Wednesday, 2020-10-28

<openstackgerrit> likui proposed openstack/swift master: fix ci error test-requirements.txt  https://review.opendev.org/759836 [03:24]
<ormandj> is there a good way to find out the cause of 401/403s issued via s3 requests by swift proxy? we're seeing a request fail, but keystone has no failures logged [17:22]
<ormandj> with insecure logging enabled in keystone, we only see 200s [17:22]
<ormandj> only the proxy is returning a 401/403 to client [17:22]
<openstackgerrit> Pete Zaitcev proposed openstack/swift master: Let developers/operators add watchers to object audit (simplified)  https://review.opendev.org/706653 [19:43]
<timburke> ormandj, it's tricky without client logs -- might be able to sniff for the 401/403 response with tcpdump though? [20:12]
<ormandj> timburke: it's intermittent [20:16]
<ormandj> is there no way to have the proxy log the reason for the 401/403 [20:16]
<ormandj> we know it's a signature mismatch, but we can see the client logs [20:16]
<ormandj> same signature on both requests, we did the manual signature AWS authorization calculation [20:17]
<ormandj> the value sent is correct [20:17]
<ormandj> but for some reason on one of the requests (both have same date to the second, both GETs for the same object, only difference is the Range: header) returns a 403 to the client (401 from swift) [20:17]
<ormandj> same date/get/container/path/etc is why the authorization header stays the same [20:18]
<ormandj> we don't see any failures in keystone at these times [20:21]
<timburke> strange -- to my knowledge, range headers aren't used at all in signature calculations... [20:43]
<ormandj> they aren't [20:44]
<ormandj> and the AWS authorization header is the exact same on both requests [20:44]
<ormandj> so we don't know why one is returning a 403 through s3/401 via swift [20:44]
<ormandj> it's breaking the customer :/ [20:45]
<ormandj> we can't find anywhere the reason for the 401/403 is logged, just that it's a 401/403 [20:45]
<tdasilva_> timburke: IIRC range headers are used in signature calculations [20:45]
<ormandj> tdasilva_: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html [20:45]
<ormandj> it's http verb, content md4, content type, date, canonicalizedamzheaders + canonicalizedresource, but they aren't adding those [20:46]
<tdasilva_> https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html [20:46]
<ormandj> same request is successful with a 2xx and fails with a 403 (via s3), with the only difference being the range: being slightly different [20:47]
<ormandj> that's v4 sigs [20:47]
<ormandj> we did the Authorization: build ourselves using the data, and get the same string passed in, which again - works on one of the requests in question [20:49]
<ormandj> just intermittently we see 403s [20:49]
<ormandj> we think it might be a timeout with something but there's no logging of the cause/source of the 401 in swift/403 in s3api [20:49]
<ormandj> so to construct an authorization, you can do: printf "GET\n\n\nWed, 28 Oct 2020 16:17:12 GMT\n/container/object" | openssl sha1 -hmac "EC2SECRETHERE" -binary | base64  <-- that, for example, then your Authorization header is Authorization = "AWS" + " " + AWSKEY + ":" + signaturecalculatedpreviously [20:51]
<ormandj> range isn't included, and that will work for requests with that date/container/object/creds [20:52]
<ormandj> but _intermittently_ we see failures, even though a request at that same second with the same Authorization header 2xxd [20:52]
<ormandj> we don't know if it's a timeout somewhere that's just not being logged for a lookup to memcache/keystone/something else or something else entirely [20:53]
<ormandj> we don't see any failures in the keystone logs even with insecure debug on [20:53]
<ormandj> but unfortunately the proxy service doesn't log any detail beyond just returning a 401/403 [20:54]
<timburke> how far apart are the requests? i wonder if it might be hitting a clock-skew error... i think we set our limit more aggressively than AWS, should probably make that configurable... [20:54]
<ormandj> literally the same second with the same date in the request header [20:54]
<ormandj> in this case, it was same second down to the thousandth of a millisecon [20:54]
<ormandj> d [20:54]
<timburke> but what about the timestamp on the *log line*? [20:54]
<ormandj> i'll go check, but i think we're configured to allow a 15 minute delta on time just like AWS [20:55]
<ormandj> i doubt it's outside that, one sec, looking [20:55]
<timburke> the delta at https://github.com/openstack/swift/blob/2.26.0/swift/common/middleware/s3api/s3request.py#L740-L744 should totally be a config option :-/ [20:56]
<ormandj> one hit proxy01 at 13:24:34, one hit proxy04 13:24:35 [21:00]
<ormandj> the one hitting 01 failed [21:01]
<ormandj> the one hitting 04 succeeded [21:01]
<ormandj> both had the header date set as 13:24:34 [21:01]
<ormandj> i am noticing something i missed before, on the request that failed, the S3 request looks the same, but the swift request is not (we started enabling the swift logging too) [21:04]
<ormandj> on the working, we see /v1/AUTH_customerid/blahblahblah for request [21:04]
<ormandj> on the non-working, we see /v1/somehashofsomething/bucket/object/etc [21:04]
<ormandj> AUTH_ is our prefix [21:04]
<ormandj> and no idea what that second hash is of [21:05]
<ormandj> s3 request is the exact same in the log [21:05]
<timburke> somehashofsomething is probably the access_key_id -- s3token *should* have swapped it out for the proper swift account tho [21:09]
<timburke> clayg, rledisez (and anyone else who wants to join) ops feedback session starting! [21:10]
<ormandj> yeah, can check that, and apologies, the s3 request is the one that's different, the swift request looks the same but spits a 401 probably related to the s3 thing [21:11]
<ormandj> so some reason s3token isn't doing the nice thing on some requests, sometimes [21:12]
<ormandj> and yep, that's the access key [21:17]
<seongsoocho> ormandj: In my case, if the Host value of the HTTP header is different from swift's domain, the s3token always returns 403. [21:49]
<ormandj> seongsoocho: thank you, i'll look [23:28]
