This repository has been archived by the owner on Mar 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 16
HTTP headers vs. NeoFS attributes and associated logic #255
Comments
roman-khimov
changed the title
HTTP attributes vs. NeoFS attributes and associated logic
HTTP headers vs. NeoFS attributes and associated logic
May 25, 2023
|
roman-khimov
added
bug
Something isn't working
U4
Nothing urgent
S2
Regular significance
I1
High impact
labels
Dec 20, 2023
tatiana-nspcc
added a commit
to nspcc-dev/neofs-rest-gw
that referenced
this issue
Feb 2, 2024
When we receive headers, they are automatically formatted from any case to only the first letter being uppercase. For example, `FilePath` transforms into `Filepath`. However, NEOFS is case-sensitive for these attributes, which is why we intentionally change them to CamelCase style. We hope this is a temporary workaround and will be removed asap. Connected to nspcc-dev/neofs-http-gw#255. Signed-off-by: Tatiana Nesterenko <tatiana@nspcc.io>
tatiana-nspcc
added a commit
to nspcc-dev/neofs-rest-gw
that referenced
this issue
Feb 5, 2024
When we receive headers, they are automatically formatted from any case to only the first letter being uppercase. For example, `FilePath` transforms into `Filepath`. However, NEOFS is case-sensitive for these attributes, which is why we intentionally change them to CamelCase style. We hope this is a temporary workaround and will be removed asap. Connected to nspcc-dev/neofs-http-gw#255. Signed-off-by: Tatiana Nesterenko <tatiana@nspcc.io>
tatiana-nspcc
added a commit
to nspcc-dev/neofs-rest-gw
that referenced
this issue
Feb 7, 2024
When we receive headers, they are automatically formatted from any case to only the first letter being uppercase. For example, `FilePath` transforms into `Filepath`. However, NEOFS is case-sensitive for these attributes, which is why we intentionally change them to CamelCase style. We hope this is a temporary workaround and will be removed asap. Connected to nspcc-dev/neofs-http-gw#255. Signed-off-by: Tatiana Nesterenko <tatiana@nspcc.io>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Suppose you're trying to make a real send.fs.neo.org, not a fake one, but the one that really uses the underlying technologies. So you set up a container that looks like this:
It's sowewhat open for the basic ACL, but it's got an extended one as well that fixes it:
Basically, no one but the owner can do anything with it, an attempt to upload any object will fail miserably:
And that's what we want, because our mighty neofs-oauthz will issue proper token for us with a very simple constraint:
One can upload, but only if the uploaded object has an
Email
attribute of very specific kind (hash of the e-mail received via OAuth). All good. There is nspcc-dev/neofs-oauthz#29, but let's consider it to be fixed for the moment.The way send.fs.neo.org works is it uploads objects via HTTP gateway (that's why we're here!), so frontend initiates upload with
Notice
X-Attribute-Email
andAuthorization
, that's exactly what HTTP gateway needs to get a bearer token and anEmail
attribute for the object. But what we receive as a reply for this request is not a CID/OID pair, butHow could it happen? If we're to extract the bearer token and email hash from the browser and try going via CLI, that'd be like:
And it works just fine (thanks, NeoFS). But if we're to
It still doesn't work. Now let's remember that the setup is a little more complicated than that and in fact we've got an nginx in-between the HTTP gateway and the client. It does some
proxy_pass
for requests with slight URL adjustments, cachesGET
s, so it's useful there. But it passes the headers as well.If we're to try to push the same request to the gateway directly (right from the appropriate host):
It all suddenly works again! But it's not via the nginx. So nginx can be easily blamed for this, but in fact it's still a little more complicated than that. If you're to carefully look at
http-gw
debug logs you may notice that the gateway doesn't use any bearer token at all for the upsteam request, no wonder it's denied. But if we're to also trytcpdump -A -i lo port 8888
to see what's going on on the wire there are expected headers there:So why can't HTTP gateway take the token and use it? The answer to that is this attempt:
Which suddenly doesn't work at all. And the only difference with the successful one is lowercased
authorization
header.RFC 2616 says:
So one might argue that the header is OK, but there is something wrong with the l33t fasthttp server we're using. Yes and no, we set it up this way:
neofs-http-gw/app.go
Line 120 in 8321181
And this knob is documented as "Header names are passed as-is without normalization if this option is set" (hi, #125 also). Why do we have it then? Well, NeoFS (unlike HTTP) has case-sensitive attributes and gateway is documented to accept them from HTTP headers:
Obviously if you want
Ololo
you have to have this passed asOlolo
asololo
is a different attribute.Maybe nginx can be fixed to not change attributes? No, because it only cares about HTTP and it's absolutely compatible with the 1.1 specification while HTTP 2.0 is even more interesting:
Our http gateway is 1.1 only, but nginx obviously works with any HTTP version and does what's more appropriate for it to do (lowercases everything). And if we're to consider switching to HTTP 2.0 then the whole attribute scheme breaks completely as we'll never receive
Ololo
and couldn't sendX-Attribute-Ololo
in response as well (like we do now).What options do we have?
DisableHeaderNamesNormalizing
back tofalse
? This seems like an easy solution,email
becomesEmail
again,Authorization
is alwaysAuthorization
irrespective of how it's encoded in the request, all good. Except that the example from the README withX-Attribute-FilePath
breaks immediately, it'll beFilepath
, sorry.Authorization
specially, iterate through all headers manually and do case-insensitive comparisons to find it? Yeah, but this may then also be required forfasthttp.HeaderDate
and doesn't solve object attribute problem (we may switch toemail
for send.fs.neo.org, but in general the problem still remains).I tend to think we might do 2 as a quick fix, but this problem may eventually bite us in some other setting. Opinions are welcome.
The text was updated successfully, but these errors were encountered: