SNOW-1540431: Panic on OCSP failure with disabled OCSP cache #1180

Closed
adesso-os opened this issue Jul 16, 2024 · 6 comments
Labels
bug Erroneous or unexpected behaviour status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. status-triage_done Initial triage done, will be further handled by the driver team

Comments

@adesso-os

adesso-os commented Jul 16, 2024

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

The system is running in such a high level of isolation that it's not trivial to get all the details. Stack trace is pointing to

ocspResponseCacheLock.Lock()

  1. What version of GO driver are you using?
    1.10

  2. What operating system and processor architecture are you using?
    Linux amd64

  3. What version of GO are you using?
    Whatever Terraform uses.

  4. Server version: E.g. 1.90.1
    You may get the server version by running a query:

    SELECT CURRENT_VERSION();

  5. What did you do?

    1. Tried to establish a connection to a Snowflake instance that is located behind an AWS PrivateLink.
    2. Due to port 80 being blocked on this network path, OCSP fails.
    3. Disabled OCSP caching by setting SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED to "false".
    4. Next time the connection is attempted, OCSP check fails. Snowflake SDK will then try to persist this failure into the cache, which is uninitialized. Result = Panic

  6. What did you expect to see?

    A regular error/failure.

  7. Can you set logging to DEBUG and collect the logs?

    No

  8. What is your Snowflake account identifier, if any? (Optional)

@adesso-os adesso-os added the bug Erroneous or unexpected behaviour label Jul 16, 2024
@github-actions github-actions bot changed the title Panic on OCSP failure with disabled OCSP cache SNOW-1540431: Panic on OCSP failure with disabled OCSP cache Jul 16, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Jul 16, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage Issue is under initial triage label Jul 16, 2024
@sfc-gh-dszmolka
Contributor

hi and thank you for raising this issue with us! will take a look

@sfc-gh-dszmolka
Contributor

also while we're looking; if this is a super urgent and breaking issue for you, you can try

  • gosnowflake: insecureMode=true
  • Snowflake Terraform Provider: insecure_mode or envvar SNOWFLAKE_INSECURE_MODE to turn off OCSP entirely temporarily

@sfc-gh-dszmolka
Contributor

the issue seems to be reproducible even on an environment where port 80 is open, just by simply applying the envvar you mentioned

SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED=false go run cmd/select1/select1.go

instantly causes a panic when the driver tries to build the connection. we'll take a look and fix it.

in the meantime, if you check SYSTEM$ALLOWLIST_PRIVATELINK() output and configure OCSP_CACHE and OCSP_CACHE_REGIONLESS to both point to your VPC Endpoint then you don't need to allow port 80 to any direction which is on the public internet and can avoid using SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED

alternatively, as recommended you can temporarily set insecureMode but it's not recommended to keep it on for a long term.

thank you for drawing our attention to this problem!

@sfc-gh-dszmolka sfc-gh-dszmolka removed the status-triage Issue is under initial triage label Jul 16, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added the status-triage_done Initial triage done, will be further handled by the driver team label Jul 16, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. status-pr_pending_merge A PR is made and is under review and removed status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. labels Jul 17, 2024
@sfc-gh-dszmolka
Contributor

sfc-gh-dszmolka commented Jul 17, 2024

fixed with #1181
edit: fix is merged in the meantime so now we're awaiting the next release to roll out with the fix

@sfc-gh-dszmolka sfc-gh-dszmolka added status-fixed_awaiting_release The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector. and removed status-pr_pending_merge A PR is made and is under review labels Jul 17, 2024
@adesso-os
Author

Awesome! Thanks for the quick work. I really appreciate it!

@sfc-gh-dszmolka
Contributor

released with gosnowflake v1.11.0 in July 2024
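
A minimal model of the failure mode reported in this issue, added here as an illustration; it is not gosnowflake's source or the change made in #1181. It assumes the cache lock is a pointer that is only allocated when the cache is enabled; the `ocspCache` type, both constructors, `check` and `demo` are hypothetical names, and only the environment variable comes from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sync"
)

const cacheEnv = "SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED" // variable named in the issue
var errOCSPUnreachable = errors.New("OCSP responder unreachable")

// ocspCache is a hypothetical stand-in for a driver's OCSP response cache.
type ocspCache struct {
	lock    *sync.RWMutex
	entries map[string]error
}

// newCacheBuggy returns early when the cache is disabled, leaving lock nil.
func newCacheBuggy() *ocspCache {
	if os.Getenv(cacheEnv) == "false" {
		return &ocspCache{}
	}
	return newCacheFixed()
}

// newCacheFixed always allocates the lock and map, whatever the setting says.
func newCacheFixed() *ocspCache {
	return &ocspCache{lock: &sync.RWMutex{}, entries: map[string]error{}}
}

// check simulates a failed OCSP lookup, records it, and fails closed.
func check(c *ocspCache, certID string) error {
	c.lock.Lock() // nil pointer dereference when lock was never allocated
	defer c.lock.Unlock()
	c.entries[certID] = errOCSPUnreachable
	return errOCSPUnreachable
}

// demo runs both variants with the cache disabled and reports the outcome.
func demo() (buggyPanicked bool, fixedErr error) {
	os.Setenv(cacheEnv, "false")
	func() {
		defer func() { buggyPanicked = recover() != nil }()
		_ = check(newCacheBuggy(), "constructed-cert-id")
	}()
	return buggyPanicked, check(newCacheFixed(), "constructed-cert-id")
}
func main() { fmt.Println(demo()) }
```

With the lock allocated unconditionally, the failed revocation check surfaces as an ordinary error, which is the "regular error/failure" the reporter expected, and the connection is still refused rather than silently allowed.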
