trinodb / aws-proxy

Proxy for S3
Apache License 2.0

Credentials error logs are misleading #88

Closed vagaerg closed 4 months ago

vagaerg commented 4 months ago

CredentialsController will attempt to locate a full set of credentials (emulated + real) from a given emulated credential (and optionally a session token). If found, it will pass them to a credentialsConsumer that can apply whatever transformation or computation it wants with the credentials and return an Optional<T>.

https://github.com/trinodb/aws-proxy/blob/7aa2af1e43e6ed3a2883ad7323f273598b8326c7/trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/credentials/CredentialsController.java#L138-L146

The issue is CredentialsController will log an error stating the credentials were not found if its final result is an empty optional. This could happen in two cases:

The latter happens, for instance, if the request has an invalid signature. That results in a log along the lines of

2024-07-02T11:14:29.634Z    DEBUG   http-worker-91  io.trino.aws.proxy.server.credentials.CredentialsController Credentials not found. EmulatedAccessKey: df4899b1-9026-4c51-a3f3-38fffa236748
2024-07-02T11:14:29.639Z    DEBUG   http-worker-91  io.trino.aws.proxy.spi.signing.SigningController    ValidateAndParseAuthorization failed. Request: Request[requestId=7d882ba7-c682-4c35-99ad-be36f29810af, requestAuthorization=RequestAuthorization[authorization=AWS4-HMAC-SHA256 Credential=df4899b1-9026-4c51-a3f3-38fffa236748/20240617/us-east-1/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-content-sha256;x-amz-date, Signature=79fffb33b584a661ec05906a3da4975903e13c46e030b4231c53711c36a9f78e, accessKey=df4899b1-9026-4c51-a3f3-38fffa236748, region=us-east-1, keyPath=20240617/us-east-1/s3/aws4_request, lowercaseSignedHeaders=[content-md5, content-type, host, x-amz-content-sha256, x-amz-date], signature=79fffb33b584a661ec05906a3da4975903e13c46e030b4231c53711c36a9f78e, securityToken=Optional.empty], requestDate=20240617T114456Z, requestUri=http://127.0.0.1:10064/api/v1/s3Proxy/s3/foo/bar, requestHeaders=io.trino.aws.proxy.spi.collections.ImmutableMultiMap@21ac2709, requestQueryParameters=io.trino.aws.proxy.spi.collections.ImmutableMultiMap@77a8cdf0, httpVerb=PUT, requestContent=io.trino.aws.proxy.server.rest.RequestBuilder$1@39653dc6], SigningServiceType: SigningServiceType[serviceName=s3, contentIsSigned=true]
2024-07-02T11:14:29.656Z    DEBUG   http-worker-91  io.trino.aws.proxy.server.rest.RequestLoggerController  RequestEnd: {request.http.method=PUT, request.errors={request.security.authorization.mismatch={request=AWS4-HMAC-SHA256 Credential=df4899b1-9026-4c51-a3f3-38fffa236748/20240617/us-east-1/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-content-sha256;x-amz-date, Signature=79fffb33b584a661ec05906a3da4975903e13c46e030b4231c53711c36a9f78e, generated=AWS4-HMAC-SHA256 Credential=df4899b1-9026-4c51-a3f3-38fffa236748/20240617/us-east-1/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-content-sha256;x-amz-date, Signature=89fffb33b584a661ec05906a3da4975903e13c46e030b4231c53711c36a9f78e}, webException.status=401, webException.message=HTTP 401 Unauthorized}, request.properties={}, request.type=SigningServiceType[serviceName=s3, contentIsSigned=true], request.uri=http://127.0.0.1:10064/api/v1/s3Proxy/s3/foo/bar, request.http.entity=true, request.id=7d882ba7-c682-4c35-99ad-be36f29810af, request.elapsed.ms=34}

The second log line is correct (signature validation failed), but the first one is not - I sent a request with a valid set of credentials, I simply mis-signed the contents.

I got these results by running this test, then modifying any of the signed header values or the signature to ensure it was invalid:

https://github.com/trinodb/aws-proxy/blob/7aa2af1e43e6ed3a2883ad7323f273598b8326c7/trino-aws-proxy/src/test/java/io/trino/aws/proxy/server/TestGenericRestRequests.java#L128-L140
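The two logging shapes discussed in this issue, as an added illustration that is not the project's code: all class, method and key names below are hypothetical stand-ins for CredentialsController and its credentialsConsumer, and the lookup table and signature check are constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

// Hypothetical stand-ins for the controller and consumer described in the issue.
public class CredentialsLogging {
    record Credentials(String emulatedAccessKey, String realSecret) {}

    // Constructed lookup table: a single known emulated key.
    static final Map<String, Credentials> STORE =
            Map.of("emulated-key-1", new Credentials("emulated-key-1", "real-secret"));

    // Problem shape: only the final Optional is inspected, so "not found" is logged
    // whether the lookup missed or the consumer rejected the request.
    static <T> Optional<T> misleading(String key, Function<Credentials, Optional<T>> consumer) {
        Optional<T> result = Optional.ofNullable(STORE.get(key)).flatMap(consumer);
        if (result.isEmpty()) {
            System.out.println("Credentials not found. EmulatedAccessKey: " + key);
        }
        return result;
    }

    // Corrected shape: log the lookup miss where it happens; an empty result from the
    // consumer is reported as a rejection, not as missing credentials.
    static <T> Optional<T> precise(String key, Function<Credentials, Optional<T>> consumer) {
        Credentials found = STORE.get(key);
        if (found == null) {
            System.out.println("Credentials not found. EmulatedAccessKey: " + key);
            return Optional.empty();
        }
        Optional<T> result = consumer.apply(found);
        if (result.isEmpty()) {
            System.out.println("Credentials found but rejected by consumer. EmulatedAccessKey: " + key);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed consumer: accepts only when the presented signature matches.
        String presented = "bad-signature";
        Function<Credentials, Optional<String>> verify = c ->
                presented.equals("sig-for-" + c.realSecret()) ? Optional.of(c.realSecret()) : Optional.empty();

        misleading("emulated-key-1", verify); // logs "Credentials not found" although the key exists
        precise("emulated-key-1", verify);    // logs the rejection instead
        precise("unknown-key", verify);       // a genuine miss is still logged as not found
    }
}
```

Keeping the two messages distinct matters for triage: a burst of "not found" lines points at a credential-provisioning problem, while rejections with known keys point at signing or clock issues on the client.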