S3 authentication

Requests to the Ceph Object Gateway can be either authenticated or unauthenticated. Ceph Object Gateway assumes that unauthenticated requests are sent by an anonymous user. Ceph Object Gateway supports canned ACLs.

For most use cases, clients use existing open source libraries like the Amazon SDK’s AmazonS3Client for Java, and Python Boto. With open source libraries, you pass in the access key and secret key and the library builds the request header and authentication signature for you. However, you can also create and sign requests yourself.

Authenticating a request requires including an access key and a base 64-encoded Hash-based Message Authentication Code (HMAC) in the request before it is sent to the Ceph Object Gateway server. Ceph Object Gateway uses an S3-compatible authentication approach.

Example

PUT /buckets/bucket/object.mpeg HTTP/1.1
Host: cname.domain.com
Date: Mon, 2 Jan 2012 00:01:01 +0000
Content-Encoding: mpeg
Content-Length: 9999999
Authorization: AWS ACCESS_KEY:HASH_OF_HEADER_AND_SECRET

In the example, replace ACCESS_KEY with the value for the access key ID followed by a colon (:). Replace HASH_OF_HEADER_AND_SECRET with a hash of a canonicalized header string and the secret corresponding to the access key ID.

Generate a hash of header string and secret.

To generate the hash of the header string and secret:

  1. Get the value of the header string.

  2. Normalize the request header string into canonical form.

  3. Generate an HMAC with an SHA-1 hashing algorithm.

  4. Encode the HMAC result as base-64.

Normalizing header

Normalize the header into canonical form.

  1. Get all content- headers.

  2. Remove all content- headers except for content-type and content-md5.

  3. Ensure the content- header names are lowercase.

  4. Sort the content- headers lexicographically.

  5. Ensure you have a Date header AND ensure the specified date uses GMT and not an offset.

  6. Get all headers that begin with x-amz-.

  7. Ensure that the x-amz- headers are all lowercase.

  8. Sort the x-amz- headers lexicographically.

  9. Combine multiple instances of the same field name into a single field and separate the field values with a comma.

  10. Replace white space and line breaks in header values with a single space.

  11. Remove white space before and after colons.

  12. Append a new line after each header.

  13. Merge the headers back into the request header.

Replace the HASH_OF_HEADER_AND_SECRET with the base-64 encoded HMAC string.
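
The signing procedure above, as an added Python example (not code from Ceph or from the original page). It assumes the string-to-sign layout of AWS Signature Version 2 (method, Content-MD5, Content-Type, Date, canonical x-amz- headers, resource), which the page does not spell out; the function names, keys and sample request are constructed for illustration. The verify function shows the receiving side's check, using a constant-time comparison.

```python
import base64
import hashlib
import hmac
import re

def canonical_amz_headers(headers):
    """Steps 6-12: lowercase, merge duplicates, collapse whitespace, sort."""
    merged = {}
    for name, value in headers:
        key = name.strip().lower()
        if key.startswith("x-amz-"):
            merged.setdefault(key, []).append(re.sub(r"\s+", " ", value.strip()))
    return "".join(f"{k}:{','.join(v)}\n" for k, v in sorted(merged.items()))

def string_to_sign(method, resource, headers):
    """Canonical string; layout assumed from AWS Signature Version 2."""
    lower = {n.strip().lower(): v.strip() for n, v in headers}
    return "\n".join([
        method.upper(),
        lower.get("content-md5", ""),   # only content-md5 and content-type
        lower.get("content-type", ""),  # survive from the content- headers
        lower.get("date", ""),
        canonical_amz_headers(headers) + resource,
    ])

def sign(secret_key, method, resource, headers):
    """Steps 3-4: HMAC-SHA1 over the canonical string, then base64."""
    msg = string_to_sign(method, resource, headers).encode()
    mac = hmac.new(secret_key.encode(), msg, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(access_key, secret_key, method, resource, headers):
    return f"AWS {access_key}:{sign(secret_key, method, resource, headers)}"

def verify(secret_key, method, resource, headers, presented_signature):
    """Receiver-side check: recompute and compare in constant time."""
    return hmac.compare_digest(sign(secret_key, method, resource, headers),
                               presented_signature)

# Constructed sample request (placeholder values, not real credentials).
SAMPLE_HEADERS = [
    ("Date", "Mon, 02 Jan 2012 00:01:01 GMT"),
    ("Content-Type", "video/mpeg"),
    ("X-Amz-Meta-Owner", "alice"),
    ("x-amz-meta-owner", "  bob \n  smith"),
    ("X-Amz-Acl", "private"),
]
SAMPLE_RESOURCE = "/buckets/bucket/object.mpeg"
```

Because the signature covers the canonical headers and the resource, changing any signed header after signing makes verify return False.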