return different status code for internode communication (#17655)
mc admin trace -a will be able to quickly show 401 Unauthorized header to pinpoint trivial issues between nodes, such as wrong root credentials and skewed time.
parent
3e196fa7b3
commit
df29d25e6b
@ -46,6 +46,8 @@ var (
|
|||||||
errAccessKeyDisabled = errors.New("The access key you provided is disabled")
|
errAccessKeyDisabled = errors.New("The access key you provided is disabled")
|
||||||
errAuthentication = errors.New("Authentication failed, check your access credentials")
|
errAuthentication = errors.New("Authentication failed, check your access credentials")
|
||||||
errNoAuthToken = errors.New("JWT token missing")
|
errNoAuthToken = errors.New("JWT token missing")
|
||||||
|
errSkewedAuthTime = errors.New("Skewed authenticationdate/time")
|
||||||
|
errMalformedAuth = errors.New("Malformed authentication input")
|
||||||
)
|
)
|
||||||
|
|
||||||
// cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
|
// cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
|
||||||
|
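Review bot: The message on the new `errSkewedAuthTime` sentinel is missing a space (`"Skewed authenticationdate/time"`). writeErrorResponse writes `err.Error()` into the response body, so this string is likely what an operator reads when diagnosing a skewed clock. Change it to `errSkewedAuthTime = errors.New("Skewed authentication date/time")`. The `var (` block opens above this hunk, so any convention for documenting the sentinels there is not visible; a one-line comment on each new error saying which check produces it would help.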
@ -56,9 +56,15 @@ type storageRESTServer struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
|
func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
|
||||||
if errors.Is(err, errDiskStale) {
|
err = unwrapAll(err)
|
||||||
|
switch err {
|
||||||
|
case errDiskStale:
|
||||||
w.WriteHeader(http.StatusPreconditionFailed)
|
w.WriteHeader(http.StatusPreconditionFailed)
|
||||||
} else {
|
case errFileNotFound, errFileVersionNotFound:
|
||||||
|
w.WriteHeader(http.StatusNotFound)
|
||||||
|
case errInvalidAccessKeyID, errAccessKeyDisabled, errNoAuthToken, errMalformedAuth, errAuthentication, errSkewedAuthTime:
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
default:
|
||||||
w.WriteHeader(http.StatusForbidden)
|
w.WriteHeader(http.StatusForbidden)
|
||||||
}
|
}
|
||||||
w.Write([]byte(err.Error()))
|
w.Write([]byte(err.Error()))
|
||||||
@ -74,7 +80,7 @@ func storageServerRequestValidate(r *http.Request) error {
|
|||||||
if err == jwtreq.ErrNoTokenInRequest {
|
if err == jwtreq.ErrNoTokenInRequest {
|
||||||
return errNoAuthToken
|
return errNoAuthToken
|
||||||
}
|
}
|
||||||
return err
|
return errMalformedAuth
|
||||||
}
|
}
|
||||||
|
|
||||||
claims := xjwt.NewStandardClaims()
|
claims := xjwt.NewStandardClaims()
|
||||||
@ -94,7 +100,7 @@ func storageServerRequestValidate(r *http.Request) error {
|
|||||||
requestTimeStr := r.Header.Get("X-Minio-Time")
|
requestTimeStr := r.Header.Get("X-Minio-Time")
|
||||||
requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
|
requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return errMalformedAuth
|
||||||
}
|
}
|
||||||
utcNow := UTCNow()
|
utcNow := UTCNow()
|
||||||
delta := requestTime.Sub(utcNow)
|
delta := requestTime.Sub(utcNow)
|
||||||
@ -102,7 +108,7 @@ func storageServerRequestValidate(r *http.Request) error {
|
|||||||
delta *= -1
|
delta *= -1
|
||||||
}
|
}
|
||||||
if delta > DefaultSkewTime {
|
if delta > DefaultSkewTime {
|
||||||
return fmt.Errorf("client time %v is too apart with server time %v", requestTime, utcNow)
|
return errSkewedAuthTime
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
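Review bot: The three new returns in storageServerRequestValidate discard the detail needed to diagnose the failure: `return errMalformedAuth` after the `jwtreq.ErrNoTokenInRequest` check and after the `X-Minio-Time` parse, and `return errSkewedAuthTime` in the skew check. The old skew message carried `requestTime` and `utcNow`, so after this change a 401 no longer shows how far apart the clocks are or what failed to parse. Keep the sentinel for the status mapping but preserve the detail, for example `return fmt.Errorf("%w: client time %v, server time %v", errSkewedAuthTime, requestTime, utcNow)`. Because writeErrorResponse reassigns `err = unwrapAll(err)` before writing the body, that detail would presumably be stripped again unless the original error is kept for the body or logged on the server side; unwrapAll is not visible here, so confirm. The function starts and ends outside these hunks.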