Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23897

S3 plugin's signed URL expiry is extremely sensitive to clock drift

    XMLWordPrintable

Details

    Description

      The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

      This results in errors like:

      <Error>
        <Code>AccessDenied</Code>
        <Message>Request has expired</Message>
        <RequestId>DBB502010D433E63</RequestId>
        <Expires>2014-07-21T06:44:37Z</Expires>
        <HostId>
          0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
        </HostId>
        <ServerTime>2014-07-21T06:47:58Z</ServerTime>
      </Error>
      

      which won't be super-informative to the user.

      I suggest two changes.

      First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

      Second, document the need for NTP to keep up reasonable clock sync.

      I'll follow up with a patch for both.

      Attachments

        Activity

          ringerc Craig Ringer created issue -
          ringerc Craig Ringer made changes -
          Field Original Value New Value
          Description The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs URLs with a 4000ms (4s) expiry.

          This results in errors like:

          {code}
          <Error>
            <Code>AccessDenied</Code>
            <Message>Request has expired</Message>
            <RequestId>DBB502010D433E63</RequestId>
            <Expires>2014-07-21T06:44:37Z</Expires>
            <HostId>
              0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
            </HostId>
            <ServerTime>2014-07-21T06:47:58Z</ServerTime>
          </Error>
          {code}

          which won't be super-informative to the user.

          I suggest two changes.

          First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

          Second, document the need for NTP to keep up reasonable clock sync.

          I'll follow up with a patch for both.
          The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

          This results in errors like:

          {code}
          <Error>
            <Code>AccessDenied</Code>
            <Message>Request has expired</Message>
            <RequestId>DBB502010D433E63</RequestId>
            <Expires>2014-07-21T06:44:37Z</Expires>
            <HostId>
              0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
            </HostId>
            <ServerTime>2014-07-21T06:47:58Z</ServerTime>
          </Error>
          {code}

          which won't be super-informative to the user.

          I suggest two changes.

          First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

          Second, document the need for NTP to keep up reasonable clock sync.

          I'll follow up with a patch for both.
          ringerc Craig Ringer made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          ringerc Craig Ringer made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          ringerc Craig Ringer made changes -
          Labels s3 timeout patch pull_request s3 timeout
          ringerc Craig Ringer made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 156762 ] JNJira + In-Review [ 195496 ]

          People

            mikewatt Michael Watt
            ringerc Craig Ringer
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: