fix: attach per-part checksum header on UploadPart for Object Lock buckets#1363
Merged
Slach merged 3 commits intoAltinity:masterfrom Apr 27, 2026
Merged
Conversation
…ckets S3 Object Lock buckets reject UploadPart requests that carry the checksum only as a trailer (the default behaviour of s3manager.Uploader) with InvalidRequest "Content-MD5 OR x-amz-checksum-* HTTP header is required for Put Part requests with Object Lock parameters". When CheckSumAlgorithm is set to CRC32 and the file is large enough to require multipart, switch to a manual CreateMultipartUpload / UploadPart / CompleteMultipartUpload loop that pre-computes CRC32 per part and sends it as the x-amz-checksum-crc32 request header via UploadPartInput.ChecksumCRC32. Extends Altinity#829 (which fixed the PutObject / CopyObject paths) to the UploadPart path.
david-pivonka
force-pushed
the
fix/upload-part-checksum-object-lock
branch
from
6a14ff8 to
7451e32
Compare
Contributor
Author
Signed-off-by: slach <bloodjazman@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes upload failures against S3 buckets with Object Lock enabled.
Problem
With
s3.checksum_algorithm: CRC32set in config, singlePutObject/CopyObjectuploads succeed against Object Lock buckets (that path was fixed in #829). Large file uploads still fail during multipart:s3manager.Uploadersends the per-part checksum as an HTTP trailer (via aws-chunked encoding). Object Lock rejects trailer-based checksums onUploadPart— it requires the checksum as a request header.Fix
When
CheckSumAlgorithm == CRC32and the file is large enough to trigger multipart,PutFileAbsolutedispatches to a manual multipart path (putFileMultipartCRC32) that:CreateMultipartUpload(existing enrich helper used, so tags / SSE / ACL preserved).UploadPartwithChecksumAlgorithm: CRC32andChecksumCRC32: <base64>— the SDK serialises this as thex-amz-checksum-crc32request header, which Object Lock accepts.CompleteMultipartUploadon success.For all other cases (no checksum configured, non-CRC32 algo, file below part size), the original
s3manager.Uploaderpath is unchanged.Scope
checksum_algorithm: CRC32, so existing deployments are unaffected.CopyObject(multipart copy) —UploadPartCopyInputhas noChecksumAlgorithmfield; server-side copy derives integrity from the source object and is not covered by this failure mode.s3manager.Uploaderbehaviour only in the dispatched case. Can be parallelised as a follow-up if needed.Verification
Tested against a real AWS S3 bucket in
ca-central-1with Object Lock Compliance mode (30-day default retention). Before the patch: every multipart upload fails with the InvalidRequest error above. After: uploads complete and objects land under the default retention.Related