[ARVADOS] updated: 2.1.0-111-g199ca290a

Git user git at public.arvados.org
Fri Nov 20 15:42:23 UTC 2020

Summary of changes:
 doc/api/keep-s3.html.textile.liquid | 2 +-
 services/keep-web/s3.go             | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

       via  199ca290ab259ba21f798bb059bb808fe3b609ba (commit)
      from  bee9aff3bd6b69f81a0dd53fa7b4118d0eeeb0a9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

commit 199ca290ab259ba21f798bb059bb808fe3b609ba
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Fri Nov 20 10:40:30 2020 -0500

    17106: Recommend using full tokens for S3 access.
    Accept munged ("/" => "_") tokens in S3 requests with V2 signatures.
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/doc/api/keep-s3.html.textile.liquid b/doc/api/keep-s3.html.textile.liquid
index 8fe1ab516..664dcd317 100644
--- a/doc/api/keep-s3.html.textile.liquid
+++ b/doc/api/keep-s3.html.textile.liquid
@@ -71,4 +71,4 @@ h3. Authorization mechanisms
 Keep-web accepts AWS Signature Version 4 (AWS4-HMAC-SHA256) as well as the older V2 AWS signature.
 * If your client uses V4 signatures exclusively, and your Arvados token was issued by the same cluster you are connecting to: use the Arvados token's UUID part as AccessKey, and its secret part as SecretKey. This is preferred, where applicable.
-* If your client uses V2 signatures, or a combination of V2 and V4, or the Arvados token UUID is unknown, or a LoginCluster is in use: use the secret part of the Arvados token for both AccessKey and SecretKey.
+* In all other cases, replace every "/" in your Arvados token with "_", and use the resulting string as both AccessKey and SecretKey.
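Review bot: The new bullet tells readers to use the munged token as both AccessKey and SecretKey, but does not point out that the AccessKey is sent unsigned in the S3 Authorization header and is commonly written to client and proxy logs, so in this mode the whole credential is exposed wherever the access key ID is. Suggest adding a sentence saying the AccessKey must be treated as a secret here, and that the UUID/secret split in the first bullet avoids this. It would also help to show the expected shape of the result (a string beginning "v2_"), since the server-side change in this commit only recognizes that prefix, and to state whether the previously documented form (secret part for both keys) is still accepted.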
diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index ef3a16404..603198684 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -191,6 +191,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			return true
 		token = split[0]
+		if strings.HasPrefix(token, "v2_") {
+			// User provided a full Arvados token with "/"
+			// munged to "_" (see V4 signature validation)
+			// but client software used S3 V2 signature.
+			token = strings.Replace(token, "_", "/", -1)
+		}
 	} else if strings.HasPrefix(auth, s3SignAlgorithm+" ") {
 		t, err := h.checks3signature(r)
 		if err != nil {
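Review bot: In the added block, strings.Replace(token, "_", "/", -1) converts every "_" in the token, not only the separators that the client munged, so the result is only correct if no part of a real token can ever contain "_". If that invariant holds, say so in the comment; otherwise restore only the separators, for example by splitting with strings.SplitN(token, "_", 3) and rejoining with "/". The comment refers to the V4 signature validation doing the same conversion, so a shared helper would keep the two paths from drifting apart. The change summary lists only the doc file and s3.go, so there is no test covering a V2-signed request with a munged token; one accepted case and one malformed "v2_" case would be worth adding.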


