Bug 1290547 - Heat cfn-push-stats failed with '403 SignatureDoesNotMatch'
Summary: Heat cfn-push-stats failed with '403 SignatureDoesNotMatch'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient
Version: 5.0 (RHEL 6)
Hardware: All
OS: Linux
high
high
Target Milestone: async
: 5.0 (RHEL 6)
Assignee: Adam Young
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
Depends On: 1142090
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-10 18:44 UTC by Nathan Kinder
Modified: 2023-02-22 23:02 UTC (History)
13 users (show)

Fixed In Version: python-keystoneclient-0.9.0-7.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, calculations of AWS Signature Version 4 would not be properly formatted for POST as there was a logic mismatch between boto and keystoneclient. This was because keystoneclient had its own EC2 v4 signature implementation. Consequently, EC2 v4 signature calculations would fail. With this update, CanonicalQueryString is set to an empty string when using POST and calculating AWS Signature Version 4 (this follows the implementation used by the AWS and boto clients). As a result, EC2 Signature Validation now succeeds.
Clone Of: 1142090
Environment:
Last Closed: 2017-01-19 13:33:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 116523 0 None None None Never
Red Hat Product Errata RHBA-2017:0166 0 normal SHIPPED_LIVE openstack-keystone bug fix advisory 2017-01-19 18:22:08 UTC

Comment 2 Mike McCune 2016-03-28 22:18:06 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 7 Rodrigo Duarte 2017-01-17 21:55:49 UTC 
verified for python-keystoneclient-0.9.0-8.el6ost.noarch:

- As noted by Jason, the backport has landed and, according to the customer that patched the environment, it is working for them. Below is a general checking of the ec2 signature method (the one affected):

- Implemented a script to generate a signature:

...
credentials = {'host': 'iam.amazonaws.com',
               'verb': 'POST',
               'path': '/',
               'params': params,
               'headers': headers,
               'body_hash': body_hash}
signature = signer.generate(credentials)

print '========= SIGNATURE ========='
print signature

- The signature is equal to what is expected (ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c):

========= SIGNATURE =========
ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c

- Changed the method to 'GET' so the params are included in the signature:

========= SIGNATURE =========
3aebad39d75a1302a190a5a5bb0232803f4ded7b70c5e56de55f14f4641d9ad0
Comment 9 errata-xmlrpc 2017-01-19 13:33:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0166.html
Note You need to log in before you can comment on or make changes to this bug.