ONTAP Discussions
Hi! I installed an ONTAP simulator 9.12.1 and configured an object store bucket of type NAS.
Everything appears to work, but I could not manage to use presigned S3 URLs:
$ aws s3 cp --ca-bundle /etc/pki/ca-trust/source/anchors/test1.crt --endpoint https://test1/ s3://mybucket/a a
download: s3://mybucket/a to ./a
$ aws s3 presign --ca-bundle /etc/pki/ca-trust/source/anchors/test1.crt --endpoint https://test1/ s3://mybucket/a
https://test1/mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=oAmbont1oJxDn3d7R1TWFgI0Xc4%3D&Expires=1681037328
$ curl 'https://test1/mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=oAmbont1oJxDn3d7R1TWFgI0Xc4%3D&Expires=1681037328'
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>
An event is logged:
nblade.css.s3.AccessDenied: Access is denied for user 'anonymous user' (Vserver 2),
from client IP 10.224.123.151 accessing resource '/mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=oAmbont1oJxDn3d7R1TWFgI0Xc4%3D&Expires=1681037328'.
I tried with buckets of type S3 as well and got the same issue.
I also tried to activate as many logs as possible and checked the sktrace.log file, which I paste below.
I deduce that the signature in the URL query parameters is somehow not considered, the request is treated as coming from an anonymous user, and access is denied.
2023-04-09T10:21:05Z 11674352780881 [0:0] PCP_Tls: PcpTlsFilter:_cbPreOpen: < (0xfffff8024d49e4c0)
2023-04-09T10:21:05Z 11674352790235 [0:0] S3_PCP_Info: n0x10fed0: S3 ConnOpen
2023-04-09T10:21:05Z 11674352791203 [0:0] S3_PCP_Info: n0x10ff1a: OpenS3Connection
2023-04-09T10:21:05Z 11674352799241 [0:0] S3_PCP_Info: n0x10ffef: OpenS3Connection::cid = 0xee81aa53 Conn Gen 0x1 from ip/port 10.224.123.151/35976
2023-04-09T10:21:05Z 11674352799917 [0:0] S3_PCP_Info: n0x11000c: ConnOpen Result:0
2023-04-09T10:21:05Z 11674352881203 [0:0] S3_PCP_Info: n0x11064d: S3 RecieveData
2023-04-09T10:21:05Z 11674352883097 [0:0] S3_PCP_Info: n0x11014a: S3TcpProcess:Before connn->exec
2023-04-09T10:21:05Z 11674352883719 [0:0] S3_Info: n0xa0772: [0] S3Connection::exec :1
2023-04-09T10:21:05Z 11674352884745 [0:0] S3_Info: n0xa0bc8: [0] S3Connection::allocateProcessor
2023-04-09T10:21:05Z 11674352887471 [0:0] S3_Ctx: n0xa0c26: N=CONN: t=0, c2os=1, c2ns=2
2023-04-09T10:21:05Z 11674352888199 [0:0] S3_Info: n0xa0de4: [0] S3Connection::readHeaderData
2023-04-09T10:21:05Z 11674352888705 [0:0] S3_Info: n0xa0e21: [0] S3Connection::readDataFromNetwork
2023-04-09T10:21:05Z 11674352892573 [0:0] S3_Info: n0xa0e98: [0] S3Connection::readHeaderData:isHeaderFound
2023-04-09T10:21:05Z 11674352893339 [0:0] S3_Ctx: n0xa0eca: N=CONN: t=3793907372, c2os=2, c2ns=3
2023-04-09T10:21:05Z 11674352894153 [0:0] S3_Info: n0xa10b2: [3793907372] S3Connection::callProcessorExec
2023-04-09T10:21:05Z 11674352894791 [0:0] S3_Ctx: n0x117fe3: N=PROC: t=0, c2os=1, c2ns=1
2023-04-09T10:21:05Z 11674352895463 [0:0] S3_Ctx: n0xa1102: N=CONN: t=3793907372, c2os=3, c2ns=4
2023-04-09T10:21:05Z 11674352896609 [0:0] S3_Info: n0x114aee: [3793907372] S3Processor::initParser
2023-04-09T10:21:05Z 11674352902161 [0:0] S3_Ctx: n0x114a41: N=PROC: t=3793907372, c2os=1, c2ns=2
2023-04-09T10:21:05Z 11674352902525 [0:0] S3_Info: n0x114c51: [3793907372] S3Processor::invokeParser
2023-04-09T10:21:05Z 11674352908299 [0:0] S3_Dbg: n0x7a6c4d: [3793907372] pPath = /mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=zL%2FE9SyAYE9vZuSzXNeoAdn8u%2Fc%3D&Expires=1681038429
2023-04-09T10:21:05Z 11674352912351 [0:0] S3_Dbg: n0xc8c44: S3 Config lock NOT HELD
2023-04-09T10:21:05Z 11674352919939 [0:0] S3_Ctx: n0x114cf5: N=PROC: t=3793907372, c2os=2, c2ns=3
2023-04-09T10:21:05Z 11674352921263 [0:0] S3_Info: n0x115114: [3793907372] S3Processor::authenticateUser
2023-04-09T10:21:05Z 11674352924911 [0:0] S3_Info: n0x1151ed: [3793907372] S3Processor::anon request
2023-04-09T10:21:05Z 11674352925205 [0:0] S3_Ctx: n0x11506a: N=PROC: t=3793907372, c2os=3, c2ns=4
2023-04-09T10:21:05Z 11674352925809 [0:0] S3_Info: n0x115593: [3793907372] S3Processor::checkFLTraffic
2023-04-09T10:21:05Z 11674352926085 [0:0] S3_Ctx: n0x1155c8: N=PROC: t=3793907372, c2os=4, c2ns=6
2023-04-09T10:21:05Z 11674352926905 [0:0] S3_Info: n0x115c09: [3793907372] S3Processor::authorize
2023-04-09T10:21:05Z 11674352929179 [0:0] S3_AUTH_Dbg: n0x7c3ecc: [3793907372] Anonymous User: Skipping Group Policy access check.
2023-04-09T10:21:05Z 11674352930463 [0:0] S3_AUTH_Dbg: n0x7c4af0: [3793907372] Evaluating Bucket Policy for user NULL action GetObject
2023-04-09T10:21:05Z 11674352931455 [0:0] S3_AUTH_Dbg: n0x111c9b: [3793907372] Action = GetObject, user = NULL, path = /mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=zL%2FE9SyAYE9vZuSzXNeoAdn8u%2Fc%3D&Expires=1681038429
2023-04-09T10:21:05Z 11674352933405 [0:0] S3_AUTH_Dbg: n0x111b16: [3793907372] DENY pass
2023-04-09T10:21:05Z 11674352933703 [0:0] S3_AUTH_Dbg: n0x111b16: [3793907372] ALLOW pass
2023-04-09T10:21:05Z 11674352934213 [0:0] S3_AUTH_Dbg: n0x111cef: [3793907372] No matching statements and hence Implict Deny
2023-04-09T10:21:05Z 11674352934733 [0:0] S3_AUTH_Dbg: n0x7c4997: [3793907372] Bucket Policy Evaluation found No match for user NULL
2023-04-09T10:21:05Z 11674352944585 [0:0] S3_AUTH_Err: n0x7c3fc1: [3793907372] Access-denied for user NULL with Result 9907
2023-04-09T10:21:05Z 11674352945665 [0:0] S3_Info: n0x11757d: [3793907372] S3Processor::buildErrorResponse
2023-04-09T10:21:05Z 11674352950143 [0:0] S3_Ctx: n0xa067c: N=CONN: t=3793907372, c2os=4, c2ns=2
2023-04-09T10:21:05Z 11674352952191 [0:0] S3_Err: n0xb64cc: [3793907372] S3 OP 1 failed with error 9907 (mapped to HTTP Status: 21)
2023-04-09T10:21:05Z 11674352952927 [0:0] S3_Err: n0xb6526: [3793907372] OP URI: HTTPMethodId(1) /mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=zL%2FE9SyAYE9vZuSzXNeoAdn8u%2Fc%3D&Expires=1681038429 AWSAccessKeyId=360XN217SR4QDGKA535X&Signature=zL%2FE9SyAYE9vZuSzXNeoAdn8u%2Fc%3D&Expires=1681038429
2023-04-09T10:21:05Z 11674352964499 [0:0] S3_Ctx: n0xb5c50: N=ErrCmd: t=3793907372, c2os=1, c2ns=2
Any idea what I am doing wrong? Is there something special to activate to support presigned S3 URLs on ONTAP?
Thanks!
Never mind, I found it: the trick is to use signature v4 (as documented at the bottom of https://kb.netapp.com/onprem/ontap/da/S3/Does_ONTAP_S3_support_AWSv2_signatures).
aws configure set default.s3.signature_version s3v4
does the trick.
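To see what actually changes on the wire when the CLI is switched to v4, here is an added example (my own stdlib-only Python, not the poster's code and not anything shipped by NetApp or the AWS CLI). The v2 presigned URL in the question carries `AWSAccessKeyId`, `Signature` and `Expires`; a SigV4 presigned URL instead carries `X-Amz-Algorithm`, `X-Amz-Credential`, `X-Amz-Date`, `X-Amz-Expires`, `X-Amz-SignedHeaders` and `X-Amz-Signature`, and the signature covers the host and the query string. The host `test1` and path `/mybucket/a` are taken from the post; the access key, secret and region are constructed placeholders, and `signature_version()` is a small helper of my own for checking which scheme a URL uses before blaming the server.

```python
"""Build a SigV4 presigned GET URL for an S3-compatible endpoint (stdlib only)."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlsplit


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def presign_get_v4(host, path, access_key, secret_key, region="us-east-1",
                   expires=3600, amz_date=None, scheme="https"):
    """Return an AWS Signature Version 4 presigned GET URL.

    host: value of the Host header, e.g. "test1" for a path-style ONTAP endpoint
    path: object path, e.g. "/mybucket/a"
    amz_date: "YYYYMMDDTHHMMSSZ"; defaults to the current UTC time
    """
    if amz_date is None:
        amz_date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"

    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: RFC 3986 percent-encoding, sorted by parameter name.
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = quote(path, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",    # canonical headers block, terminated by a newline
        "host",              # signed headers: only Host is covered by the signature
        "UNSIGNED-PAYLOAD",  # presigned URLs never sign a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        _sha256_hex(canonical_request),
    ])
    # Derive the per-day, per-region, per-service signing key from the secret.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return f"{scheme}://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def signature_version(url: str):
    """Classify a presigned URL as "v2", "v4" or None by its query-string auth parameters."""
    qs = parse_qs(urlsplit(url).query)
    if "X-Amz-Algorithm" in qs and "X-Amz-Signature" in qs:
        return "v4"
    if "AWSAccessKeyId" in qs and "Signature" in qs:
        return "v2"
    return None


if __name__ == "__main__":
    # Constructed placeholder credentials; host and path mirror the post above.
    url = presign_get_v4("test1", "/mybucket/a", "AKIAEXAMPLEKEY", "exampleSecretKey")
    print(url)
    print("scheme:", signature_version(url))
    v2_url = ("https://test1/mybucket/a?AWSAccessKeyId=360XN217SR4QDGKA535X"
              "&Signature=oAmbont1oJxDn3d7R1TWFgI0Xc4%3D&Expires=1681037328")
    print("scheme:", signature_version(v2_url))
```

With the AWS documentation's own presigned-GET example inputs (access key `AKIAIOSFODNN7EXAMPLE`, date `20130524T000000Z`, 86400 seconds, bucket `examplebucket`, key `test.txt`), the function reproduces the documented signature, which is a useful sanity check if you port this to another tool. The same `X-Amz-*` parameters are what ONTAP expects; a URL that only carries `AWSAccessKeyId`/`Signature`/`Expires` is the one the log above shows being processed as an anonymous request.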