[resolved] Minio show the signature mismatch problem , While amazone s3 storate works fine. · Issue #5083 · minio/minio

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

狂野的柳树 · A connection attempt ...· 2 年前 ·

纯真的足球 · No CUDA runtime is ...· 2 年前 ·

迷茫的番茄 · pandas读取csv文件时报错：Empty ...· 3 年前 ·

文雅的沙发 · SQL 操作常见问题 | PingCAP 文档中心· 3 年前 ·

细心的打火机 · mysql - WHERE ...· 3 年前 ·

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account [resolved] Minio show the signature mismatch problem , While amazone s3 storate works fine. #5083 [resolved] Minio show the signature mismatch problem , While amazone s3 storate works fine. #5083 Mo33n opened this issue Oct 18, 2017 · 20 comments

moeenmohsin [2:42 PM]
PUT URL GENERATED :
http://65.39.201.4:9000/waafi/9ffba7f803a6a4898b54d35896f6cb19a0dbb13bb53bc643a2b0540801ae72cc/1508319687974.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=N95ZGNOF4LYAMUJAOEBV%2F20171018%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20171018T093959Z&X-Amz-Expires=6000&X-Amz-Signature=fc76702b228ac2aadf6777bc158fa6d1a70384498e156f698f1fdb48095716c8&X-Amz-SignedHeaders=content-length%3Bcontent-type%3Bhost&x-amz-acl=public-read

Following Error I see when i put image.

ERRO[3282] {"method":"PUT","reqURI":"/waafi/9ffba7f803a6a4898b54d35896f6cb19a0dbb13bb53bc643a2b0540801ae72cc/1508319687974.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=N95ZGNOF4LYAMUJAOEBV%2F20171018%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20171018T093959Z&X-Amz-Expires=6000&X-Amz-Signature=fc76702b228ac2aadf6777bc158fa6d1a70384498e156f698f1fdb48095716c8&X-Amz-SignedHeaders=content-length%3Bcontent-type%3Bhost&x-amz-acl=public-read","header":{"Accept-Encoding":["gzip"],"Connection":["Keep-Alive"],"Content-Length":["77067"],"Content-Type":["image/jpeg"],"Host":["65.39.201.4:9000"],"User-Agent":["Dalvik/2.1.0 (Linux; U; Android 7.1.2; Nexus 5X Build/N2G48C)"]}}  cause=Signature does not match source=[object-handlers.go:569:objectAPIHandlers.PutObjectHandler()]
[REQUEST (objectAPIHandlers).PutObjectHandler-fm] [150831960.055573] [2017-10-18 12:40:00 +0300]
PUT /waafi/9ffba7f803a6a4898b54d35896f6cb19a0dbb13bb53bc643a2b0540801ae72cc/1508319687974.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=N95ZGNOF4LYAMUJAOEBV%2F20171018%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20171018T093959Z&X-Amz-Expires=6000&X-Amz-Signature=fc76702b228ac2aadf6777bc158fa6d1a70384498e156f698f1fdb48095716c8&X-Amz-SignedHeaders=content-length%3Bcontent-type%3Bhost&x-amz-acl=public-read
Host: 65.39.201.4:9000
Content-Length: 77067
Content-Type: image/jpeg
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.2; Nexus 5X Build/N2G48C)
Connection: Keep-Alive
Accept-Encoding: gzip
[RESPONSE] [150831960.055573] [2017-10-18 12:40:02 +0300]
403 Forbidden
Content-Type: application/xml
Vary: Origin
X-Amz-Request-Id: 14EEA0AF6EED28C0
Server: Minio/DEVELOPMENT.GOGET (linux; amd64)
Accept-Ranges: bytes
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key></Key><BucketName></BucketName><Resource>/waafi/9ffba7f803a6a4898b54d35896f6cb19a0dbb13bb53bc643a2b0540801ae72cc/1508319687974.jpg</Resource><RequestId>3L137</RequestId><HostId>3L137</HostId></Error>
          This is a go code which generates a presigned PUT with content-length/content-type/acl requirements:
// +build example
package main
import (
	"fmt"
	"log"
	"time"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
func main() {
	// Create a AWS SDK for Go Session that will load credentials using the SDK's
	// default credential change.
	sess := session.Must(session.NewSession())
	s3Svc := s3.New(sess, &aws.Config{
		Endpoint:         aws.String("http://localhost:9000"),
		Region:           aws.String("us-east-1"),
		S3ForcePathStyle: aws.Bool(true),
	sdkReq, _ := s3Svc.PutObjectRequest(&s3.PutObjectInput{
		Bucket: aws.String("vadmeste"),
		Key:    aws.String("testkey"),
		ACL:           aws.String("public-read"),
		ContentType:   aws.String("image/jpeg"),
		ContentLength: aws.Int64(1024),
	u, _, err := sdkReq.PresignRequest(15 * time.Hour)
	if err != nil {
		log.Fatal(err)
	fmt.Printf("URL = %s\n", u)
This works fine with Minio server. Besides it looks like mongooseIM is missing adding x-amz-acl to the list of X-Amz-SignedHeaders because it seems this is required according to the following link:
http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
X-Amz-SignedHeader:
Lists the headers that you used to calculate the signature. The following headers are required in the signature calculations:
The HTTP host header.
Any x-amz-* headers that you plan to add to the request.
I really don't know how this is working with AWS S3.
          @Mo33n, can you disable ACL support in mod_http_upload ?
https://github.com/esl/MongooseIM/blob/master/doc/modules/mod_http_upload.md
Set add_acl to false. I expect this will resolve your problem though this is just a workaround.
<BucketName/>
<Resource>
/waafi/22c2e898a5c6eb0004fc68ca9a095ac42db4dee44c0eb2e9db30d64c3abc2f86/1508415843822.jpg
</Resource>
<RequestId>3L137</RequestId>
<HostId>3L137</HostId>
</Error>
          Dear @vadmeste

