[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-3341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13698662#comment-13698662
 ] 

Thomas O'Dowd commented on CLOUDSTACK-3341:
-------------------------------------------

When the pop-up_download_link was generated and shown to me by the browser, the 
CloudStack management server also output the following log line.

INFO  [datastore.driver.S3ImageStoreDriverImpl] (Job-Executor-2:job-9) 
Pre-Signed URL = 
http://wexfordire.s3.amazonaws.com/template%2Ftmpl%2F2%2F201%2F201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058%2Ftinylinux.vhd?Expires=1372834299&AWSAccessKeyId=AKIAJ6AT5MEKDOU6H7GQ&Signature=1rOfSK7YNr5%2FRMZrjAjUBeab7bw%3D

By the time you find this link, it will have expired as the default expiry is 1 
hour, but copying this link to the same browser allowed me to successfully 
download the template.

The difference is that the pre-signed URL is using %2F for '/' and %3D for '=' 
etc., whereas the actual link that the browser ended up sending was using the 
'/' and '=' characters directly, so it becomes a different URL and the signature 
does not match. Hence you cannot download it.

Here are the urls side by side for easier comparison.

http://wexfordire.s3.amazonaws.com/template%2Ftmpl%2F2%2F201%2F201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058%2Ftinylinux.vhd?Expires=1372834299&AWSAccessKeyId=AKIAJ6AT5MEKDOU6H7GQ&Signature=1rOfSK7YNr5%2FRMZrjAjUBeab7bw%3D
VERSUS
http://wexfordire.s3.amazonaws.com/template/tmpl/2/201/201-2-f7d6ac8f-9e69-3bf0-b35f-fa7435c36058/tinylinux.vhd?Expires=1372834299&AWSAccessKeyId=AKIAJ6AT5MEKDOU6H7GQ&Signature=1rOfSK7YNr5/RMZrjAjUBeab7bw=

The url that is pre-signed must be the same url that the browser sends to the 
S3 server.
                
> Object_Store_Refactor - "Download Template" Link gets a 403 from object store.
> ------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3341
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3341
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.2.0
>         Environment: chrome on linux
> devcloud
> Cloudian or Amazon AWS S3 object stores (you'll need an S3 account on either)
>            Reporter: Thomas O'Dowd
>            Priority: Critical
>              Labels: s3
>         Attachments: pop-up_download_link.png
>
>
> 1. Login to a freshly deployed devcloud server.
> 2. Click Infrastructure
> 3. Click secondary Storage
> 4. Remove NFS
> 5. Add new S3 Secondary Storage (without https so the S3 traffic is easy to 
> sniff).
>    (I used AWS with 300,000 timeouts (just to be sure as s3 errors are not 
> shown))
>    (I used a pre-allocated bucket (as is expected)).
> 6. Click on Templates
> 7. Register a new template - I used a copy of the tinylinux.vhd image that 
> comes with devcloud but I uploaded it under a new name - MyTiny.
> 8. use s3cmd or other external tool and wait until the template is in the 
> directory. This can take time as it is uploaded using multipart uploads which 
> are not visible in the bucket until the upload is complete.
> 9. Once available, click again on Templates.
> 10. Hover over the QuickView of the MyTiny template.
> 11. Click "Download Template"
> 12. Confirm you want to download and a pop-up will appear asking you to click 
> a large link.
> 13. Click the large link (this is ugly but less important than the actual 
> issue).
> Expectation:
> 14. The template will be downloaded by your browser.
> Actual:
> 14. An XML error indicating a signature failure and no template downloaded.
> I have replicated this issue on both Amazon S3 and Cloudian S3 Object Stores.
> I will add more details to this issue shortly.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
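
Added example, not part of the original comment or of CloudStack's code: a small model of the AWS signature version 2 query-string scheme (the Expires/AWSAccessKeyId/Signature form seen in the logged URL), showing why a URL whose path was signed with %2F is rejected once it arrives with '/'. The secret, access key, bucket, object key and the helper names are constructed for illustration, and the server model does not check expiry.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

SECRET = b"constructed-secret-key"   # constructed, not a real credential
ACCESS_KEY = "AKIDEXAMPLE"           # constructed placeholder


def sign(bucket, raw_path, expires):
    """SigV2 query-string signature; covers the un-decoded request path."""
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}{raw_path}"
    mac = hmac.new(SECRET, string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign(bucket, key, expires, encode_slash):
    """Signer side. encode_slash=True gives the %2F path form seen in the log."""
    raw_path = "/" + quote(key, safe="" if encode_slash else "/")
    sig = quote(sign(bucket, raw_path, expires), safe="")
    return (f"http://{bucket}.s3.amazonaws.com{raw_path}"
            f"?Expires={expires}&AWSAccessKeyId={ACCESS_KEY}&Signature={sig}")


def server_accepts(url):
    """Object-store side (model): re-sign the path exactly as it was received."""
    parts = urlsplit(url)                      # parts.path stays un-decoded
    bucket = parts.hostname.split(".")[0]
    query = parse_qs(parts.query)              # query values are decoded here
    expected = sign(bucket, parts.path, query["Expires"][0])
    return hmac.compare_digest(expected, query["Signature"][0])


def browser_rewrite(url):
    """Model of the reported behaviour: %2F and %3D are sent as '/' and '='."""
    return url.replace("%2F", "/").replace("%3D", "=")


if __name__ == "__main__":
    key = "template/tmpl/2/201/tinylinux.vhd"  # constructed object key
    logged = presign("example-bucket", key, 1372834299, encode_slash=True)
    print("as signed:    ", server_accepts(logged))
    print("as rewritten: ", server_accepts(browser_rewrite(logged)))
    stable = presign("example-bucket", key, 1372834299, encode_slash=False)
    print("'/' kept, rewritten:", server_accepts(browser_rewrite(stable)))
```

Decoding %2F and %3D inside the Signature value is harmless because the receiver decodes query values anyway; the rejection comes from the path, which is part of the signed string.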