search

microsoft / AzureStorageExplorer

Easily manage the contents of your storage account with Azure Storage Explorer. Upload, download, and manage blobs, files, queues, tables, and Cosmos DB entities. Gain easy access to manage your virtual machine disks. Work with either Azure Resource Manager or classic storage accounts, plus manage and configure cross-origin resource sharing (CORS) rules.
Creative Commons Attribution 4.0 International
377 stars 87 forks source link

unable to find blobs in a container with a blob tag filter sql expression using container SAS #6259

Closed Venu-prahalad closed 2 years ago

Venu-prahalad commented 2 years ago

Preflight Checklist

Storage Explorer Version

1.26.1

Regression From

No response

Architecture

x64

Storage Explorer Build Number

20221018.5

Platform

Windows

OS Version

Windows 10

Bug Description

I am in need to filter blobs by tags when connected using container SAS. When I tried doing so, I get the error "Server failed to authenticate the request......." as in below image

image

NOTE: Filter tag works if I use account level SAS This problem is only seen when I use container level SAS. I have granted all required permissions racwdxltf on container level SAS.

I found same issue with Azure CLI, powershell as well. CLI team has fixed the issue for CLI and powershell. You can refer to the URL for the issue https://github.com/Azure/azure-cli/issues/24171

Steps to Reproduce

  1. Launch storage explorer
  2. click on connect button
  3. select blob container
  4. select SAS connection string option
  5. provide SAS connection string generated for the container
  6. proceed to connect to the container.
  7. After connecting to container, click on Filter button
  8. select filter by tag. provide filter option and click on appy.
  9. observe the behavior.

The extract from the log file is as below

[2022-11-08T19:38:00.888Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1 [2022-11-08T19:40:11.695Z] (se-blob-extension:29852) API call for BlobServiceClient.findBlobsByTags failed GET https://xx.blob.core.windows.net/?sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=AzureSAS Token Redacted&maxresults=5000&comp=blobs&where=%22tagKey%22%3D'tagValue'%20AND%20%40container%3D'xx' - 403 Credential used: SAS token - sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=** RequestId: 09aeab90-f556-42f1-9081-740b2ba8a3a1, Date sent: Tue, 08 Nov 2022 19:40:10 GMT, ApiVersion: 2017-04-17, ProxySettings: undefined ErrorCode: undefined [2022-11-08T19:40:11.696Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1

Actual Experience

I receive error "Server failed to authenticate the request..."

Expected Experience

When right container level SAS is used, application should filter blobs byt ags

Additional Context

The extract from the log file is as below

[2022-11-08T19:38:00.888Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1 [2022-11-08T19:40:11.695Z] (se-blob-extension:29852) API call for BlobServiceClient.findBlobsByTags failed GET https://xx.blob.core.windows.net/?sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=AzureSAS Token Redacted&maxresults=5000&comp=blobs&where=%22tagKey%22%3D'tagValue'%20AND%20%40container%3D'xx' - 403 Credential used: SAS token - sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=** RequestId: 09aeab90-f556-42f1-9081-740b2ba8a3a1, Date sent: Tue, 08 Nov 2022 19:40:10 GMT, ApiVersion: 2017-04-17, ProxySettings: undefined ErrorCode: undefined [2022-11-08T19:40:11.696Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1

craxal commented 2 years ago

@Venu-prahalad The SAS you appear to be using is based on a shared access policy (indicated by the "si=xxx" part of the token). I assume the shared access policy includes "t" and "f" permissions?

JasonYeMSFT commented 2 years ago

This is a known issue we are trying to resolve in 1.27.0 #6184 . Currently the container level SAS won't work for the filter by tags API we use.

MRayermannMSFT commented 2 years ago

Since #6184 is merged we will close this. This scenario will be supported in 1.27.