Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23897

S3 plugin's signed URL expiry is extremely sensitive to clock drift

    Details

    • Similar Issues:

      Description

      The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

      This results in errors like:

      <Error>
        <Code>AccessDenied</Code>
        <Message>Request has expired</Message>
        <RequestId>DBB502010D433E63</RequestId>
        <Expires>2014-07-21T06:44:37Z</Expires>
        <HostId>
          0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
        </HostId>
        <ServerTime>2014-07-21T06:47:58Z</ServerTime>
      </Error>
      

      which won't be super-informative to the user.

      I suggest two changes.

      First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

      Second, document the need for NTP to keep up reasonable clock sync.

      I'll follow up with a patch for both.

        Attachments

          Activity

          ringerc Craig Ringer created issue -
          ringerc Craig Ringer made changes -
          Field Original Value New Value
          Description The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs URLs with a 4000ms (4s) expiry.

          This results in errors like:

          {code}
          <Error>
            <Code>AccessDenied</Code>
            <Message>Request has expired</Message>
            <RequestId>DBB502010D433E63</RequestId>
            <Expires>2014-07-21T06:44:37Z</Expires>
            <HostId>
              0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
            </HostId>
            <ServerTime>2014-07-21T06:47:58Z</ServerTime>
          </Error>
          {code}

          which won't be super-informative to the user.

          I suggest two changes.

          First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

          Second, document the need for NTP to keep up reasonable clock sync.

          I'll follow up with a patch for both.
          The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

          This results in errors like:

          {code}
          <Error>
            <Code>AccessDenied</Code>
            <Message>Request has expired</Message>
            <RequestId>DBB502010D433E63</RequestId>
            <Expires>2014-07-21T06:44:37Z</Expires>
            <HostId>
              0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
            </HostId>
            <ServerTime>2014-07-21T06:47:58Z</ServerTime>
          </Error>
          {code}

          which won't be super-informative to the user.

          I suggest two changes.

          First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

          Second, document the need for NTP to keep up reasonable clock sync.

          I'll follow up with a patch for both.
          ringerc Craig Ringer made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          ringerc Craig Ringer made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          Hide
          ringerc Craig Ringer added a comment -
          Show
          ringerc Craig Ringer added a comment - Pull request https://github.com/jenkinsci/s3-plugin/pull/33 created.
          ringerc Craig Ringer made changes -
          Labels s3 timeout patch pull_request s3 timeout
          Hide
          ringerc Craig Ringer added a comment -

          This fix has been merged.

          Show
          ringerc Craig Ringer added a comment - This fix has been merged.
          ringerc Craig Ringer made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 156762 ] JNJira + In-Review [ 195496 ]

            People

            • Assignee:
              mikewatt Michael Watt
              Reporter:
              ringerc Craig Ringer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: