return different status code for internode communication (#17655)

mc admin trace -a will now quickly show a
401 Unauthorized status, helping to pinpoint trivial issues
between nodes, such as wrong root
credentials and skewed time.
Anis Eleuch 2023-07-15 02:34:55 +01:00 committed by GitHub
parent 3e196fa7b3
commit df29d25e6b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions


@ -46,6 +46,8 @@ var (
errAccessKeyDisabled = errors.New("The access key you provided is disabled") errAccessKeyDisabled = errors.New("The access key you provided is disabled")
errAuthentication = errors.New("Authentication failed, check your access credentials") errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing") errNoAuthToken = errors.New("JWT token missing")
errSkewedAuthTime = errors.New("Skewed authenticationdate/time")
errMalformedAuth = errors.New("Malformed authentication input")
) )
// cachedAuthenticateNode will cache authenticateNode results for given values up to ttl. // cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
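Review bot: The new `errSkewedAuthTime` message is missing a space: it reads "Skewed authenticationdate/time". writeErrorResponse writes `err.Error()` into the response body, so this is the exact text an operator will see next to the 401 when tracing internode calls. Suggested line: `errSkewedAuthTime = errors.New("Skewed authentication date/time")`. The `var (` block opens above the hunk.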


@ -56,9 +56,15 @@ type storageRESTServer struct {
} }
func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) { func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
if errors.Is(err, errDiskStale) { err = unwrapAll(err)
switch err {
case errDiskStale:
w.WriteHeader(http.StatusPreconditionFailed) w.WriteHeader(http.StatusPreconditionFailed)
} else { case errFileNotFound, errFileVersionNotFound:
w.WriteHeader(http.StatusNotFound)
case errInvalidAccessKeyID, errAccessKeyDisabled, errNoAuthToken, errMalformedAuth, errAuthentication, errSkewedAuthTime:
w.WriteHeader(http.StatusUnauthorized)
default:
w.WriteHeader(http.StatusForbidden) w.WriteHeader(http.StatusForbidden)
} }
w.Write([]byte(err.Error())) w.Write([]byte(err.Error()))
@ -74,7 +80,7 @@ func storageServerRequestValidate(r *http.Request) error {
if err == jwtreq.ErrNoTokenInRequest { if err == jwtreq.ErrNoTokenInRequest {
return errNoAuthToken return errNoAuthToken
} }
return err return errMalformedAuth
} }
claims := xjwt.NewStandardClaims() claims := xjwt.NewStandardClaims()
@ -94,7 +100,7 @@ func storageServerRequestValidate(r *http.Request) error {
requestTimeStr := r.Header.Get("X-Minio-Time") requestTimeStr := r.Header.Get("X-Minio-Time")
requestTime, err := time.Parse(time.RFC3339, requestTimeStr) requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
if err != nil { if err != nil {
return err return errMalformedAuth
} }
utcNow := UTCNow() utcNow := UTCNow()
delta := requestTime.Sub(utcNow) delta := requestTime.Sub(utcNow)
@ -102,7 +108,7 @@ func storageServerRequestValidate(r *http.Request) error {
delta *= -1 delta *= -1
} }
if delta > DefaultSkewTime { if delta > DefaultSkewTime {
return fmt.Errorf("client time %v is too apart with server time %v", requestTime, utcNow) return errSkewedAuthTime
} }
return nil return nil
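Review bot: At the skew check, `return errSkewedAuthTime` replaces an error that carried both timestamps, so nothing on the new side records how far apart the clocks were or in which direction. The two `return errMalformedAuth` lines drop the underlying parse error in the same way. The 401 identifies the class of problem, but the delta is what an operator needs to fix a skewed node. If `unwrapAll` follows `%w` chains (its body is not shown here), wrapping would keep the detail for any caller that logs the error: `return fmt.Errorf("%w: request time %v, server time %v", errSkewedAuthTime, requestTime, utcNow)`. The response body would still carry only the sentinel text, because writeErrorResponse reassigns `err` to the unwrapped value before writing it; storageServerRequestValidate begins and ends outside these hunks.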