Subrequests from ratelimit for /auth/v1.0 considered as proxy-server errors
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Object Storage (swift) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Hi,
I'm upgrading from swift 2.2 to swift 2.10 and starting from swift-proxy, I noticed some 400s for HEAD /auth/v1.0 marked as "RL" that also cause "proxy-
Jun 2 13:44:24 ms-fe2005 proxy-server: - - 02/Jun/
Jun 2 13:44:42 ms-fe2005 proxy-server: - - 02/Jun/
We're using tempauth and the HEAD seems to be generated also as part of normal client requests (e.g. in response of PUT).
I wanted to know if this behavior is expected? AFAICT those 400s shouldn't account towards proxy-server errors.
Thanks!
The proxy configuration looks like the one below.
[DEFAULT]
bind_port = 80
workers = 16
user = swift
log_statsd_host = localhost
log_statsd_port = 8125
log_statsd_
log_statsd_
[pipeline:main]
pipeline = rewrite healthcheck cache container_sync tempurl ratelimit tempauth cors proxy-logging proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:tempurl]
use = egg:swift#tempurl
# default includes PUT
methods = GET HEAD
[filter:tempauth]
use = egg:swift#tempauth
token_life = 604800
<accounts>
[filter:ratelimit]
use = egg:swift#ratelimit
# accounts limited to 5/s PUT/DELETE to containers
account_ratelimit = 5
account_whitelist = AUTH_mw
log_sleep_
# containers with > 200 objects limited to 30/s PUT/DELETE/POST and listings
container_
container_
[filter:
use = egg:swift#
[filter:
use = egg:swift#
[filter:cache]
use = egg:swift#memcache
memcache_servers = <servers>
memcache_
# per worker!
memcache_
[filter:cors]
paste.filter_
[filter:
use = egg:swift#
set access_log_facility = LOG_LOCAL1
[filter:rewrite]
# the auth system turns our login and key into an account / token pair.
# the account remains valid forever, but the token times out.
account = AUTH_mw
# the name of the scaler cluster.
thumbhost = imagescaler-
# upload doesn't like our User-agent (Python-
user_agent = Mozilla/5.0
# this list is the containers that should be sharded
shard_container
backend_url_format = sitelang
tld = org
paste.filter_
Unfortunately, ratelimit is a bit of a blunt instrument -- it assumes that anything with at least two components to the path will correspond to a Swift path, regardless of whether the first component is a valid api version (like v1) or not (like auth). Unfortunately, this gets more complicated when you need to consider ratelimit's placement with respect to cname_lookup, domain_remap, or swift3 middlewares; as a result I'm not even sure that the current, rather broad behavior covers *enough* cases.
Fortunately, though, the errors are benign and can just be ignored. I think it's pretty safe to ignore *any* 4xx error with a RL source.
See also: https:/ /bugs.launchpad .net/swift/ +bug/1669888
(Separately, though, I think tempauth is out of spec returning a 400 on HEAD where a GET would 401... never mind the fact that there's a better code (405) for exactly this situation of using the wrong method on a known path...)