Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23897

S3 plugin's signed URL expiry is extremely sensitive to clock drift

    XMLWordPrintable

Details

    Description

      The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

      This results in errors like:

      <Error>
        <Code>AccessDenied</Code>
        <Message>Request has expired</Message>
        <RequestId>DBB502010D433E63</RequestId>
        <Expires>2014-07-21T06:44:37Z</Expires>
        <HostId>
          0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
        </HostId>
        <ServerTime>2014-07-21T06:47:58Z</ServerTime>
      </Error>
      

      which won't be super-informative to the user.

      I suggest two changes.

      First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

      Second, document the need for NTP to keep up reasonable clock sync.

      I'll follow up with a patch for both.

      Attachments

        Activity

          People

            mikewatt Michael Watt
            ringerc Craig Ringer
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: