scitokens / scitokens-cpp

A C++ implementation of the SciTokens library with a C library interface
Apache License 2.0

Curl timeout while retrieving IAM public key #114

Closed esindril closed 1 year ago

esindril commented 1 year ago

While using the latest released version of scitokens-cpp (1.0.0) we hit timeouts while trying to retrieve the public key for the configured IAM. In this case the IAM in question is https://wlcg.cloud.cnaf.infn.it/

The corresponding trace in the logs is the following:

230413 00:53:33 10141 scitokens_GenerateAcls: ACL generation from SciToken failed: Timeout was reached
230413 00:53:33 10141 scitokens_Access: Failed to generate ACLs for token

Below you can find the relevant part of the trace which throws the exception. [1]

While investigating this, modifying the default_timeout used here [2] when doing the CURL requests from 4 to 10 seconds reliably fixed our issues. Therefore, could the default value be a bit higher to accommodate such slow instances or at least be somehow configurable via the XrdSciTokens plug-in?

Thanks!

[2] https://github.com/scitokens/scitokens-cpp/blob/master/src/scitokens_internal.h#L70

[1]

#0  0x00007fa7fee85bed in __cxa_throw () from /lib64/libstdc++.so.6
#1  0x00007fa7f528b0aa in scitokens::internal::SimpleCurlGet::perform_continue() () from /lib64/libSciTokens.so.0
#2  0x00007fa7f528e529 in scitokens::Validator::get_public_keys_from_web_continue(std::unique_ptr<scitokens::AsyncStatus, std::default_delete<scitokens::AsyncStatus> >) () from /lib64/libSciTokens.so.0
#3  0x00007fa7f528ff66 in scitokens::Validator::get_public_key_pem_continue(std::unique_ptr<scitokens::AsyncStatus, std::default_delete<scitokens::AsyncStatus> >, std::string&, std::string&) ()
   from /lib64/libSciTokens.so.0
#4  0x00007fa7f528761f in scitokens::Validator::verify_async_continue(std::unique_ptr<scitokens::AsyncStatus, std::default_delete<scitokens::AsyncStatus> >) () from /lib64/libSciTokens.so.0
#5  0x00007fa7f5289d2c in scitokens::Validator::verify(scitokens::SciToken const&, long) () from /lib64/libSciTokens.so.0
#6  0x00007fa7f52765df in enforcer_generate_acls () from /lib64/libSciTokens.so.0
#7  0x00007fa7f54eb345 in XrdAccSciTokens::GenerateAcls (groups=std::vector of length 0, capacity 0, map_rules=std::vector of length 0, capacity 0, issuer="", token_subject="", username="",
    rules=std::vector of length 0, capacity 0, cache_expiry=<synthetic pointer>: <optimized out>,
    authz="xyz"..., this=0x61300000bb80) at /usr/src/debug/xrootd-5.5.8/src/XrdSciTokens/XrdSciTokensAccess.cc:771
#8  XrdAccSciTokens::Access (this=<optimized out>, Entity=<optimized out>, path=<optimized out>, oper=<optimized out>, env=<optimized out>) at /usr/src/debug/xrootd-5.5.8/src/XrdSciTokens/XrdSciTokensAccess.cc:488
#9  0x00007fa7183bd513 in Macaroons::Authz::Access (this=0x607000012a10, Entity=<optimized out>, path=<optimized out>, oper=<optimized out>, env=<optimized out>)

djw8605 commented 1 year ago

I think this is a very reasonable request. As with all things, the 4 seconds was a tradeoff that was deliberately decided upon. But, now that we have the async interface, I think increasing the default timeout is reasonable. I will discuss with others, but I expect I can make this change next week.

djw8605 commented 1 year ago

@esindril A 1.0.1 release of scitokens-cpp has been submitted to the EPEL update system. Here are the epel7 and epel8 update links.