Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth: Disable the Authorization header for ECR redirects. #6728

Merged
merged 1 commit into from May 9, 2024
Merged

auth: Disable the Authorization header for ECR redirects. #6728

merged 1 commit into from May 9, 2024

Conversation

gdlg
Copy link
Contributor

@gdlg gdlg commented Apr 30, 2024

Why the changes in this PR are needed?

I am attempting to address #6580

ECR serves OCI blobs by redirecting to S3 using pre-signed URLs. Currently, OPA adds the ECR auth header to the S3 request in addition to the pre-signed parameter, and S3 returns a 400 Bad Request:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

What are the changes in this PR?

I removed the auth header from the redirects to S3.

I hesitated between checking whether the request is generated by a 307 redirect, or whether the request host matches the host specified in the OPA OCI config. I went for the second option because http auth is usually tied to a specific origin, and should not be shared across origin. The Prepare function adds the auth header only if the host matches, and returns early if doesn’t.

@gdlg
Disable the Authorization header for ECR redirects.
ff5fa4b 
ECR uses S3 pre-signed URLs for OCI blobs. If the ECR auth header is
added to the pre-signed URL, S3 returns a 400 error.

We address the issue by checking whether the request host matches
the one specified in the OCI configuration.

Signed-off-by: Grégoire Payen de La Garanderie <gregoire.payen.de.la.garanderie@intel.com>
@ashutosh-narkar
Copy link
Member

@gdlg the changes look fine. Have you tested this with an actual ECR-S3 scenario as described in #6580?

@gdlg
Copy link
Contributor Author

gdlg commented May 9, 2024

@ashutosh-narkar Yes, I have tested ECR with the S3 redirection. As far as I am aware, ECR always does a redirection to S3. For testing, we also ported this change to opa-envoy-plugin and deployed it as a K8s sidecar and it is working as expected.

@ashutosh-narkar ashutosh-narkar merged commit d526589 into open-policy-agent:main May 9, 2024
28 checks passed
@ashutosh-narkar ashutosh-narkar mentioned this pull request May 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashutosh-narkar ashutosh-narkar ashutosh-narkar approved these changes

Assignees
No one assigned
Labels
waiting-for-response
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gdlg @ashutosh-narkar