console
console copied to clipboard
minio
Links expire within an hour when sharing from web interface regardless of the value set
When i share a file from MinIO web interface its link expires within an hour despite choosing another value like 1 day or 2 days. Sharing files using third party S3 clients works fine
Expected Behavior
Shared link must expire on the established date
Current Behavior
When sharing files from web interface its download links expires 1 hour after their creation
Possible Solution
The issue appear to be at web interface
Steps to Reproduce (for bugs)
1.Upload a file to a bucket 2.Share it from web interface 3.wait 1 hour or 2 4.Open sharing link
Context
I was trying to share a video from a bucket on my personal website and video links stopped working. 2 days later i could share it without issues using a third party S3 client
Regression
Is this issue a regression? No
Your Environment
-
Version used: RELEASE.2021-07-30T00-02-00Z
-
Server setup and configuration: NGINX web server and the following config files api-nginx.txt panel-nginx.txt minio-systemd.txt minio-env.txt
-
Operating System and version : Ubuntu 20.04 (Linux asgardius-minio 5.8.0-1037-oracle minio/minio#38~20.04.1-Ubuntu SMP Fri Jul 16 01:02:14 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
This is still broken in minio server installation RELEASE.2021-09-09T21-37-07Z
Are there any updates on this?
Will do some testing on this after https://github.com/minio/console/pull/1083 gets merged. This PR changes the way we request links by date in console.
I noticed a difference in the links generated by the Minio console and the cli tool:
http://10.0.2.100:9000/test/foo?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=VM8UFZ8WA9JDGLX5FJWM%2F20211014%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211014T144835Z&X-Amz-Expires=604799&X-Amz-Security-Token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJWTThVRlo4V0E5SkRHTFg1RkpXTSIsImV4cCI6MzYwMDAwMDAwMDAwMCwicG9saWN5IjoiY29uc29sZUFkbWluIn0.8baEtu9q-2BRsIFSXNOi3Z9UZzv9NFD0aJoNKRZexv6aCy4To6CYqt9RSgO-_dvyFHBhA-MUVGphv8kFt4ad8Q&X-Amz-SignedHeaders=host&versionId=null&X-Amz-Signature=9c5db22982b55656f14d1620debb113da7062d59b6a40ddb945682e2b0dc6b4e
http://127.0.0.1:9000/test/foo?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=minioadmin%2F20211014%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211014T144913Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=870078410bfeaaff059dabbbaaffe1c9b9a84234042fc8fbd01700478b97d314
The first link was created in the web console, the second via the cli tool. Notice the value of the X-Amz-Expires and X-Amz-Credential parameters.
I don't know how the web console works internally, but to me it looks like the console gets a temporary token on login and uses that to create the link. As https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html points out, as soon as a temporary token is no longer valid the links it created will not work either.
@l-austenfeld that is correct, the console uses a temporary token (STS Token) which last less than 1 hour, we are looking into how to solve this problem so that share links last longer
This is still broken in https://github.com/minio/console/releases/tag/v0.13.2
This is still broken in https://github.com/minio/console/releases/tag/v0.13.2
Yes it is @abhi1693 and it will be for a while - it's not a priority at the moment. Create service accounts use them in mc to generate shared URLs for now.
@harshavardhana Isn't there any way to do this via console? I need to give UI access to our customers who will generate their own links and not being able to do that is a deal breaker.
@harshavardhana Isn't there any way to do this via console? I need to give UI access to our customers who will generate their own links and not being able to do that is a deal breaker.
No not yet @abhi1693 - we will address it in time it's not a priority right now.
@harshavardhana Isn't there any way to do this via console? I need to give UI access to our customers who will generate their own links and not being able to do that is a deal breaker.
No not yet @abhi1693 - we will address it in time it's not a priority right now.
Update on this matter?
No not yet @abhi1693 - we will address it in time it's not a priority right now.
Update on this matter?
No update not a priority right now.
As a quick and dirty workaround for this bug you can downgrade to previous interface, e.g. using bitnami/minio:2021 containers (caution: use only in dev, as they are no longer maintained and consequently have a lot of vulnerabilities)
The issue is known for a year now.... Do you really have a one-year-long bug-fixing backlog?:) Ref. https://wiki.c2.com/?FixBugsFirst
No update not a priority right now.
The issue is known for a year now.... Do you really have a one-year-long bug-fixing backlog?:)
Yes @mirekphd this is not a priority at the moment. Feel free to work on a fix if you must - we will happily accept it.
