search

CDLUC3 / ezid

CDLUC3 ezid
MIT License
11 stars 4 forks source link

Investigate 401 unauthorized errors from Merritt submissions #616

Closed jsjiang closed 4 months ago

jsjiang commented 4 months ago

There are

From Eric (5/7): Each of the requests noted above are from mrtingest-prd01. It's interesting to note that yesterday, roughly between 8:40am - 5pm 529 401s were encountered via requests from the three new ingest hosts. OpenSearch Dashboard&_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2eba4800-2c2b-11ee-832c-9936b416e823',key:elb_status_code.keyword,negate:!f,params:(query:'401'),type:phrase),query:(match_phrase:(elb_status_code.keyword:'401'))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2eba4800-2c2b-11ee-832c-9936b416e823',key:clientip,negate:!f,params:!('52.35.63.255','54.244.52.64','54.244.52.21'),type:phrases,value:'52.35.63.255,%2054.244.52.64,%2054.244.52.21'),query:(bool:(minimum_should_match:1,should:!((match_phrase:(clientip:'52.35.63.255')),(match_phrase:(clientip:'54.244.52.64')),(match_phrase:(clientip:'54.244.52.21'))))))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:''),timeRestore:!f,title:ezid-elb_dashboard,viewMode:view))

Many more can be seen by going back a day further to May 5.

Client IPs: 54.244.52.64, 54.244.52.21, 52.35.63.255

Jing: In the past 30 days, almost 50% of the requests from the above IPs ended up with 401 error Past 30 day requests with 50% 401 errors&_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2eba4800-2c2b-11ee-832c-9936b416e823',key:clientip,negate:!f,params:!('52.35.63.255','54.244.52.64','54.244.52.21'),type:phrases,value:'52.35.63.255,%2054.244.52.64,%2054.244.52.21'),query:(bool:(minimum_should_match:1,should:!((match_phrase:(clientip:'52.35.63.255')),(match_phrase:(clientip:'54.244.52.64')),(match_phrase:(clientip:'54.244.52.21'))))))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:''),timeRestore:!f,title:ezid-elb_dashboard,viewMode:view))

It looks like there is a 401 paired for each request.

Note: updating IDs from Postman didn't cause 401 errors:

jsjiang commented 4 months ago

This is a result of using higher-level authentication from the user side. We may want to ask Merritt to use lower-level authentication when traffic on EZID becomes an issue.

From EZID API documentation:

The downside of using higher-level authentication mechanisms is that they often do not supply credentials initially, but only in response to a challenge from EZID, thus doubling the number of HTTP transactions.