[jira] [Created] (TINKERPOP-2698) IAM authentication failures with the

Mon, 31 Jan 2022 16:36:38 -0800 

Lyndon Bauto created TINKERPOP-2698:
---------------------------------------

             Summary: IAM authentication failures with the 
                 Key: TINKERPOP-2698
                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2698
             Project: TinkerPop
          Issue Type: Improvement
            Reporter: Lyndon Bauto


When authenticating with IAM auth using the channelizer here, 
[https://github.com/aws/amazon-neptune-gremlin-java-sigv4] if the access key or 
secret access key are incorrect, the user gets a 'NoHostsAvailable' exception, 
which is not very descriptive of the issue.

Looking deep into a very large stack trace in the log you can find:
{code:java}
YY/MM/DD HH:MM:SS [gremlin-driver-loop-1] ERROR 
driver.Handler$GremlinResponseHandler: Could not process the response
io.netty.handler.codec.http.websocketx.WebSocketClientHandshakeException: 
Invalid handshake response getStatus: 403 Forbidden
        at 
io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:272)
        at 
io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:302)
        at 
io.netty.handler.codec.http.websocketx.WebSocketClientProtocolHandshakeHandler.channelRead(WebSocketClientProtocolHandshakeHandler.java:93)
{code}
And further you can also find:
{code:java}
Caused by: org.apache.tinkerpop.gremlin.driver.exception.ConnectionException: 
Could not complete connection setup to the server. Ensure that SSL is correctly 
configured at both the client and the server. Ensure that client WebSocket 
handshake protocol matches the server. Ensure that the server is still 
reachable. 2 at 
org.apache.tinkerpop.gremlin.driver.SigV4WebSocketChannelizer.connected(SigV4WebSocketChannelizer.java:217)
 3 at 
org.apache.tinkerpop.gremlin.driver.Connection.<init>(Connection.java:120) 4 
... 8 more{code}
Neither of these things are that helpful except for the 403 forbidden. 

Most end users will have a hard to getting anywhere from here, I am suggesting 
we improve this by adding a better description in the error message and 
allowing an exception that indicates that the credentials are incorrect to 
bubble out.

This will require changes in TinkerPop and the IAM SigV4 channelizer.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to