Skip to content

Retry request on specific authentication errors. #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 5, 2023
Merged

Retry request on specific authentication errors. #37

merged 4 commits into from
Jan 5, 2023

Conversation

@connelly38
Copy link
Member

@connelly38 connelly38 commented Jan 4, 2023

In some Instance Principal cases, the security token returned from OCI Identity may have a very short expiration. This change removes the expiration check, and allows a single retry on requests that get specific authN errors.
It also adds trace-level logging of authentication token details.

@connelly38
Retry request on specific authentication errors.
2be78ea 
In some Instance Principal cases, the security token returned
from OCI Identity may have a very short expiration. This change removes
the expiration check, and allows a single retry on requests that
get specific authN errors.
It also adds trace-level logging of authentication token details.
@connelly38 connelly38 requested a review from gmfeinberg January 4, 2023 20:27
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jan 4, 2023
gmfeinberg
gmfeinberg reviewed Jan 4, 2023
View reviewed changes
driver/src/main/java/oracle/nosql/driver/http/Client.java Outdated
/* allow a single retry on clock skew / auth errors */
String msg = iae.getMessage();
if ((msg.contains("clock skew") == false &&
msg.contains("request signature is invalid") == false) ||
Copy link
Contributor

@gmfeinberg gmfeinberg Jan 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would not do the right thing if IAM starts returning expired token exceptions. See the code I posted in slack. Look at the possible errors based on that code. It may not be worth the check on the message and just make this "if (kvRequest.getNumRetries() > 0)".
That is, I don't see a path where this exception happens where we wouldn't want to retry once

gmfeinberg
gmfeinberg reviewed Jan 5, 2023
View reviewed changes
driver/src/main/java/oracle/nosql/driver/http/Client.java Outdated
/* allow a single retry on clock skew errors */
if (iae.getMessage().contains("clock skew") == false ||
kvRequest.getNumRetries() > 0) {
/* allow a single retry on clock skew / auth errors */
Copy link
Contributor

@gmfeinberg gmfeinberg Jan 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe comment that these are errors indicating actual invalid/expired auth info vs a permission-related error

gmfeinberg
gmfeinberg previously approved these changes Jan 5, 2023
View reviewed changes
@connelly38 connelly38 merged commit 437d4a2 into main Jan 5, 2023
@connelly38 connelly38 deleted the bugfix/instance_principal_expirations branch January 5, 2023 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gmfeinberg gmfeinberg gmfeinberg approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@connelly38 @gmfeinberg