Core logs error "failed to verify token: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts" after switch to S3 storage -- excessive warning messages. #12261
Comments
|
Please elaborate on how you reproduce it, did you use a curl command to call Harbor's API? I don't think it's related to S3 or local disk. It seems b/c you are using OIDC auth mode but the request is not carrying valid ID token. |
|
It is deployed to Kubernetes using the neighboring harbor-helm chart.
The /ping requests are done by Kubernete's health-check. As Kubernetes does not restart the server, I guess it's returning something OK.
Neither do I. But when I changed the helm-chart from HDD to S3 storage for images and helm-charts, these errors began appearing. When I switched it back, they stopped (so so forth). I'm in the midst of re-deploying the whole thing to a upgraded cluster, so I'll see if I can reproduce it there...
That would be my guess too, but Kubernets healthcheck-requests AFAIK shouldn't have to carry ID tokens... |
So could you please clarify do the "errors", which seem warnings, impact you calling any API or using your Harbor instance? I think we may probably ignore the warnings safely. I am not sure if we should update the log to remove the warnings, they do help when there are real erros happening. |
|
This is one of the logs from our production systems , is it possible to suppress the ping logs for jwt warnings as there is no token passed |
|
@ajayk |
reasonerjt
changed the title
Getting the same thing with a Kubernetes deployment from the neighboring Helm chart. The spam is making finding actual issues (which I'm also having) extremely tedious. |
|
I'm getting the same warnings using both Chrome and Firefox. Everything seems to be working except those warning messages in logs. I had a look at the request cookies and there's no valid JWT token set (valid as base64 encoded strings in three parts separated via dots). X-Request-Id header matched with the log file entries using My environment has been setup with docker-compose instead of Kubernetes, but I'm using as well:
|
|
+1 from here
|
|
Same issue here.
|
|
+1 with:
|
|
For me it affects docker login as well see #12851 |
|
Guys for short term you may just ignore the this |
|
I'm trying to debug an issue where Harbor 2.1.0 seem to crash whenever I try pull-through caching from Docker hub. Turning the log-level to debug means that every request to /ping logs a stanza like this every five seconds [1]: This amount of noise makes it very hard to figure out what's actually going on (besides unauthenticated ping-requests, that is). [1] Harbor's Helm-chart runs liveness- and readiness-probes every 10s each. Both call /api/v2.0/ping. |
|
It seems to me when oidc is enabled all requests to the api/v2.0 endpoint require a valid JWT payload. Since the healthchecks do not we see the log spam. IMO we should add something like: |
|
This issue may be fixed by this PR #13422 |
|
I think it is, closing this issue, thanks @heww |
|
not solved with #13422 after upgrade to 2.1.2, reopen? |
Yep, not fixed. With debug logging enabled, the error/warning is: 2020-12-29T17:03:32Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id 112e95d5-1cd1-4031-b592-911a8ec527a2 to the logger for the request GET /api/v2.0/ping
2020-12-29T17:03:32Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:52]: In artifact info middleware, url: /api/v2.0/ping
2020-12-29T17:03:32Z [DEBUG] [/common/utils/oidc/helper.go:194]: Raw ID token for verification:
2020-12-29T17:03:32Z [WARNING] [/server/middleware/security/idtoken.go:45][requestID="112e95d5-1cd1-4031-b592-911a8ec527a2"]: failed to verify token: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
2020-12-29T17:03:32Z [DEBUG] [/server/middleware/security/unauthorized.go:29][requestID="112e95d5-1cd1-4031-b592-911a8ec527a2"]: an unauthorized security context generated for request GET /api/v2.0/ping |
If the request does not have bearer token in the header, do not decode the empty string. Fixes goharbor#12261 Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Expected behavior and actual behavior:
On a Harbor installation (Kubernetes using harbor-helm), I'm seeing the following error for all requests to the core server:
If I switch the installation back to using PersistentVolumeClaims, the errors go away (and leave just the regular ping's).
Steps to reproduce the problem:
Seem to be related to using a S3 backend, likely in combination with us using oAuth for Single Sign-On.
Versions:
Please specify the versions of following systems.
Additional context:
(I was unable to locate any meaningful configuration file on the core server pod. Relevant logs reproduced above.)
The text was updated successfully, but these errors were encountered: