Core logs error "failed to verify token: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts" after switch to S3 storage -- excessive warning messages. #12261
Comments
Please elaborate on how you reproduce it, did you use a curl command to call Harbor's API? I don't think it's related to S3 or local disk. It seems b/c you are using OIDC auth mode but the request is not carrying valid ID token.
It is deployed to Kubernetes using the neighboring harbor-helm chart.
The /ping requests are done by Kubernetes' health-check. As Kubernetes does not restart the server, I guess it's returning something OK.
Neither do I. But when I changed the helm-chart from HDD to S3 storage for images and helm-charts, these errors began appearing. When I switched it back, they stopped (and so forth). I'm in the midst of re-deploying the whole thing to an upgraded cluster, so I'll see if I can reproduce it there...
That would be my guess too, but Kubernetes healthcheck-requests AFAIK shouldn't have to carry ID tokens...
So could you please clarify do the "errors", which seem warnings, impact you calling any API or using your Harbor instance? I think we may probably ignore the warnings safely. I am not sure if we should update the log to remove the warnings, they do help when there are real errors happening.
This is one of the logs from our production systems, is it possible to suppress the ping logs for jwt warnings as there is no token passed
@ajayk
Getting the same thing with a Kubernetes deployment from the neighboring Helm chart. The spam is making finding actual issues (which I'm also having) extremely tedious.
I'm getting the same warnings using both Chrome and Firefox. Everything seems to be working except those warning messages in logs. I had a look at the request cookies and there's no valid JWT token set (valid as base64 encoded strings in three parts separated via dots). X-Request-Id header matched with the log file entries using My environment has been set up with docker-compose instead of Kubernetes, but I'm using as well:
+1 from here
Same issue here.
+1 with:
For me it affects docker login as well see #12851
Guys for short term you may just ignore the this
I'm trying to debug an issue where Harbor 2.1.0 seems to crash whenever I try pull-through caching from Docker hub. Turning the log-level to debug means that every request to /ping logs a stanza like this every five seconds [1]:
This amount of noise makes it very hard to figure out what's actually going on (besides unauthenticated ping-requests, that is). [1] Harbor's Helm-chart runs liveness- and readiness-probes every 10s each. Both call /api/v2.0/ping.
It seems to me when oidc is enabled all requests to the api/v2.0 endpoint require a valid JWT payload. Since the healthchecks do not, we see the log spam.
IMO we should add something like:
This issue may be fixed by this PR #13422
I think it is, closing this issue, thanks @heww
not solved with #13422 after upgrade to 2.1.2, reopen?
Yep, not fixed. With debug logging enabled, the error/warning is:
```
2020-12-29T17:03:32Z [DEBUG] [/server/middleware/log/log.go:30]: attach request id 112e95d5-1cd1-4031-b592-911a8ec527a2 to the logger for the request GET /api/v2.0/ping
2020-12-29T17:03:32Z [DEBUG] [/server/middleware/artifactinfo/artifact_info.go:52]: In artifact info middleware, url: /api/v2.0/ping
2020-12-29T17:03:32Z [DEBUG] [/common/utils/oidc/helper.go:194]: Raw ID token for verification:
2020-12-29T17:03:32Z [WARNING] [/server/middleware/security/idtoken.go:45][requestID="112e95d5-1cd1-4031-b592-911a8ec527a2"]: failed to verify token: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
2020-12-29T17:03:32Z [DEBUG] [/server/middleware/security/unauthorized.go:29][requestID="112e95d5-1cd1-4031-b592-911a8ec527a2"]: an unauthorized security context generated for request GET /api/v2.0/ping
```
If the request does not have bearer token in the header, do not decode the empty string. Fixes goharbor#12261 Signed-off-by: Daniel Jiang <jiangd@vmware.com>
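The check the commit message above describes, sketched as an added example (not Harbor's code and not taken from the linked change): a request with no bearer credential is skipped silently, while a credential that is present but not a three-part compact JWS still produces a warning. All names here (`classify`, `warningsFor`, `request`) and the sample requests are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

type tokenState int

const (
	noToken        tokenState = iota // no bearer credential: skip verification, log nothing
	malformedToken                   // credential present but not three dot-separated parts
	candidateToken                   // right shape: hand over to the real OIDC verifier
)

// classify inspects a raw Authorization header value before any JWT parsing.
// Hypothetical helper; it checks shape only and verifies nothing.
func classify(authHeader string) tokenState {
	const prefix = "bearer "
	if len(authHeader) < len(prefix) || !strings.EqualFold(authHeader[:len(prefix)], prefix) {
		return noToken // empty header or another scheme (e.g. Basic)
	}
	tok := strings.TrimSpace(authHeader[len(prefix):])
	if tok == "" {
		return noToken // "Bearer" with nothing after it: nothing to decode
	}
	if len(strings.Split(tok, ".")) != 3 {
		return malformedToken
	}
	return candidateToken
}

type request struct{ path, auth string }

// warningsFor returns the log lines a middleware built on classify would emit.
func warningsFor(reqs []request) []string {
	var out []string
	for _, r := range reqs {
		if classify(r.auth) == malformedToken {
			out = append(out, fmt.Sprintf("[WARNING] %s: malformed bearer token", r.path))
		}
	}
	return out
}

func main() {
	reqs := []request{ // constructed sample requests
		{"/api/v2.0/ping", ""},                       // health probe, no credential
		{"/api/v2.0/projects", "Bearer not-a-jwt"},   // present but malformed
		{"/api/v2.0/projects", "Bearer aaa.bbb.ccc"}, // shape OK, still needs verification
	}
	for _, w := range warningsFor(reqs) {
		fmt.Println(w)
	}
}
```

Only the malformed credential logs a warning; the unauthenticated probe would still fall through to an unauthorized security context, as in the debug log above.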
Expected behavior and actual behavior:
On a Harbor installation (Kubernetes using harbor-helm), I'm seeing the following error for all requests to the core server:
If I switch the installation back to using PersistentVolumeClaims, the errors go away (and leave just the regular pings).
Steps to reproduce the problem:
Seems to be related to using an S3 backend, likely in combination with us using oAuth for Single Sign-On.
Versions:
Please specify the versions of the following systems.
Additional context:
(I was unable to locate any meaningful configuration file on the core server pod. Relevant logs reproduced above.)