This is my experience too: when the presigned links expire and I try to create new ones, MinIO web console is invariably logged out (i.e. this takes 1 hour or longer). And boto3 API docs (see link) specify that the presigned URLs are by default valid for 3600 seconds (unlike minio python client (see link, which defaults to the maximum allowed by S3, i.e. 7 days).
So the simplest workaround is to generate pre-signed links using an API client of your choice, e.g. in python:
minio_client = minio.Minio(...)
# Get presigned URL string to download 'my-object' in
# 'my-bucket' with default expiry (i.e. 7 days).
url = minio_client.presigned_get_object("my-bucket", "my-object")
print(url)
[src: presigned_get_object ]
I don't know how the web console works internally, but to me it looks like the console gets a temporary token on login and uses that to create the link
Because of this issue, in last 1 year I created my own ui that works. Can't wait for something crucial to not be fixed for such a long time. Links that expire within the hour are of no use to be shared with anyone.
Because of this issue, in last 1 year I created my own ui that works. Can't wait for something crucial to not be fixed for such a long time. Links that expire within the hour are of no use to be shared with anyone.
This is my experience too: when the presigned links expire and I try to create new ones, MinIO web console is invariably logged out (i.e. this takes 1 hour or longer). And
boto3API docs (see link) specify that the presigned URLs are by default valid for 3600 seconds (unlikeminiopython client (see link, which defaults to the maximum allowed by S3, i.e. 7 days).So the simplest workaround is to generate pre-signed links using an API client of your choice, e.g. in python:
minio_client = minio.Minio(...) # Get presigned URL string to download 'my-object' in # 'my-bucket' with default expiry (i.e. 7 days). url = minio_client.presigned_get_object("my-bucket", "my-object") print(url)[src: presigned_get_object ]
I don't know how the web console works internally, but to me it looks like the console gets a temporary token on login and uses that to create the link
Correct you want to generate links in bulk, write your own code.
Able to share the Object, with X-Amz-Expires=604800. I will wait couple of hours and see if still accesible.
http://127.0.0.1:9000/celis/gas-2023-05-01%2018.42.06.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=FBMBV43X1LW5D1MPXQJ0%2F20230508%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230508T222213Z&X-Amz-Expires=604800&X-Amz-Security-Token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJGQk1CVjQzWDFMVzVEMU1QWFFKMCIsImV4cCI6MTY4MzYyNzcwMywicGFyZW50IjoibWluaW8ifQ.kBv5SJlSzgkgMiYdFQG0cd51a41-KxNnjkbyiOxnuQbhUIf1M_pQ9SR3AKiyWY1hya_Kfg9OwKRj1uRV2GrKVg&X-Amz-SignedHeaders=host&versionId=null&X-Amz-Signature=0167875adea35de0df7ac5663887ca5accb661dd7663d036b902a29b2ce2324f
Shared object is still accesible after one hour, I will wait one more hour and see if this link still works...
Two hours after and shared object is still accesible via the link, the problem has been solved. Please re-open if there is a case where this is still failing and provide detailed steps to reproduce it.
Thanks! And sorry for the long time till we get this to work.
Link will expire after 12 hours, as we increased session cookie time, this is not fixed yet. But I am checking internally to see if this will be ever fixed or not.
Session cookie time is not the solution here and the issue should be reopened as it has not addressed the actual issue.
I think need to test with longer values 1 or 2 days. Also please try to logout from web interface and check link in a few hours via curl or incognito tab.
Reopening since we reverted it here https://github.com/minio/console/pull/2863
We'll be doing some changes to the UI specifically:
- We'll change the expiration max allowed value to that set in the env variable CONSOLE_STS_DURATION (MINIO_BROWSER_SESSION_DURATION in MinIO) or default to
12hrs. This is because Console creates a token to authenticate against MinIO and if we want to allow for MinIOs 7d max, we'd need to set the env variable as such. - We need to address the issue reported here https://github.com/minio/minio/issues/17902. Since env variable added is not being honored.
- We'll add more info on the UI on how the expiration max value is allowed
- We'll document this in our web docs.
If we don't want to update the env variable, you can do it via mc by creating a service account. We tried to implement a similar behavior in Console here but was too confusing since there are scenarios where users can't/are allowed create service accounts, so we agreed on a much simpler approach (mentioned above).