template. Notice that the request gets a 403, which means permission denied, and 
fails because the signature used in the S3 Query String Authenticated Request 
does not match the expected signature given the request.


============ Request ==============

GET /template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd?Expires=1372834299&AWSAccessKeyId=AKIAJ6AT5MEKDOU6H7GQ&Signature=1rOfSK7YNr5/RMZrjAjUBeab7bw= HTTP/1.1.
Host: wexfordire.s3.amazonaws.com.
Connection: keep-alive.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36.
Referer: http://localhost:8080/client/.
Accept-Encoding: gzip,deflate,sdch.
Accept-Language: en-US,en;q=0.8.
.


============ Response ==============

#
T 207.171.163.162:80 -> 10.181.164.198:39716 [AP]
HTTP/1.1 403 Forbidden.
x-amz-request-id: B17BEC2FA6C05B8A.
x-amz-id-2: +M9fdqEvd1adPdHELXgUpn88OkX/tpiKv8d6W/lToIx9MN4ByoWN9vILTW2adXlS.
Content-Type: application/xml.
Transfer-Encoding: chunked.
Date: Wed, 03 Jul 2013 05:59:44 GMT.
Server: AmazonS3.
.
3b3.
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we 
calculated does not match the signature you provided. Check your key and 
signing method.</Message><StringToSignBytes>47 45 54 0a 0a 0a 31 33 37 32 38 33 
34 32 39 39 0a 2f 77 65 78 66 6f 72 64 69 72 65 2f 74 65 6d 70 6c 61 74 65 2f 
74 6d 70 6c 2f 32 2f 32 30 31 2f 32 30 31 2d 32 2d 66 37 64 36 61 63 38 66 2d 
39 65 36 39 2d 33 62 66 30 2d 62 33 35 66 2d 66 61 37 34 33 35 63 33 36 30 35 
38 2f 74 69 6e 79 6c 69 6e 75 78 2e 76 68 
64</StringToSignBytes><RequestId>B17BEC2FA6C05B8A</RequestId><HostId>+M9fdqEvd1adPdHELXgUpn88OkX/tpiKv8d6W/lToIx9MN4ByoWN9vILTW2adXlS</HostId><SignatureProvided>1rOfSK7YNr5/RMZrjAjUBeab7bw=</SignatureProvided><StringToSign>GET


1372834299
/wexfordire/template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd</StringToSign><AWSAccessKeyId>AKIAJ6AT5MEKDOU6H7GQ</AWSAccessKeyId></Error>.

                
> Object_Store_Refactor - "Download Template" Link gets a 403 from object store.
> ------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3341
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3341
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.2.0
>         Environment: chrome on linux
> devcloud
> Cloudian or Amazon AWS S3 object stores (you'll need an S3 account on either)
>            Reporter: Thomas O'Dowd
>            Priority: Critical
>              Labels: s3
>
> 1. Login to a freshly deployed devcloud server.
> 2. Click Infrastructure
> 3. Click secondary Storage
> 4. Remove NFS
> 5. Add new S3 Secondary Storage (without https so the S3 traffic is easy to 
> sniff).
>    (I used AWS with 300,000 timeouts (just to be sure as s3 errors are not 
> shown))
>    (I used a pre-allocated bucket (as is expected)).
> 6. Click on Templates
> 7. Register a new template - I used a copy of the tinylinux.vhd image that 
> comes with devcloud but I uploaded it under a new name - MyTiny.
> 8. Use s3cmd or other external tool and wait until the template is in the 
> directory. This can take time as it is uploaded using multipart uploads which 
> are not visible in the bucket until the upload is complete.
> 9. Once available, click again on Templates.
> 10. Hover over the QuickView of the MyTiny template.
> 11. Click "Download Template"
> 12. Confirm you want to download and a pop-up will appear asking you to click 
> a large link.
> 13. Click the large link (this is ugly but less important than the actual 
> issue).
> Expectation:
> 14. The template will be downloaded by your browser.
> Actual:
> 14. An XML error indicating a signature failure and no template downloaded.
> I have replicated this issue on both Amazon S3 and Cloudian S3 Object Stores.
> I will add more details to this issue shortly.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
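
The check that S3 ran on the request above, as an added example (not part of the original message and not CloudStack code). It assumes AWS Signature Version 2 query-string authentication (HMAC-SHA1 over the StringToSign echoed in the 403 body) and a virtual-hosted-style host; `DEMO_SECRET`, `presign` and `verify` are hypothetical names, and the secret is constructed because the real one is not on the page.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote, urlsplit

# Request from the capture above (Host header plus request line).
PAGE_URL = ("http://wexfordire.s3.amazonaws.com/template/tmpl/2/201/"
            "201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd"
            "?Expires=1372834299&AWSAccessKeyId=AKIAJ6AT5MEKDOU6H7GQ"
            "&Signature=1rOfSK7YNr5/RMZrjAjUBeab7bw=")
# First 17 bytes of <StringToSignBytes> in the 403 body above.
STS_PREFIX_HEX = "47 45 54 0a 0a 0a 31 33 37 32 38 33 34 32 39 39 0a"
DEMO_SECRET = "constructed-demo-secret"  # constructed; not a real key

def string_to_sign(method, url):
    """Rebuild the query-auth StringToSign for a virtual-hosted-style URL."""
    u = urlsplit(url)
    bucket = u.hostname.split(".s3.", 1)[0]
    expires = parse_qs(u.query)["Expires"][0]
    # Verb, empty Content-MD5, empty Content-Type, Expires, then /bucket/key.
    return f"{method}\n\n\n{expires}\n/{bucket}{u.path}"

def sign(secret, sts):
    """Base64(HMAC-SHA1(secret, StringToSign))."""
    mac = hmac.new(secret.encode(), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(secret, access_key, bucket, key_path, expires):
    """Client side: build a signed GET URL (hypothetical helper)."""
    base = (f"http://{bucket}.s3.amazonaws.com{key_path}"
            f"?Expires={expires}&AWSAccessKeyId={access_key}")
    sig = quote(sign(secret, string_to_sign("GET", base)), safe="")  # encode + / =
    return f"{base}&Signature={sig}"

def verify(secret, method, url):
    """Server side: recompute the signature and compare in constant time."""
    provided = parse_qs(urlsplit(url).query)["Signature"][0]
    return hmac.compare_digest(provided, sign(secret, string_to_sign(method, url)))

if __name__ == "__main__":
    sts = string_to_sign("GET", PAGE_URL)
    print(sts.encode().startswith(bytes.fromhex(STS_PREFIX_HEX)))
    url = presign(DEMO_SECRET, "AKIDEXAMPLE", "wexfordire", "/template/x.vhd", 1372834299)
    print(verify(DEMO_SECRET, "GET", url))
    print(verify(DEMO_SECRET, "GET", url.replace("x.vhd", "y.vhd")))
```

With the real secret key, `sign()` over the StringToSign that S3 echoed gives the signature S3 expected, which can be compared with SignatureProvided.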
