managerUpload path missing SwapComputePayloadSHA256ForUnsignedPayloadMiddleware, causing XAmzContentSHA256Mismatch on Ceph S3

[awschmeder]

Version

lakeFS v1.79.0

Blockstore

S3-compatible (Ceph RGW)

Description

When uploading files via the web UI to a Ceph S3-compatible blockstore, uploads fail with:

upload multipart failed, upload id: 2~..., cause: operation error S3: UploadPart,
https response error StatusCode: 400, api error XAmzContentSHA256Mismatch: UnknownError

Root Cause

In pkg/block/s3/adapter.go, the Put method routes unknown-size uploads (sizeBytes == -1) through managerUpload, which uses s3manager.NewUploader. This path does not pass v4.SwapComputePayloadSHA256ForUnsignedPayloadMiddleware to the uploader, so the AWS SDK sends STREAMING-AWS4-HMAC-SHA256-PAYLOAD chunked transfer encoding, which Ceph RGW rejects.

By contrast, the direct UploadPart path (line 342) correctly applies the middleware:

resp, err := client.UploadPart(ctx, uploadPartInput,
    retryMaxAttemptsByReader(reader),
    s3.WithAPIOptions(v4.SwapComputePayloadSHA256ForUnsignedPayloadMiddleware),
    ...
)

But managerUpload (~line 975) does not:

output, err := uploader.Upload(ctx, input)  // missing middleware

Proposed Fix

output, err := uploader.Upload(ctx, input, func(u *manager.Uploader) {
    u.ClientOptions = append(u.ClientOptions,
        s3.WithAPIOptions(v4.SwapComputePayloadSHA256ForUnsignedPayloadMiddleware),
    )
})

Steps to Reproduce

1. Configure lakeFS with a Ceph S3-compatible blockstore (LAKEFS_BLOCKSTORE_S3_ENDPOINT, LAKEFS_BLOCKSTORE_S3_FORCE_PATH_STYLE=true)
2. Upload any file via the web UI
3. Observe XAmzContentSHA256Mismatch error in logs and UI

Workaround

None available on the lakeFS side without patching. The Ceph RGW admin can configure the gateway to accept streaming signatures, but this requires infrastructure access.