aicam commented on issue #3842: URL: https://github.com/apache/texera/issues/3842#issuecomment-4773370632
> [@aicam](https://github.com/aicam) I picked up this issue and spent some time trying to reproduce the `AccessDenied` from the 10/23 notes on a `single-node` deployment. I haven't hit your exact error yet, but I found two things that matter for the new approach, plus a question that might help pin down your case.
>
> Things I could reproduce:
>
> 1. The LakeFS S3 gateway at `lakefs:8000` ignores `response-content-disposition`. Presigning a GET through the gateway returns 200 but no `Content-Disposition`, so the filename never gets set. Presigning directly against MinIO does set it (`attachment; filename="Iris.csv"`). So for the "presign-url with filename header" plan on the board, the presign has to go against MinIO, not the gateway.
> 2. The URL has to be signed against the same endpoint the browser hits. SigV4 signs the `Host` header, so:
>
> ```
> signed texera-minio:9000, fetched localhost:9000 -> 403 SignatureDoesNotMatch
> signed localhost:9000, fetched localhost:9000 -> 200, Content-Disposition set
> ```
>
> On your actual error, though, I don't think I've matched it yet. The two failures I can produce are host mismatch (`SignatureDoesNotMatch`) and an expired URL (`AccessDenied` / "Request has expired"). Yours is `AccessDenied` with a plain "Access Denied." and no Key/BucketName in the body, which fits neither. Do you still have the failing request, specifically the URL the browser actually hit (host/port) and roughly how long after the presign it failed? That'd help me tell whether it's an endpoint mismatch, an expiry/clock thing, or a bucket-policy denial.
>
> For the fix itself either way: presign directly against MinIO with `response-content-disposition`, signed with the external pre-signed endpoint. `file-service` only knows the internal `STORAGE_S3_ENDPOINT` today, so it'd need the external one too (same idea as LakeFS's `BLOCKSTORE_S3_PRE_SIGNED_ENDPOINT`). Happy to take a shot at that.

Hi @suyashj1231 and thanks for your help.
The issue happens in different layers. First of all, I would highly recommend using K8s to test because it is the standard production deployment. Also, the problem gets more complicated when a real domain is connected. As you pointed out, LakeFS does not allow specifying a file name and we need to directly call MinIO. However, when we try to get a presigned URL directly from MinIO, we do not get the filename set; the only way is for us to manually add the name, and eventually MinIO refuses it because we modified the headers and the checksum has changed. You can check [this issue](https://github.com/treeverse/lakeFS/issues/9673) we opened on the LakeFS GitHub. I am not sure if we can fix it without any change from the LakeFS or MinIO team, but you are more than welcome to check.
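To make the two mechanisms discussed in this thread concrete, here is a small pure-Python SigV4 query-string presigner with a matching verifier; it is an added illustration, not code from Texera, MinIO or LakeFS, and the bucket, key and credential values are constructed. Because the `Host` header and the entire query string (including `response-content-disposition`) are part of the canonical request, signing for `texera-minio:9000` and fetching via `localhost:9000`, or appending the disposition parameter after signing, both change the signature and are rejected; the parameter has to be inside the signed query from the start.

```python
import hashlib, hmac
from datetime import datetime, timezone
from urllib.parse import quote, urlsplit, parse_qsl

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _canonical_query(params):
    # SigV4 sorts and RFC 3986-encodes every query parameter; all of them are signed.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))

def _signature(secret, host, path, params):
    # Canonical request = method, path, canonical query, the signed Host header, UNSIGNED-PAYLOAD.
    amz_date = params["X-Amz-Date"]
    _, datestamp, region, service, _ = params["X-Amz-Credential"].split("/")
    scope = f"{datestamp}/{region}/{service}/aws4_request"
    creq = "\n".join(["GET", path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, sts.encode(), hashlib.sha256).hexdigest()

def presign_get(host, bucket, key, access_key, secret, filename=None,
                region="us-east-1", expires=3600, now=None):
    """Path-style presigned GET for http://host/bucket/key; `host` is bound into the signature.
    Simplification (assumption): the key contains no characters that need URI encoding."""
    now = now or datetime.now(timezone.utc)
    datestamp = now.strftime("%Y%m%d")
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{datestamp}/{region}/s3/aws4_request",
              "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    if filename:  # must be part of the signed query, not bolted on after signing
        params["response-content-disposition"] = f'attachment; filename="{filename}"'
    path = f"/{bucket}/{key}"
    sig = _signature(secret, host, path, params)
    return f"http://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"

def verify(url, request_host, secret):
    """Server-side check: recompute the signature from the URL and the Host the request arrived on."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    return hmac.compare_digest(presented, _signature(secret, request_host, u.path, params))
```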
