SignatureDoesNotMatch for some functions

[jahschwa]

This appears to be a ceph bug; but I wanted to report it here since it breaks this package. Some of the functions will always return SignatureDoesNotMatch. This affects:

• create_subuser()
• modify_subuser()
• remove_subuser()
• remove_object()

The bug affects all rgwadmin versions after 2.3.3 because they are using the requests-aws4auth package to do v4 auth instead of the previous awsauth (changed in https://github.com/UMIACS/rgwadmin/pull/59).

This is because those endpoints duplicate query params. For example, for create_subuser(): https://docs.ceph.com/en/latest/radosgw/adminops/#create-subuser

The spec looks like:

PUT /{admin}/user?subuser&format=json

But one of the required params is subuser, resulting in something like:

PUT /{admin}/user?subuser&format=json&uid=bob&subuser=sub1

Which results in SignatureDoesNotMatch. If instead I make the request omitting the initial subuser param, then everything works fine (even though this isn't the documented API spec):

PUT /{admin}/user?format=json&uid=bob&subuser=sub1

Solution

https://tracker.ceph.com/issues/62105

Workaround 1

Downgrade to 2.3.3. Ceph seems to be fine with the double query params if you're doing v2 auth (which is why this was working before #59).

Workaround 2

Apply this patch: https://gist.github.com/jahschwa/14bb50f3ab839158fe2a187cdaf9a916

[dyarnell]

This has been patched and a new version released to PyPI 2.4.3. Please verify and let me know that this release works for you.

[jahschwa]

Sorry took me so long to come back to test this; yep, things work again! I'll try to follow up in a new issue if the ceph bug gets movement.