trino icon indicating copy to clipboard operation
trino copied to clipboard

Published 20 hours ago verified publisher icon trinodb

Add client option to disable following redirects

Open alprusty opened this issue 11 months ago • 19 comments

Description

During 412 release as part of OkHttp version upgrade, explicit client retry logic was removed in the event of a 307/308 redirect. This will cause 401: 'Unauthorized' error when trino client is talking to a Trino Cluster that is deployed behind a load balancer(For example AWS ALB) with a redirect mode(e.g. 307/308) routing policy.

Reference: https://github.com/trinodb/trino/commit/4be14018af945684bb28a53e4dcedfe744529bb0

Okhttp by default does follow redirects. However it drops Authorization headers if the redirect is across hosts.

Reference: https://github.com/square/okhttp/blob/okhttp_4.10.x/okhttp/src/main/kotlin/okhttp3/internal/http/RetryAndFollowUpInterceptor.kt#L323-L328

Solution: This PR introduces a flag --disable-follow-redirects to give an option to clients to follow a redirect or not. By default the flag is set to false which means redirects are going to be followed.

Additional context and related issues

Fixes https://github.com/trinodb/trino/issues/21026

Release notes

( ) This is not user-visible or is docs only, and no release notes are required. ( ) Release notes are required. Please propose a release note for me. ( ) Release notes are required, with the following suggested text:

alprusty avatar Mar 12 '24 09:03 alprusty

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 12 '24 09:03 cla-bot[bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 12 '24 09:03 cla-bot[bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 12 '24 09:03 cla-bot[bot]

We shouldn't make this change until we've a clear consensus on whether to include the Authorization header on redirects. https://github.com/trinodb/trino/issues/21026#issuecomment-1991556960

oneonestar avatar Mar 12 '24 12:03 oneonestar

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 12 '24 21:03 cla-bot[bot]

Can you submit a CLA @alprusty ? @martint can process it soon after and trigger check here .. but we can work on reviews and more in parallel.

mosabua avatar Mar 21 '24 18:03 mosabua

Also fyi @sajjoseph

mosabua avatar Mar 21 '24 18:03 mosabua

This was discussed with @electrum @dain @martint and others in the Trino Contributor Call from 21 March 2024.

mosabua avatar Mar 21 '24 18:03 mosabua

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 22 '24 21:03 cla-bot[bot]

CLA is signed .. I am working with @alprusty to get configuration fixed

mosabua avatar Mar 22 '24 22:03 mosabua

@cla-bot check

mosabua avatar Mar 22 '24 22:03 mosabua

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: alprusty. This is most likely caused by a git client misconfiguration; please make sure to:

  1. check if your git client is configured with an email to sign commits git config --list | grep email
  2. If not, set it up using git config --global user.email [email protected]
  3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

cla-bot[bot] avatar Mar 22 '24 22:03 cla-bot[bot]

The cla-bot has been summoned, and re-checked this pull request!

cla-bot[bot] avatar Mar 22 '24 22:03 cla-bot[bot]

@alprusty We also need a regression test on the client actually sent the Authorization header after a redirect.

oneonestar avatar Mar 26 '24 01:03 oneonestar

@oneonestar I took care of all the review comments.

  • Made followRedirects default to true instead of false
  • Added Network interceptor to OkHttp builder
  • Added a test case to verify Authorization header is being pushed on a redirect https://github.com/trinodb/trino/blob/4dffa6b6d645e26581b5992a8a3caff198446883/client/trino-cli/src/test/java/io/trino/cli/TestClientRedirect.java

Please review again 🙏

alprusty avatar Mar 31 '24 18:03 alprusty

It will be great if this PR can be split into two.

  1. Control followRedirects in okhttp
  2. Retain authorization header during redirects

sajjoseph avatar Apr 01 '24 21:04 sajjoseph

squashed all commits as one

alprusty avatar Apr 17 '24 08:04 alprusty

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

github-actions[bot] avatar May 09 '24 17:05 github-actions[bot]

We still want to continue with this. Can you rebase @alprusty

And can others chime in if any more feedback is needed.

Hopefully @martint @dain or @electrum can move this to merge

mosabua avatar May 09 '24 19:05 mosabua