[root@ivr /]# ./mc policy  download ~/Photos/waafi/

Access permission for /root/Photos/waafi/ is set to download
Still the problem is same.
          @Mo33n, you should set the policy of a bucket belonging to a S3 server and not to a path in your machine.
For that, you need to configure an alias first in mc. The alias should point to your server.
https://docs.minio.io/docs/minio-client-quickstart-guide
e.g.:

mc config host add myminio http://192.168.1.51 BKIKJAA5BMMU2RHO6IBB V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12 S3v4
then:

mc policy download myminio/waafi
          Its working fine with by disabling the acl support. and setting the buckets policy as download. this seems a work around.
I believe this ticket is still valid.

Please close it if i am wrong.
Its working fine with by disabling the acl support. and setting the buckets policy as download. this seems a work around.
The bug is in the client @Mo33n this is the reason we asked you to disable ACL to avoid the x-amz-acl signature issue.  Also enabling ACL doesn't make sense with Minio since we do not support ACL anyways.
FWIW we cannot fix this aws-sdk-go works properly as indicated by @vadmeste with similar headers and requirements. What needs to be fixed here is mongooseIM which is incorrectly generating a presigned URL. If the workaround by disabling ACL works then that would be a resolution for the time being but ideally mongooseIM should be fixed .
          Okay, i understand the point, But my concern is that, Why mongooseIm presigned URL work fine with the Amazone s3 cloud, But not with minio.

as both storage are s3 compliant.
Okay, i understand the point, But my concern i that, What mongooseIm presigned URL work fine with the Amazone s3 cloud, But not with minio.

as both storage are s3 compliant.
In our experience AWS S3 is inconsistent at times with the signature spec implementation and varies based on the region of the bucket.  It is not conclusive and sporadically changes in nature.
      changed the title
Minio show the signature mismatch problem , While amazone s3 storate works fine.
[resolved] Minio show the signature mismatch problem , While amazone s3 storate works fine.
    Apr 10, 2020