Bug 1290547 - Heat cfn-push-stats failed with '403 SignatureDoesNotMatch'
Heat cfn-push-stats failed with '403 SignatureDoesNotMatch'
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient (Show other bugs)
5.0 (RHEL 6)
All Linux
high Severity high
: async
: 5.0 (RHEL 6)
Assigned To: Adam Young
Rodrigo Duarte
: ZStream
Depends On: 1142090
  Show dependency treegraph
Reported: 2015-12-10 13:44 EST by Nathan Kinder
Modified: 2018-02-08 06:06 EST (History)
14 users (show)

See Also:
Fixed In Version: python-keystoneclient-0.9.0-7.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, calculations of AWS Signature Version 4 would not be properly formatted for POST as there was a logic mismatch between boto and keystoneclient. This was because keystoneclient had its own EC2 v4 signature implementation. Consequently, EC2 v4 signature calculations would fail. With this update, CanonicalQueryString is set to an empty string when using POST and calculating AWS Signature Version 4 (this follows the implementation used by the AWS and boto clients). As a result, EC2 Signature Validation now succeeds.
Story Points: ---
Clone Of: 1142090
Last Closed: 2017-01-19 08:33:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 116523 None None None Never

  None (edit)
Comment 2 Mike McCune 2016-03-28 18:18:06 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 7 Rodrigo Duarte 2017-01-17 16:55:49 EST
verified for python-keystoneclient-0.9.0-8.el6ost.noarch:

- As noted by Jason, the backport has landed and, according to the customer that patched the environment, it is working for them. Below is a general checking of the ec2 signature method (the one affected):

- Implemented a script to generate a signature:

credentials = {'host': 'iam.amazonaws.com',
               'verb': 'POST',
               'path': '/',
               'params': params,
               'headers': headers,
               'body_hash': body_hash}
signature = signer.generate(credentials)

print '========= SIGNATURE ========='
print signature

- The signature is equal to what is expected (ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c):

========= SIGNATURE =========

- Changed the method to 'GET' so the params are included in the signature:

========= SIGNATURE =========
Comment 9 errata-xmlrpc 2017-01-19 08:33:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.