Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Object Lock Error Responses Wrong/Weird #498

Open
ferristocrat opened this issue Aug 30, 2024 · 9 comments
Open

Object Lock Error Responses Wrong/Weird #498

ferristocrat opened this issue Aug 30, 2024 · 9 comments
Assignees
@halkyon
Labels
bug Something isn't working edge
Milestone
Object Lock

Comments

@ferristocrat
Copy link
Contributor

ferristocrat commented Aug 30, 2024
edited
Loading

The following object lock related actions returned an "unauthorized" error rather than the appropriate error.

Action Example Request Response Expected response
PutBucketVersioning aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Suspended --endpoint-url https://gateway.qa.storjshare.io An error occurred (AccessDenied) when calling the PutBucketVersioning operation: Access Denied. Not sure, but probably something different than the current response.
DeleteObject (with retention set) aws s3api delete-object --bucket my-bucket --key my-object --version-id 0000000000000001a008c98f1d6afe18 --endpoint-url https://gateway.qa.storjshare.io An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied Not sure, but probably something different than the current response.
PutObjectLegalHold aws s3api put-object-legal-hold --bucket my-bucket --key my-object --legal-hold '{ "Status": "ON"}' --endpoint-url https://gateway.qa.storjshare.io An error occurred (InvalidRequest) when calling the PutObjectLegalHold operation: Bucket is missing ObjectLockConfiguration Would expect "not implemented" response

See columns G, H, I for more context: https://docs.google.com/spreadsheets/d/1Yfz1sSTRD2nTRAkgGJ27aAv7wTMJCd-74fJlujdNPBw/edit?gid=0#gid=0
@ferristocrat ferristocrat added the bug Something isn't working label Aug 30, 2024
@ferristocrat ferristocrat added this to the Object Lock milestone Aug 30, 2024
@halkyon
Copy link
Contributor

halkyon commented Sep 4, 2024
edited
Loading

Additional unmapped or incorrect errors discovered in tests: https://review.dev.storj.io/c/storj/edge/+/14432

  • GetObjectRetention on an object without retention unmapped error: object retention not found: object does not have a retention configuration. Maybe this should be InvalidRequest.
  • PutObject (and possibly PutObjectRetention) with governance mode unmapped error: invalid retention mode 0, expected 1 (compliance)
  • PutObjectRetention on an object with a retain until date in the past produced MalformedXML error instead of InvalidRequest.
  • PutObject when attempting to set lock settings on unversioned bucket produces unmapped error cannot specify Object Lock settings when uploading into a bucket without Versioning enabled

@halkyon
Copy link
Contributor

halkyon commented Sep 4, 2024
edited
Loading

Jeremy mentioned that S3 returns AccessDenied if attempting to delete a locked object, so that one should probably keep the code as-is but provide a more useful message. S3 responds with this:

An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied because object protected by object lock.

@storj-gerrit
Copy link

storj-gerrit bot commented Sep 4, 2024

Change miniogw: map GetObjectRetention no retention errors mentions this issue.

storjBuildBot pushed a commit to storj/gateway-st that referenced this issue Sep 4, 2024
@halkyon
miniogw: map GetObjectRetention no retention errors
f99eaf8 
this maps metaclient.ErrRetentionNotFound errors to a minio
error of "InvalidRequest" so the client sees an appropriate
response instead of an internal server error.

Updates storj/edge#498

Change-Id: I0d86d308c5cfaf449014b0d87da48af9406a1cca
@halkyon
Copy link
Contributor

halkyon commented Sep 5, 2024
edited
Loading

AWS S3 error response research:

GetObjectLockConfiguration on bucket without object lock

S3: HTTP 404: ObjectLockConfigurationNotFoundError: Object Lock configuration does not exist for this bucket

Us: HTTP 400: "InvalidRequest: Bucket is missing Object Lock Configuration"

This is a big difference we should probably fix.

GetObjectRetention on object without any (bucket has object lock configuration)

S3: HTTP 404: "NoSuchObjectLockConfiguration: The specified object does not have a ObjectLock configuration"

Us: HTTP 400: "InvalidRequest: Object is missing retention configuration"

This is a big difference we should probably fix.

GetObjectRetention on object without any (bucket has no object lock configuration)

S3: HTTP 400: "InvalidRequest: Bucket is missing Object Lock Configuration"

Us: HTTP 400: "InvalidRequest: Object is missing retention configuration"

PutObjectLockConfiguration on bucket without versioning enabled

S3: HTTP 409: InvalidBucketState: Versioning must be 'Enabled' on the bucket to apply a Object Lock configuration

US: HTTP 501: Unimplemented

PutObject with retain date in the past

S3: HTTP 400: InvalidArgument: The retain until date must be in the future!

