gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Problems using presigned S3 URLs #38575

Open philchristensen opened 7 months ago

philchristensen commented 7 months ago

This is related to #23435 but is about using a presigned URL generated by a 3rd-party library (databricks-sql-connector in this case).

When using the databricks.sql library to fetch large result sets, it appears to generate a pre-signed S3 URL that is then fetched using the requests library.

Expected behavior:

The presigned URL should pass through the local Teleport proxy without alteration.

Current behavior:

Attempting to pass a presigned S3 URL through the local AWS proxy fails with:

2024-02-23T15:51:05Z             DEBU Started forwarding request for "sre-databricks-int-shr-569907343002-eu-west-2.s3.eu-west-2.amazonaws.com:443". alpnproxy/forward_proxy.go:366
2024-02-23T15:51:06Z [AWS_ACCES] ERRO Failed to parse AWS request authorization header. error:[
ERROR REPORT:
Original Error: *trace.BadParameterError empty AWS SigV4 header
Stack Trace:
    github.com/gravitational/teleport/lib/utils/aws/aws.go:95 github.com/gravitational/teleport/lib/utils/aws.ParseSigV4
    github.com/gravitational/teleport/lib/srv/alpnproxy/aws_local_proxy.go:108 github.com/gravitational/teleport/lib/srv/alpnproxy.(*AWSAccessMiddleware).HandleRequest
    github.com/gravitational/teleport/lib/srv/alpnproxy/local_proxy.go:321 github.com/gravitational/teleport/lib/srv/alpnproxy.(*LocalProxy).StartHTTPAccessProxy.func1
    net/http/server.go:2136 net/http.HandlerFunc.ServeHTTP
    net/http/server.go:2938 net/http.serverHandler.ServeHTTP
    net/http/server.go:2009 net/http.(*conn).serve
    runtime/asm_arm64.s:1197 runtime.goexit
User Message: empty AWS SigV4 header] alpnproxy/aws_local_proxy.go:110
2024-02-23T15:51:06Z             DEBU Stopped forwarding request for "sre-databricks-int-shr-569907343002-eu-west-2.s3.eu-west-2.amazonaws.com:443". alpnproxy/forward_proxy.go:372

Bug details:

philchristensen commented 7 months ago

No, databricks.sql is a library as well as databricks-sql-connector, not a file. Please revert your changes, they are not helpful.

philchristensen commented 7 months ago

Sorry, I see you noticed that at the same time I wrote the comment. Thanks!
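Added example, not part of the thread and not Teleport's code: a presigned S3 URL carries its SigV4 signature in `X-Amz-*` query parameters and sends no `Authorization` header, which is the case the `empty AWS SigV4 header` error in the log reflects. The Go sketch below tells the two forms apart so a proxy or a log triage script can recognise a presigned request. Assumptions: `ClassifySigV4`, `newReq` and `sampleURL` are hypothetical names, and the bucket, key id and signature are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Where a request carries its SigV4 signature.
const SigNone, SigHeader, SigQuery = "none", "authorization-header", "presigned-query"

// Query parameters present on every SigV4 presigned S3 URL.
var presignParams = []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
	"X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature"}

// Constructed sample: placeholder bucket, key id and signature.
const sampleURL = "https://example-bucket.s3.eu-west-2.amazonaws.com/result.bin?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
	"&X-Amz-Credential=AKIAEXAMPLE%2F20240223%2Feu-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240223T155105Z" +
	"&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"

// ClassifySigV4 reports where the signature lives and, for a presigned URL,
// the "region/service" of its credential scope. It does not verify the signature.
func ClassifySigV4(r *http.Request) (kind, scope string) {
	if strings.HasPrefix(r.Header.Get("Authorization"), "AWS4-HMAC-SHA256 ") {
		return SigHeader, ""
	}
	q := r.URL.Query()
	for _, p := range presignParams {
		if q.Get(p) == "" {
			return SigNone, ""
		}
	}
	// Credential is <key-id>/<yyyymmdd>/<region>/<service>/aws4_request.
	c := strings.Split(q.Get("X-Amz-Credential"), "/")
	if q.Get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256" || len(c) != 5 || c[4] != "aws4_request" {
		return SigNone, ""
	}
	return SigQuery, c[2] + "/" + c[3]
}

// newReq builds a GET request for the constructed samples.
func newReq(rawURL, authz string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, rawURL, nil)
	r.Header.Set("Authorization", authz)
	return r
}

func main() {
	fmt.Println(ClassifySigV4(newReq(sampleURL, "")))
}
```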