Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23897

S3 plugin's signed URL expiry is extremely sensitive to clock drift

    Details

    • Similar Issues:

      Description

      The S3 plugin is very sensitive to clock drift on the Jenkins server, as it signs download URLs with a 4000ms (4s) expiry.

      This results in errors like:

      <Error>
        <Code>AccessDenied</Code>
        <Message>Request has expired</Message>
        <RequestId>DBB502010D433E63</RequestId>
        <Expires>2014-07-21T06:44:37Z</Expires>
        <HostId>
          0RLt34WZ9rebc7yijszDZ2gquwYBMj1OENPUtc9KAVtXsATJPdwxoYatu3/+2QOB
        </HostId>
        <ServerTime>2014-07-21T06:47:58Z</ServerTime>
      </Error>
      

      which won't be super-informative to the user.

      I suggest two changes.

      First, default to a longer expiry, say 60 seconds, that allows for things like a little packet loss / a high latency connection / etc, and a little clock drift.

      Second, document the need for NTP to keep up reasonable clock sync.

      I'll follow up with a patch for both.

        Attachments

          Activity

            People

            • Assignee:
              mikewatt Michael Watt
              Reporter:
              ringerc Craig Ringer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: