return different status code for internode communication (#17655)

mc admin trace -a will be able to quickly show
401 Unauthorized header to pinpoint trivial issues
between nodes, such as wrong root 
credentials and skewed time.
This commit is contained in:
Anis Eleuch 2023-07-15 02:34:55 +01:00 committed by GitHub
parent 3e196fa7b3
commit df29d25e6b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions

View File

@ -46,6 +46,8 @@ var (
errAccessKeyDisabled = errors.New("The access key you provided is disabled")
errAuthentication = errors.New("Authentication failed, check your access credentials")
errNoAuthToken = errors.New("JWT token missing")
errSkewedAuthTime = errors.New("Skewed authenticationdate/time")
errMalformedAuth = errors.New("Malformed authentication input")
)
// cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.

View File

@ -56,9 +56,15 @@ type storageRESTServer struct {
}
func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
if errors.Is(err, errDiskStale) {
err = unwrapAll(err)
switch err {
case errDiskStale:
w.WriteHeader(http.StatusPreconditionFailed)
} else {
case errFileNotFound, errFileVersionNotFound:
w.WriteHeader(http.StatusNotFound)
case errInvalidAccessKeyID, errAccessKeyDisabled, errNoAuthToken, errMalformedAuth, errAuthentication, errSkewedAuthTime:
w.WriteHeader(http.StatusUnauthorized)
default:
w.WriteHeader(http.StatusForbidden)
}
w.Write([]byte(err.Error()))
@ -74,7 +80,7 @@ func storageServerRequestValidate(r *http.Request) error {
if err == jwtreq.ErrNoTokenInRequest {
return errNoAuthToken
}
return err
return errMalformedAuth
}
claims := xjwt.NewStandardClaims()
@ -94,7 +100,7 @@ func storageServerRequestValidate(r *http.Request) error {
requestTimeStr := r.Header.Get("X-Minio-Time")
requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
if err != nil {
return err
return errMalformedAuth
}
utcNow := UTCNow()
delta := requestTime.Sub(utcNow)
@ -102,7 +108,7 @@ func storageServerRequestValidate(r *http.Request) error {
delta *= -1
}
if delta > DefaultSkewTime {
return fmt.Errorf("client time %v is too apart with server time %v", requestTime, utcNow)
return errSkewedAuthTime
}
return nil