[solved in 4.0.2] S3 (Backblaze) no longer working with Cells 4.0.1

S3 config that worked in v3 no longer works after upgrading to v4.
All datasources are using “S3-compatible Storage”

Console error:
"error": "The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256"

Custom Endpoint URL:
https://s3.us-west-002.backblazeb2.com

S3 Api Region: blank

1 Like

Interesting. I’ve encountered the same error when trying to add a ‘new’ S3-compatible storage, but an ‘old’ existing connection Google Cloud S3-compatible storage wasn’t affected.

To clarify: I personally cannot afford any S3-compatible cloud storage (alas…) for the amount of data I have on Cells; however, I’m constantly experimenting with whatever kind provider is happy to give me a free trial, and see how well such providers will integrate with the rest of my complicated setup :wink:

I haven’t tested Backblaze yet, but it’s quite clear that they only support V4 authentication, as do most of the providers I have been playing around with. Google Cloud apparently still supports V2 authentication — although they seriously encourage the upgrade to V4 — and that might be the reason why I had no problems with their connection.

Interestingly, when trying to connect to Cells using its own S3 API, it seems that only V4 authentication is supported. I suspected as much when doing some tests in the distant past, but today I experimented with the popular, generic s3cmd Python-based command-line tool to access remote buckets. It has no problems connecting to Cells via V4 authentication, but throws an (expected) error using V2. The documentation for this is very straightforward and doesn’t go into details.

So, it seems that Cells is correctly configured to accept only V4 authentication for its own datasources, but it fails to connect with V4 authentication when mounting external datasources?

That’s a bit weird, isn’t it? The pydio.json configuration file does not seem to allow selecting the signature version, and nothing on the official documentation refers to it.

I have no idea if this worked under Cells 3.

I just tested a fresh install from 3.0.9 → 4.0.1 and still have the “AWS4-HMAC-SHA256” error, so the issue seems to be easily reproducible.

Hello @crobibero
Please try to edit the datasources directly inside the pydio.json :

  • Look for the “pydio.grpc.data.sync.DATASOURCENAME” block
  • Inside that block, look for “StorageConfiguration” section and add a key/value "signatureVersion":"v4"

Would look like :

    "pydio.grpc.data.sync.pydiods1": {
      "ApiKey": "....",
      "ApiSecret": "....",
      [....]
      "StorageConfiguration": {
        [....]
        "signatureVersion": "v4"
      }
    },

Then save and restart Cells.

@charles I am still getting the same error with that config applied

"pydio.grpc.data.sync.personal": {
  "ApiKey": "--",
  "ApiSecret": "--",
  "FlatStorage": true,
  "Name": "personal",
  "ObjectsBucket": "cloud-personal",
  "ObjectsPort": 43173,
  "ObjectsServiceName": "gateway1",
  "StorageConfiguration": {
	"customEndpoint": "https://s3.us-west-002.backblazeb2.com",
	"signatureVersion": "v4"
  },
  "StorageType": 1
},

Log line:

{
	"level": "info",
	"ts": "2022-10-24T13:25:41Z",
	"logger": "pydio.grpc.data.sync.personal",
	"msg": "{\"level\":\"warn\",\"ts\":\"2022-10-24T13:25:41Z\",\"logger\":\"pydio.grpc.data.sync.personal\",\"msg\":\"Cannot contact s3 service (bucket cloud-personal), will retry in 1s\",\"error\":\"The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256\"}"
}

Formatted message:

{
	"level": "warn",
	"ts": "2022-10-24T13:25:41Z",
	"logger": "pydio.grpc.data.sync.personal",
	"msg": "Cannot contact s3 service (bucket cloud-personal), will retry in 1s",
	"error": "The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256"
}

Hum. You did restart cells ?
If you create a new blackblaze datasource from scratch, does it work?

New try : set the signatureVersion in the following config (you may have to create the GatewayConfiguration object, similarly to StorageConfiguration)

services/pydio.grpc.data.object.gateway1/GatewayConfiguration/signatureVersion

(same value “v4”)

Then restart and test

I just made a test with 4.0.2-rc1. As said, I’m not using Backblaze, but rather Cloudflare R2, which also only accepts v4 signatures.

I can confirm that it works when manually editing pydio.json to create a new Storage + Workspace (since from the web backoffice I will constantly get the “V2 signature authorization not supported” error) and adding the GatewayConfiguration object just for the service, while using StorageConfiguration elsewhere — both with "signatureVersion": "v4".

When logging back in and attempting to change any Workspace settings, the usual “v2 not supported” error appears and prevents me from editing anything and saving; but manually changing pydio.json and restarting Cells will work.

I believe I could try a few more providers (lots of copy & pasting of configuration aspects which I have no idea about what I’m doing) if you wish, but I now believe that all will work :smiley: — so I guess that for the final release of 4.0.2, you could simply consider “v4” the default signature type, and just let all the configuration use it as a default — and nobody will have any issues.

And for 4.1 you could add the selection of v2 vs. v4 as an option on the web interface, although the truth is that v2 is pretty much obsolete and deprecated on all storage providers compatible with the S3 API — it’s just used for some more obscure APIs that Amazon provides to other services (at least that’s what I managed to figure out). Thus, dropping v2 signatures for object storage (and making v4 the default) should have no impact on existing services.

But that’s just my opinion :slight_smile: There are thousands of providers around, and there might be the odd exception here or there… thus, having the ability to fall back to v2 is perhaps a good idea.

I can confirm adding the GatewayConfiguration works

"pydio.grpc.data.objects.gateway1": {
  "ApiKey": "--",
  "ApiSecret": "--",
  "EndpointUrl": "https://s3.us-west-002.backblazeb2.com",
  "Name": "gateway1",
  "RunningPort": 43173,
  "StorageType": 1,
  "GatewayConfiguration": {
	"signatureVersion": "v4"
  }
},
1 Like

Hi both of you

I pushed a fix - would you mind testing the latest dev build ?

  • Signature defaults to v4 instead of v2, except for local minio (issue with CopyObject and headers)
  • Proper handling of StorageConfiguration => GatewayConfiguration
  • Ability to choose signature version in UX :wink:

Thx !

Configuring through setup wizard worked!
Selecting the signature version when editing worked!

Thank you for your quick fix :slight_smile:

All tested against backblaze b2

Sorry I’m late in replying, but I can confirm that it works for me as well :slight_smile: