NAS-114771 (resolved issue, Muhammad Rehan)
S3 service access key validation error
Activity
Bug Clerk February 25, 2022 at 12:20 AM
Bug Clerk February 21, 2022 at 10:44 PM
22.02.1 PR: https://github.com/truenas/middleware/pull/8328
John C February 18, 2022 at 2:07 PM (edited)
Requesting this be reopened. This is incorrect regarding the current upstream validation and test cases for both the mc client and the minio server. I suspect there is some confusion between my use of "access key"-- by that I mean the secret key, rather than what is sometimes called the "AccessKeyID".
The linked issue seems to be discussing regex for the AccessKeyID. The actual secret key has no such limitations, and as of the current release the AccessKeyID seems to have no restrictions either.
The current upstream validation can be seen here, starting on line 37, and the only validity check it performs is that min length is 8.
You can also see their config test here which uses a secret key of 'minio1#23', currently also rejected by the TrueNAS S3 service.
    testCases := []struct {
        hostURL string
        ....
    }
    hostURL: "https://minio:minio1#23@localhost:9000",
    accessKey: "minio",
    secretKey: "minio1#23",
The upstream minio server uses the same validation:
    // IsAccessKeyValid - validate access key for right length.
    func IsAccessKeyValid(accessKey string) bool {
        return len(accessKey) >= accessKeyMinLen
    }

    // IsSecretKeyValid - validate secret key for right length.
    func IsSecretKeyValid(secretKey string) bool {
        return len(secretKey) >= secretKeyMinLen
    }
Valid S3 access keys are thus a subset of all valid minio secret keys. Merely making TrueNAS S3 compatible would want '[\w+=,.@-]+' as a validator, while the least restrictive minio-compatible validator would simply enforce minimum length 8.
If it is correct to resubmit as a separate bug, I can do so-- not sure on protocol here. Thanks!
Muhammad Rehan February 17, 2022 at 9:15 PM
@John C we use minio for S3, which actually has less restrictive permissions than AWS S3 requirements, as can be seen here: https://github.com/minio/mc/issues/2298#issuecomment-340722058. I'm closing this as this is desired upstream behaviour.
Bonnie Follweiler February 11, 2022 at 1:49 PM
Thank you @John C.
I have moved this ticket into our queue to review.
An engineering representative will update with any further questions or details in the near future.
When enabling the S3 service and attempting to input an access key, the validator rejects characters that are valid in AWS S3.
In /usr/local/lib/python3.7/site-packages/middlewared/plugins/s3.py, the following lines are the validation code:
    @accepts(Dict(
        's3_update',
        Str('bindip'),
        Int('bindport', validators=[Range(min=1, max=65535)]),
        Int('console_bindport', validators=[Range(min=1, max=65535)]),
        Str('access_key', validators=[Match("^\w+$", explanation="Should only contain alphanumeric characters")],
            max_length=20),
        Str('secret_key', validators=[Match("^\w+$", explanation="Should only contain alphanumeric characters")],
            max_length=40),
However, this is more restrictive than the actual S3 access keys. AWS provides regex validation code for its key ID and secret keys, which is shown below (Perl compatible):
grep -RP '(?<
[A-Z0-9])' *
grep -RP '(?<
[A-Za-z0-9/+=])' *
In order to match the syntax of the actual S3 service, this validator should be updated.
Others have reported this issue in the forums here.
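The three secret-key rules discussed in this ticket, run side by side on the same inputs. This is an added example, not TrueNAS middleware or minio code: the function names and sample keys are constructed for illustration, while the patterns, the 40-character limit and the minimum length of 8 are taken from the text above.

```python
import re

# Patterns and limits quoted on this page; names below are hypothetical.
WORD_ONLY = re.compile(r"^\w+$")                   # Match() pattern in s3.py
AWS_SECRET_CLASS = re.compile(r"[A-Za-z0-9/+=]+")  # character class from the AWS grep
SECRET_MAX_LEN = 40                                # max_length of secret_key in s3.py
MINIO_SECRET_MIN_LEN = 8                           # length-only check described for minio


def word_only(secret: str) -> bool:
    """Rule quoted from s3.py: word characters only, at most 40 of them."""
    # fullmatch() is used because '$' under match() also accepts a trailing newline.
    return len(secret) <= SECRET_MAX_LEN and WORD_ONLY.fullmatch(secret) is not None


def aws_charset(secret: str) -> bool:
    """AWS-style rule: letters, digits, '/', '+' and '=', at most 40 characters."""
    return len(secret) <= SECRET_MAX_LEN and AWS_SECRET_CLASS.fullmatch(secret) is not None


def minio_length_only(secret: str) -> bool:
    """Rule described for upstream minio: minimum length, no character check."""
    return len(secret) >= MINIO_SECRET_MIN_LEN


def compare(secret: str) -> dict:
    """Return the verdict of each rule for one candidate secret key."""
    return {
        "word_only": word_only(secret),
        "aws_charset": aws_charset(secret),
        "minio_length_only": minio_length_only(secret),
    }


# Constructed sample keys (the first is the minio test value quoted above).
SAMPLES = {
    "minio test secret": "minio1#23",
    "AWS-style, 40 chars with + and /": "Ab+/" * 10,
    "underscore (matches \\w, not alphanumeric)": "abcdefgh_1",
}

if __name__ == "__main__":
    for label, secret in SAMPLES.items():
        print(f"{label}: {compare(secret)}")
```

The underscore sample shows that `\w` accepts more than the "alphanumeric" wording in the validator's explanation, and the first two samples are keys a length-only check accepts but the quoted pattern rejects.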