-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requests to /sync endpoint resulting in 403 #270
Comments
Hi @acoard-aot ! Auth should be the same across all endpoints as far as I'm aware. I presume you're self-hosting COMS? Based on the error you're seeing though, from a quick search it appears to be related to S3's authentication and not so much COMS. Best guess is that it's some weird edge case, perhaps with characters in the S3 credentials that require escaping (e.g. |
Still investigating this bug (I've managed to reproduce it locally when running in basic auth mode, so almost certainly something to do with S3 rather than JWT/OIDC/Keycloak etc), but in the meantime:
The |
Out of the box, the
Did you modify your own instance of COMS?
|
Looks like the only way I was able to replicate the issue was with incorrect S3 credentials. COMS will verify that they work when you initially create the COMS bucket, but if the S3 credentials change after that it's not going to know until it tries to do something with the underlying S3 bucket (e.g. reading directly from it). Updating the S3 credentials should fix it - you can do that with Just out of curiosity though, what's your setup here? Like Tim said we don't support client credentials at the moment so I'm interested in how you implemented an automated script without requiring manual user login. |
Thank you for the answers you've given here, I really appreciate it. I've been incredibly busy, but will be diving into this issue in more detail today. Perhaps it is a cred issue, and I appreciate the tip. I'm a bit surprised that the creds work for some "buckets" (in COMS) and not all when I don't believe that's how it's configured (we have one shared S3 bucket with same auth for this POC), but it's entirely possible I messed something up. Thanks again. I will make sure to report back and close this ticket with my findings in the next couple days. |
Describe the bug
Hi there, first off, thanks for the software! It's entirely possible this is an error on my end, but I've gone over the documentation and worked on this issue for a while.
I am writing a script that's purpose is to call the /sync endpoint on every single bucket. I have authentication working for every endpoint I need besides /sync. Calling for example /bucket to list buckets works great, as does /status. However, when I call the /sync endpoint I get either two types of results.
Result 1
This result type is 90% of my responses.
Result 2
This result is far more rare, and just says:
I'm assuming a response of 0 is following the Linux exit code convention where 0 = success.
(If useful, my full logs are this, but the first two lines are my scripts logging lines)
Version Number
To Reproduce
Steps to reproduce the behavior:
For simplicity I have copied my entire script here. It refers to an .env file which I will not include:
In the .env file, there are two variables:
Expected behavior
Since my authentication works for other endpoints (like /bucket), I expect it to work for /sync.
My question: does /sync have different auth requirements from /bucket? For example do I need to configure the Keycloak clients differently or setup any additional permissions to call /sync on a bucket?
Screenshots
N/A
Desktop (please complete the following information):
Smartphone (please complete the following information):
N/A
Additional context
The text was updated successfully, but these errors were encountered: