Bug 1290547
Summary: | Heat cfn-push-stats failed with '403 SignatureDoesNotMatch' | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Nathan Kinder <nkinder> |
Component: | python-keystoneclient | Assignee: | Adam Young <ayoung> |
Status: | CLOSED ERRATA | QA Contact: | Rodrigo Duarte <rduartes> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 5.0 (RHEL 6) | CC: | anande, augol, ayoung, jjoyce, jruzicka, jschluet, kbasil, mlopes, nbarcet, nkinder, nlevinki, sclewis, srevivo |
Target Milestone: | async | Keywords: | ZStream |
Target Release: | 5.0 (RHEL 6) | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-keystoneclient-0.9.0-7.el6ost | Doc Type: | Bug Fix |
Doc Text: |
Previously, calculations of AWS Signature Version 4 would not be properly formatted for POST as there was a logic mismatch between boto and keystoneclient. This was because keystoneclient had its own EC2 v4 signature implementation. Consequently, EC2 v4 signature calculations would fail. With this update, CanonicalQueryString is set to an empty string when using POST and calculating AWS Signature Version 4 (this follows the implementation used by the AWS and boto clients). As a result, EC2 Signature Validation now succeeds.
|
Story Points: | --- |
Clone Of: | 1142090 | Environment: | |
Last Closed: | 2017-01-19 13:33:26 UTC | Type: | Bug |
Bug Depends On: | 1142090 | ||
Bug Blocks: |
Comment 2
Mike McCune
2016-03-28 22:18:06 UTC
verified for python-keystoneclient-0.9.0-8.el6ost.noarch:

- As noted by Jason, the backport has landed and, according to the customer that patched the environment, it is working for them.

Below is a general check of the ec2 signature method (the one affected):

- Implemented a script to generate a signature:

    ...
    credentials = {'host': 'iam.amazonaws.com',
                   'verb': 'POST',
                   'path': '/',
                   'params': params,
                   'headers': headers,
                   'body_hash': body_hash}
    signature = signer.generate(credentials)
    print '========= SIGNATURE ========='
    print signature

- The signature is equal to what is expected (ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c):

    ========= SIGNATURE =========
    ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c

- Changed the method to 'GET' so the params are included in the signature:

    ========= SIGNATURE =========
    3aebad39d75a1302a190a5a5bb0232803f4ded7b70c5e56de55f14f4641d9ad0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0166.html
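The Doc Text in this report describes a client that signs POST requests with an empty CanonicalQueryString and a verifier that did not. The sketch below is an added example, not part of the bug report and not keystoneclient's or boto's code: a minimal Signature Version 4 calculation with a switch for that behaviour. The function names, the `empty_query_on_post` flag, the two signed headers and the sample request are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_query(params):
    # Sorted, RFC 3986-encoded key=value pairs joined with '&'.
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))

def sign_v4(secret, verb, host, path, params, body_hash, amz_date,
            region="us-east-1", service="ec2", empty_query_on_post=True):
    """Hex SigV4 signature over the host and x-amz-date headers.
    empty_query_on_post=True follows the AWS/boto behaviour the fix adopts;
    False models a verifier that always signs params (assumed pre-fix logic)."""
    query = "" if (verb == "POST" and empty_query_on_post) else canonical_query(params)
    headers = {"host": host, "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        verb, path, query,
        "".join(f"{n}:{headers[n]}\n" for n in names),
        ";".join(names), body_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(client_sig, server_fixed, **request):
    # Constant-time comparison of the client's signature with the server's own.
    expected = sign_v4(empty_query_on_post=server_fixed, **request)
    return hmac.compare_digest(client_sig, expected)

# Constructed sample request (values are not taken from the bug report).
BODY = "Action=ListUsers&Version=2010-05-08"
REQUEST = dict(secret="EXAMPLE-SECRET", verb="POST", host="api.example.com", path="/",
               params={"Action": "ListUsers", "Version": "2010-05-08"},
               body_hash=hashlib.sha256(BODY.encode()).hexdigest(),
               amz_date="20160328T221806Z")

if __name__ == "__main__":
    client_sig = sign_v4(**REQUEST)  # client signs POST with an empty query string
    print("pre-fix verifier accepts POST:", server_accepts(client_sig, False, **REQUEST))
    print("fixed verifier accepts POST:  ", server_accepts(client_sig, True, **REQUEST))
```

For GET the two modes produce the same signature, which is why only POST requests were rejected with SignatureDoesNotMatch.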