Specifying the port # in a URL #2568
Comments
To add to this, I just quickly installed minio (latest version) and I get the same issue with it.
Thanks for filing the issue! Any chance you could post the steps you took to reproduce with minio? (just to save us some time to figure out how to configure it 😄 )
That does look like the correct formatting for the
Sure, it's pretty easy to install and configure (I hadn't used it before this). I just used Windows but you can install it on Linux if you want. Download it here: https://min.io/download#/windows. It's an executable. Set the following environment variables: MINIO_ACCESS_KEY=minioadmin. In Windows I created a folder c:\minio which is for its object store and config files etc., then execute it as `minio server c:\minio`. It will start up and you can connect to it with a browser on port 127.0.0.1:9000 or the server's IP address:9000 from other workstations. The admin account by default is minioadmin with minioadmin as the password. You can use this account for S3 data as well; use minioadmin as the S3 secret. There is a client mc.exe you can download and use but you don't have to. The browser will let you create a bucket and you can use s3browser or another S3 util to upload your bundles. Then just set your url to url: http://minio_ip:9000/mybucket and off you go. There's probably a lot more to setting minio up but this was enough for me to test it. I guess all your current users are just using a cloud server so never need to specify a port #. This is an on-prem installation and the default ports can't be used to map them to what is required. I think I've got the steps down for you okay, sorry if any mistakes crept in.
Perfect 👍 Thanks for the instructions.
The AWS v4 signing feature for bundle requests would automatically add a `Host` header by using the URL hostname. This would break for URLs that specified a port number (eg: https://127.0.0.1:9000/). That causes issues with sending a valid request. This commit changes to use the `URL.Host` which will have the full `host:port` string, when a port was specified. Fixes: open-policy-agent#2568 Signed-off-by: Patrick East <east.patrick@gmail.com>
I think I found the issue, or at least got it to work with minio. The @paulmckeown would you be able to give the code in #2572 a try with your Dell EMC ECS S3 object store to ensure it corrects the original issue too?
The AWS v4 signing feature for bundle requests would automatically add a `Host` header by using the URL hostname. This would break for URLs that specified a port number (eg: https://127.0.0.1:9000/). That causes issues with sending a valid request. This commit changes to use the `URL.Host` which will have the full `host:port` string, when a port was specified. Fixes: #2568 Signed-off-by: Patrick East <east.patrick@gmail.com>
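To illustrate the Host header change the commit message describes, here is an added Go example (not OPA's own code): it builds the signed host header both ways, from the URL hostname alone and from URL.Host, and runs each through the standard SigV4 signing key derivation so the divergence is visible. The secret, date, region and service are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// HostHeaders returns the Host header value the commit message describes as broken
// (URL hostname alone, port dropped) and the fixed one (URL.Host, which keeps "host:port").
func HostHeaders(rawURL string) (before, after string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	return u.Hostname(), u.Host, nil
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// SigV4Signature derives the standard SigV4 signing key chain and signs only the
// canonical "host" header. A real string-to-sign covers the whole request; the
// header alone is enough to show that dropping the port changes the signature.
func SigV4Signature(secret, date, region, service, host string) string {
	kDate := hmacSHA256([]byte("AWS4"+secret), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	kSigning := hmacSHA256(kService, "aws4_request")
	return hex.EncodeToString(hmacSHA256(kSigning, "host:"+host+"\n"))
}

func main() {
	// Constructed sample inputs; the secret is the minio default quoted in the thread.
	for _, raw := range []string{"http://127.0.0.1:9000/mybucket", "http://my_load_balancer.com/opabckt1"} {
		before, after, err := HostHeaders(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  before: host=%-22s sig=%s\n  after:  host=%-22s sig=%s\n", raw,
			before, SigV4Signature("minioadmin", "20200801", "us-east-1", "s3", before),
			after, SigV4Signature("minioadmin", "20200801", "us-east-1", "s3", after))
	}
}
```

For the URL without a port both values are identical, which is why the bug only surfaced on installations like the on-prem ECS and minio setups in this thread.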
Update, we went ahead with merging this. Turns out the issue reproduces with "real" s3 if you put the It would still be good to test it out and ensure we're good to have this issue closed. It's easier now though, try out the latest
Patrick, I tried the latest release via the link above but it still fails for minio and for ECS. Is it the correct link?
Also, if you wish to test against Dell EMC ECS we have an online ECS which our partners and customers can use for functional testing. You can sign up for credentials at https://portal.ecstestdrive.com/. It is behind a load balancer but you can add the :443 port to the URL to test your fix.
Thanks! I signed up on the test drive site (waiting for email confirmation to get access). For minio I am seeing it work, my steps are: Start minio:
In another terminal (I already had the
Which confirms the host is setup for s3v4 signing
I've got OPA configured to use that service and I tell it to look for environment credentials.. just need to upload a test bundle..
And now getting the
Last step is to configure the environment variables that will be read for the credentials and start opa:
In the log I'm seeing that it was able to successfully pull the bundle. For your environment please confirm in the debug output if the
Ok, I'll try again. I approved your ECS portal account so you should have your credentials now.
It works. I must've fat-fingered something this morning. Thanks for the quick fix!
Great, it worked for you as well, so that confirms it. BTW, ECS doesn't care what you put for region; it ignores it. The credential you have will stay active forever and you have about 1TB of storage you can use, so feel free to keep using it as another QA target. If you run into issues using it, email me on paul.mckeown@dell.com. Paul
When using a URL of the form
url: http://10.246.22.181:9020/opabckt1
on starting OPA the attempt to read the bundles returns signature mismatch errors.
If I change the url so that it does not specify the port number, by going via an IP load balancer, for example
url: http://my_load_balancer.com/opabckt1
OPA is able to read the bundles with no issues.
I would expect to be able to specify the port number by appending the port as in the above example.
OPA version: v0.22.0, which I believe is the latest.
I'm running OPA on
Linux CentOS 7
Kernel: Linux 3.10.0-1127.13.1.el7.x86_64
config.yaml

```yaml
services:
  s3:
    url: http://10.246.22.181:9020/opabckt1
bundles:
  policy:
    service: s3
    resource: policy.tar.gz
    polling:
      min_delay_seconds: 10
      max_delay_seconds: 30
  data:
    service: s3
    resource: data.tar.gz
    polling:
      min_delay_seconds: 10
      max_delay_seconds: 30
```
The S3 target is a Dell EMC ECS S3 object store, revision 3.5 and 3.4 (both have been tested).
Could I get confirmation that this is the correct way to specify the port # on an S3 type url, and whether specifying the port number like this is causing the signature mismatch I'm seeing?
Thanks, Paul