Skip to content

Disable backend payload signing; verify ciphertext MD5 against backend ETag#129

Open
ServerSideHannes wants to merge 1 commit into
mainfrom
feat/backend-unsigned-payload-etag-verify
Open

Disable backend payload signing; verify ciphertext MD5 against backend ETag#129
ServerSideHannes wants to merge 1 commit into
mainfrom
feat/backend-unsigned-payload-etag-verify

Conversation

@ServerSideHannes

Copy link
Copy Markdown
Owner

Closes #127

What

  • Backend S3 client now signs requests with UNSIGNED-PAYLOAD (payload_signing_enabled: False) and only computes flexible checksums when_required. SigV4 payload hashing forced botocore to hold/read a second full copy of every uploaded internal part — roughly half of the multi-frame upload peak documented in streaming_upload_peak().
  • The lost transport-integrity check is replaced by ciphertext ETag verification: every upload_part / put_object compares the backend's returned ETag against the MD5 of the ciphertext we sent (incremental for streaming bodies, direct for bytes). Mismatch raises BackendIntegrityError → 500 InternalError → the client (rclone/barman) retries the part. This is the no-regression condition from Backend payload signing doubles per-request upload memory — switch to UNSIGNED-PAYLOAD #127.
  • Non-MD5 ETags (SSE-KMS backends) skip verification with a one-time BACKEND_ETAG_NOT_MD5 warning; our RGW backend returns plain MD5 ETags.

Side effect: local ~/.aws/config can no longer flip payload signing behavior (the prior local-vs-CI divergence), since it's now pinned in the client config.

Tests

tests/unit/test_backend_etag_verification.py: config pins (signing off, checksums when_required), match/mismatch/skip paths for both operations, streaming-body duck-typed verification, and the mapping to a retryable 500.

Integration suites exercise the unsigned-payload path against real MinIO end-to-end — any ETag mismatch now fails loudly there.

Backup impact & rollout

None expected: same requests, same retry behavior, same data format. Deploy between backup runs; rollback is a plain image revert. Ship before #128 (frame-streaming bodies build on the unsigned-payload hop).

…backend ETag

Backend SigV4 payload signing forced botocore to hold a second full copy of
every uploaded internal part. Switch the backend hop to UNSIGNED-PAYLOAD and
flexible checksums to when_required, and replace the lost integrity check with
an incremental ciphertext-MD5 vs backend-ETag comparison on every upload_part
and put_object (BackendIntegrityError -> 500 InternalError -> client retries).
Non-MD5 ETags (SSE-KMS backends) skip verification with a one-time warning.

Closes #127
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Backend payload signing doubles per-request upload memory — switch to UNSIGNED-PAYLOAD

1 participant