Closed Bug 1905455 Opened 9 months ago Closed 7 months ago

in local dev env, tecken.health.E001 when SYMBOL_URLS includes prod bucket

Categories

(Tecken :: General, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: willkg, Assigned: sven)

Attachments

(1 file, 1 obsolete file)

If I add this to my .env file:

SYMBOL_URLS=http://localstack:4566/publicbucket/,https://s3.us-west-2.amazonaws.com/org.mozilla.crash-stats.symbols-public/

And then run make setup to set up my local dev environment, it fails with:

?: (tecken.health.E001) Unable to connect to https://s3.us-west-2.amazonaws.com/org.mozilla.crash-stats.symbols-public/ (bucket='org.mozilla.crash-stats.symbols-public'), because bucket not found

It's calling exists() and that fails. However, this is how stage is configured, so it shouldn't fail with this error. If we're always using HTTP to determine if files are available in the backend, then exists() doesn't need to use the boto client to verify that the backend exists.

This is a nuisance when testing changes to storage backends.

Priority: -- → P3

There are two different problems here:

  1. For proper S3 URLs we don't pass an endpoint URL to the boto3 client. As a result, the client picks up the AWS_ENDPOINT_URL environment variable, which is set to http://localstack:4566/ in the dev environment.

  2. Setting up a boto3 client for anonymous access requires setting signature_version=UNSIGNED in the client configuration.

The first problem can be fixed by always passing the endpoint URL to the client. The second problem requires a way to configure anonymous access for each S3 backend. I can re-use the configuration mechanism introduced for bug 1906959.

Assignee: nobody → sven

With the above fix, it's possible to use this URL in SYMBOL_URLS:

https://s3.us-west-2.amazonaws.com/org.mozilla.crash-stats.symbols-public/?anonymous=true

I tested that it's possible to download files from the prod bucket via the local dev environment.

I also made this work for GCS. The GCS client uses anonymous credentials by default if no other credentials are available, so we don't need the anonymous=true setting. However, the bucket metadata endpoint https://storage.googleapis.com/storage/v1/b/<bucket-name> is generally not public for "public" buckets, which usually means that anonymous users have the "Storage Object View" role, which does not include the storage.buckets.get permission. However, you still can detect whether a public bucket exists using a HEAD request to https://storage.googleapis.com/<bucket-name>, so I rewrote GCSStorage.exists() to use that. Unfortunately, HEAD requests don't work at all for our GCS emulator, and GET requests cause 500s for non-existing buckets, so I had to add some special-case code for the emulator.

Attachment #9412013 - Attachment is obsolete: true
Depends on: 1908868
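
The two S3 fixes described in the comments above, sketched as an added example that is not part of the original comments or of Tecken's code: each SYMBOL_URLS entry gets its own explicit endpoint URL, and anonymous=true selects an unsigned client. The helper names and the returned dictionary layout are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# SYMBOL_URLS value built from the two URLs quoted in this bug.
SAMPLE_SYMBOL_URLS = (
    "http://localstack:4566/publicbucket/,"
    "https://s3.us-west-2.amazonaws.com/"
    "org.mozilla.crash-stats.symbols-public/?anonymous=true"
)


def parse_storage_url(url):
    """Hypothetical helper: split a path-style storage URL into client settings."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) storage URL: {url!r}")
    bucket, _, prefix = parts.path.lstrip("/").partition("/")
    if not bucket:
        raise ValueError(f"no bucket name in {url!r}")
    # Only the literal value "true" enables anonymous access; anything else
    # keeps the default of signed requests.
    flag = parse_qs(parts.query).get("anonymous", ["false"])[-1]
    return {
        "endpoint_url": f"{parts.scheme}://{parts.netloc}",
        "bucket": bucket,
        "prefix": prefix,
        "anonymous": flag.lower() == "true",
    }


def parse_symbol_urls(value):
    """Hypothetical helper: parse a comma-separated SYMBOL_URLS value."""
    return [parse_storage_url(u) for u in value.split(",") if u.strip()]


def make_s3_client(settings):
    """Build a boto3 S3 client for one backend (needs boto3 installed)."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    # UNSIGNED: requests are sent without a signature, so the public bucket
    # can be read without any credentials.
    config = Config(signature_version=UNSIGNED) if settings["anonymous"] else None
    # An explicit endpoint_url takes precedence over AWS_ENDPOINT_URL, so the
    # dev-environment variable cannot redirect requests for this backend.
    return boto3.client("s3", endpoint_url=settings["endpoint_url"], config=config)
```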

Since we decided to use structured configuration, we no longer need to pass the anonymous flag as a fake query parameter to the storage URL, but can instead pass it as a separate configuration setting.

Everything up to this point went out in bug #1910917 just now.

The original issue isn't a problem in the local dev environment since we don't have a SYMBOL_URLS variable. The download API links in the Symbol File Upload pages work now, too. Marking this as FIXED.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED