search

Azure / azure-storage-java

Microsoft Azure Storage Library for Java
https://docs.microsoft.com/en-us/java/api/overview/azure/storage
MIT License
189 stars 163 forks source link

Batch Delete with SAS Token Auth Fails #492

Closed original-brownbear closed 4 years ago

original-brownbear commented 5 years ago

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the SDK was used?

v8.4.0

What problem was encountered?

Using SAS Token authentication, batch delete operations fail because they are not correctly authenticated. I get the following exception:

Caused by: com.microsoft.azure.storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
at com.microsoft.azure.storage.StorageException.translateException(StorageException.java:87) ~[azure-storage-8.4.0.jar:?]
   at com.microsoft.azure.storage.core.StorageRequest.materializeException(StorageRequest.java:305) ~[azure-storage-8.4.0.jar:?]
    at com.microsoft.azure.storage.core.ExecutionEngine.executeWithRetry(ExecutionEngine.java:196) ~[azure-storage-8.4.0.jar:?]
    at com.microsoft.azure.storage.blob.BlobBatchOperation.execute(BlobBatchOperation.java:24) ~[azure-storage-8.4.0.jar:?]
   at com.microsoft.azure.storage.blob.CloudBlobClient.executeBatch(CloudBlobClient.java:796) ~[azure-storage-8.4.0.jar:?]
   at com.microsoft.azure.storage.blob.CloudBlobClient.executeBatch(CloudBlobClient.java:762) ~[azure-storage-8.4.0.jar:?]

Have you found a mitigation/solution?

The same exact code works fine when using normal key authentication. All other operations (putting blobs, deleting single blobs etc.) work as well. For now we can't move to bulk deletes as a result of this issue since we require SAS token auth to work but the SDK is not broken per-se since we can work around it by using single deletes.

rickle-msft commented 5 years ago

Hi, @original-brownbear. I am sorry for the delay. Somehow I am just now seeing this issue. Can you please share whether you are using a SAS on the overall request or if you are trying to authenticate the subrequests with SAS? Or some combination of the two? And could you also share whether you are trying to use an account sas or a service sas?

original-brownbear commented 5 years ago

Hi @rickle-msft, no worries, thanks for taking a look!

And could you also share whether you are trying to use an account sas or a service sas?

This was tested using an account level SAS token.

Can you please share whether you are using a SAS on the overall request or if you are trying to authenticate the subrequests with SAS? Or some combination of the two?

I'm not sure what the right answer is here, it seems that is an implementation detail of the SDK rather than something I'm consciously setting? I'm basically just setting up my SDK client using the ;SharedAccessSignature=... param in the connect string and that's it and it works for everything but the batched deletes. Can I do anything besides that to work around the issue maybe?

jaschrep-msft commented 5 years ago

It appears to be a known issue on the service that batch requests cannot be authenticated with an account SAS. If SAS authentication is a requirement, I can suggest using a service SAS instead of an account level SAS if you want to move to batching delete requests.

rickle-msft commented 4 years ago

@original-brownbear I am going to close this issue as we have determined that this is a known service issue with a suggested work around of using a service sas. Please feel free to continue the discussion here if you feel you need more support.

original-brownbear commented 4 years ago

Sorry @rickle-msft, totally forgot answering here. Thanks for getting back to me on this one, working with the service SAS is fine for us for now :)