Us: MalformedXML. Might be a minio issue.

PutObject with invalid mode

S3: HTTP 400: InvalidArgument: Unknown wormMode directive.

Us: HTTP 400: InvalidRequest

Might not be worth fixing the code when the status is the same.

PutObject with correct retention settings, versioning not enabled on bucket and no bucket lock configuration:

S3: HTTP 400: InvalidRequest: Bucket is missing ObjectLockConfiguration

Us: HTTP 500: "cannot specify Object Lock settings when uploading into a bucket without Versioning enabled"

This is critical to fix as it's unmapped (defaults to 500) resulting in misleading clients to retry with the same result.

PutObject with correct retention settings, versioning is enabled on bucket and no bucket lock configuration:

S3: HTTP 400: InvalidRequest: Bucket is missing ObjectLockConfiguration

Us: HTTP 500: ""cannot specify Object Lock settings when uploading into a bucket without Object Lock enabled"

This is critical to fix as it's unmapped (defaults to 500) resulting in misleading clients to retry with the same result.

DeleteObject locked version

S3: HTTP 403: AccessDenied: Access Denied because object protected by object lock.

Us: HTTP 403: AccessDenied: Access Denied.

Adjusting the error message might be helpful to users.

PutBucketVersioning suspend bucket with existing object lock configuration

S3: HTTP 409: InvalidBucketState: An Object Lock configuration is present on this bucket, so the versioning state cannot be changed

Us: HTTP 403: AccessDenied: Access Denied:

This is probably worth fixing to make it more descriptive, at least.

@storj-gerrit
Copy link

storj-gerrit bot commented Sep 5, 2024

Change miniogw: fix error responses for missing lock or retention mentions this issue.

@storj-gerrit
Copy link

storj-gerrit bot commented Sep 10, 2024

Change satellite/metainfo: return object lock messages consistent with S3 mentions this issue.

@storj-gerrit
Copy link

storj-gerrit bot commented Sep 10, 2024

Change private/metaclient: remap object lock errors mentions this issue.

@storj-gerrit
Copy link

storj-gerrit bot commented Sep 10, 2024

Change miniogw: return 404 for GetObjectLockConfig if no lock found mentions this issue.

storjBuildBot pushed a commit to storj/gateway-st that referenced this issue Sep 10, 2024
@halkyon
miniogw: return 404 for GetObjectLockConfig if no lock found
6229533 
This endpoint should return a 404 for when lock config is not
found, instead of a 400.

Additionally, fix tests to use the object API layer for testing
GetObjectLockConfig. Gateway tests should not be testing the
metaclient endpoints, since that's uplink domain.

Updates storj/edge#498

Change-Id: Ic7cbb3f217acf086884c8ebe935bd9fc976c1680
storjBuildBot pushed a commit to storj/uplink that referenced this issue Sep 11, 2024
@halkyon
private/metaclient: add new error types for object lock upload errs
0e957ac 
this also fixes a case where Commit calls didn't convert to known
errors and caused unmapped errors on gateway.

Updates storj/edge#498

Change-Id: I07907185c26559805c342be584b3b2c8bc776800
@storj-gerrit
Copy link

storj-gerrit bot commented Sep 11, 2024

Change miniogw: fix up mappings to latest uplink code mentions this issue.

storjBuildBot pushed a commit to storj/gateway-st that referenced this issue Sep 11, 2024
@halkyon
miniogw: fix up mappings to latest uplink code
f511249 
- use the new uplink ErrRetentionNotFound error type. Additionally
this should return a 404 with the right status S3 uses. Note that
if the bucket has no lock enabled, GetObjectRetention does the same
as S3 and return a 400 response bucket lock not configured.

- uplink ErrBucketNoLock, ErrNoObjectLockConfiguration, and
ErrBucketNoVersioningObjectLock should all map to
miniogw.ErrRetentionNotFound, a 400 status. We will need to also
map ObjectLockDisabled (for when the feature is disabled entirely)
as well as ProjectLockDisabled to this same error, but these will
come in a later change.

Updates storj/edge#498

Change-Id: Ic3702e24cb3e8f177eac303ccb3f9869a8de96b5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@halkyon halkyon

Labels
bug Something isn't working edge
Projects
None yet
Milestone
Object Lock
Development

No branches or pull requests
2 participants
@halkyon @ferristocrat