Description of problem: After deploying the overcloud that has the s3 middleware enabled by default in OSP14, triying to use the swifts s3 api fails: With s3cmd: (overcloud) [stack@undercloud s3curl]$ s3cmd la ERROR: S3 error: 403 (SignatureDoesNotMatch): The request signature we calculated does not match the signature you provided. Check your key and signing method. or s3curl: (overcloud) [stack@undercloud s3curl]$ ./s3curl.pl --debug --acl public-read --id c0c362abda5e46549b75e00f38fde903 --key bc84281e59614129bfca8fdf5698bf7c http://swift.localdomain:8080 <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method. DEBUG: Response: {'data': "<?xml version='1.0' encoding='UTF-8'?>\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><RequestId>txe74fbd622bed4b488ede7-005bfeac75</RequestId><StringToSignBytes>47 45 54 0a 0a 0a 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 57 65 64 2c 20 32 38 20 4e 6f 76 20 32 30 31 38 20 31 34 3a 35 35 3a 34 39 20 2b 30 30 30 30 0a 2f</StringToSignBytes><StringToSign>GET\n\n\n\nx-amz-date:Wed, 28 Nov 2018 14:55:49 +0000\n/</StringToSign><SignatureProvided>iz4E0jKd3sJDI9FaVi1fP3IDtiw=</SignatureProvided><AWSAccessKeyId>1df95511e44146ebbf1c94bb3cef8e86</AWSAccessKeyId></Error>", 'headers': {'content-type': 'application/xml', 'date': 'Wed, 28 Nov 2018 14:55:49 GMT', 'transfer-encoding': 'chunked', 'x-amz-id-2': 'txe74fbd622bed4b488ede7-005bfeac75', 'x-amz-request-id': 'txe74fbd622bed4b488ede7-005bfeac75', 'x-openstack-request-id': 'txe74fbd622bed4b488ede7-005bfeac75', 'x-trans-id': 'txe74fbd622bed4b488ede7-005bfeac75'}, 'reason': 'Forbidden', 'status': 403} DEBUG: S3Error: 403 (Forbidden) The proxy-server.conf get's deployed without the v3 at the end of the auth_uri: [root@lab-controller01 swift]# cat proxy-server.conf | tail -3 [filter:s3token] use=egg:swift#s3token auth_uri=http://172.17.1.150:5000/ Once the /v3 is added to the auth_uri and the swift docker restarted it works ok: [root@lab-controller01 swift]# cat proxy-server.conf | tail -3 [filter:s3token] use=egg:swift#s3token auth_uri=http://172.17.1.150:5000/v3/ (overcloud) [stack@undercloud s3curl]$ s3cmd ls 2009-02-03 16:45 s3://s3curl.pl 2009-02-03 16:45 s3://test Version-Release number of selected component (if applicable): (undercloud) [stack@undercloud ~]$ rpm -qa | grep -i penstack-tripleo openstack-tripleo-validations-9.3.1-0.20181008110751.4064fb7.el7ost.noarch openstack-tripleo-common-containers-9.4.1-0.20181012010878.el7ost.noarch openstack-tripleo-image-elements-9.0.1-0.20181007200835.el7ost.noarch openstack-tripleo-heat-templates-9.0.1-0.20181013060890.el7ost.noarch openstack-tripleo-puppet-elements-9.0.0-0.20181007201103.daf9069.el7ost.noarch openstack-tripleo-common-9.4.1-0.20181012010878.el7ost.noarch How reproducible: Steps to Reproduce: 1.deploy overcloud 2.test with a s3 client 3. Actual results: the s3 client fails Expected results: s3 client works Additional info:
Created attachment 1512964 [details] Simple test script using s3cmd
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0045