fix: do not defer signature for presigned PUTs (#116 regression)#117
Merged
Conversation
Scylla Manager uploads SSTs via presigned URLs (X-Amz-Signature in query). PR #116 treated missing x-amz-content-sha256 as deferred header-auth, which routed presigned PUTs through prepare_header_auth and failed with 403. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Pass query dict to _needs_body_for_signature in test_routing.py and add presigned coverage. Ruff-format request_handler.py for format check. Co-authored-by: Cursor <cursoragent@cursor.com>
Full-stack integration tests via generate_presigned_url (s3v4, Scylla shape) and hand-crafted V2 URLs. Covers small/large PUT roundtrips and bad-signature 403 for both query-string auth styles. Co-authored-by: Cursor <cursoragent@cursor.com>
Heavy copy e2e tests now use isolated throwaway MinIO containers instead of filling the shared compose instance. Concurrent passthrough flood uses the 96MB source (pipeline/memory test, not 1280MB scale). Give compose MinIO a 4GB tmpfs. Co-authored-by: Cursor <cursoragent@cursor.com>
2 tasks
ServerSideHannes
added a commit
that referenced
this pull request
Jul 8, 2026
#117 added a 4g tmpfs limit on compose MinIO for integration shards, but OOM tests upload 5GB+ in a single case (20×256MB PUTs). Use a compose override for make test-oom so MinIO falls back to disk-backed storage. Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
X-Amz-Signaturein query) must not enter the deferred header-auth pathUNSIGNED-PAYLOAD; verify up front viaverifier.verify(), stream body onceProblem
Scylla Manager uploads SSTs with presigned PUT URLs, not
Authorizationheader auth. #116 deferred signature wheneverx-amz-content-sha256was absent on large PUTs. That incorrectly routed presigned requests throughprepare_header_auth→ deferred verify → 403 Forbidden.Fix
X-Amz-Signature(or legacySignature)Test plan
uv run pytest tests/unit/test_request_handler_body.py tests/unit/test_sigv4.py -q— 42 passed2026.7.13after merge; confirm Scylla backup PUTs return 200Made with Cursor