Bug 1290547

Summary: Heat cfn-push-stats failed with '403 SignatureDoesNotMatch'
Product: Red Hat OpenStack
Reporter: Nathan Kinder <nkinder>
Component: python-keystoneclient
Assignee: Adam Young <ayoung>
Status: CLOSED ERRATA
QA Contact: Rodrigo Duarte <rduartes>
Severity: high
Priority: high
Version: 5.0 (RHEL 6)
CC: anande, augol, ayoung, jjoyce, jruzicka, jschluet, kbasil, mlopes, nbarcet, nkinder, nlevinki, sclewis, srevivo
Target Milestone: async
Keywords: ZStream
Target Release: 5.0 (RHEL 6)
Hardware: All
OS: Linux
Fixed In Version: python-keystoneclient-0.9.0-7.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, calculations of AWS Signature Version 4 would not be properly formatted for POST as there was a logic mismatch between boto and keystoneclient. This was because keystoneclient had its own EC2 v4 signature implementation. Consequently, EC2 v4 signature calculations would fail. With this update, CanonicalQueryString is set to an empty string when using POST and calculating AWS Signature Version 4 (this follows the implementation used by the AWS and boto clients). As a result, EC2 Signature Validation now succeeds.
Clone Of: 1142090
Last Closed: 2017-01-19 13:33:26 UTC
Type: Bug
Bug Depends On: 1142090

Comment 2 Mike McCune 2016-03-28 22:18:06 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune with any questions.

Comment 7 Rodrigo Duarte 2017-01-17 21:55:49 UTC
Verified for python-keystoneclient-0.9.0-8.el6ost.noarch:

- As noted by Jason, the backport has landed and, according to the customer that patched the environment, it is working for them. Below is a general check of the EC2 signature method (the one affected):

- Implemented a script to generate a signature:

...
credentials = {'host': 'iam.amazonaws.com',
               'verb': 'POST',
               'path': '/',
               'params': params,
               'headers': headers,
               'body_hash': body_hash}
signature = signer.generate(credentials)

print '========= SIGNATURE ========='
print signature

- The signature is equal to what is expected (ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c):

========= SIGNATURE =========
ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c

- Changed the method to 'GET' so the params are included in the signature:

========= SIGNATURE =========
3aebad39d75a1302a190a5a5bb0232803f4ded7b70c5e56de55f14f4641d9ad0
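
The behaviour described in the Doc Text and checked in the comment above, as an added example that is not part of the original comment and is not keystoneclient's code: a minimal AWS Signature Version 4 signer in which the hypothetical flag `empty_for_post` switches between the pre-fix and the fixed CanonicalQueryString handling. The secret, request values, region and service are constructed, so the signatures differ from the ones quoted in this bug.

```python
import hashlib
import hmac
from urllib.parse import quote

def canonical_query(verb, params, empty_for_post):
    # Fixed behaviour: POST parameters travel in the body, so the
    # CanonicalQueryString is the empty string (as AWS and boto sign it).
    if verb == 'POST' and empty_for_post:
        return ''
    enc = lambda s: quote(s, safe='-_.~')
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    return '&'.join('%s=%s' % kv for kv in pairs)

def sign_v4(secret, req, region, service, empty_for_post=True):
    hdrs = {k.lower(): v.strip() for k, v in req['headers'].items()}
    names = sorted(hdrs)
    canonical_request = '\n'.join([
        req['verb'], req['path'],
        canonical_query(req['verb'], req['params'], empty_for_post),
        ''.join('%s:%s\n' % (n, hdrs[n]) for n in names),
        ';'.join(names), req['body_hash']])
    stamp = hdrs['x-amz-date']
    scope = [stamp[:8], region, service, 'aws4_request']
    string_to_sign = '\n'.join([
        'AWS4-HMAC-SHA256', stamp, '/'.join(scope),
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ('AWS4' + secret).encode()
    for part in scope:  # signing key chain: date, region, service, terminator
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def verify(secret, req, presented, empty_for_post):
    # Server side: recompute the signature and compare in constant time.
    expected = sign_v4(secret, req, 'us-east-1', 'iam', empty_for_post)
    return hmac.compare_digest(expected, presented)

# Constructed sample secret and request (not the values used in this bug).
SECRET = 'constructed-example-secret'
BODY = 'Action=ListUsers&Version=2010-05-08'
POST_REQ = {
    'verb': 'POST', 'path': '/',
    'params': {'Action': 'ListUsers', 'Version': '2010-05-08'},
    'headers': {'Host': 'iam.amazonaws.com', 'X-Amz-Date': '20170117T215549Z'},
    'body_hash': hashlib.sha256(BODY.encode()).hexdigest()}
GET_REQ = dict(POST_REQ, verb='GET')

if __name__ == '__main__':
    client_sig = sign_v4(SECRET, POST_REQ, 'us-east-1', 'iam')  # boto-style client
    print('pre-fix verifier accepts POST:', verify(SECRET, POST_REQ, client_sig, False))
    print('fixed verifier accepts POST:  ', verify(SECRET, POST_REQ, client_sig, True))
```

With `empty_for_post=False` the verifier folds the POST parameters into the canonical request, so its signature no longer matches the client's; for GET the flag has no effect and both sides agree.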

Comment 9 errata-xmlrpc 2017-01-19 13:33:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0166.html