return different status code for internode communication (#17655)

mc admin trace -a will be able to quickly show 401 Unauthorized header to pinpoint trivial issues between nodes, such as wrong root credentials and skewed time.
2024-07-21 18:35:07 +00:00 · 2023-07-15 02:34:55 +01:00 · 2023-07-15 02:34:55 +01:00 · df29d25e6b
parent 3e196fa7b3
commit df29d25e6b
2 changed files with 13 additions and 5 deletions
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@ -46,6 +46,8 @@ var (
 	errAccessKeyDisabled  = errors.New("The access key you provided is disabled")
 	errAuthentication     = errors.New("Authentication failed, check your access credentials")
 	errNoAuthToken        = errors.New("JWT token missing")
+	errSkewedAuthTime     = errors.New("Skewed authenticationdate/time")
+	errMalformedAuth      = errors.New("Malformed authentication input")
 )

 // cachedAuthenticateNode will cache authenticateNode results for given values up to ttl.
--- a/cmd/storage-rest-server.go
+++ b/cmd/storage-rest-server.go
@ -56,9 +56,15 @@ type storageRESTServer struct {
 }

 func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error) {
-	if errors.Is(err, errDiskStale) {
+	err = unwrapAll(err)
+	switch err {
+	case errDiskStale:
 		w.WriteHeader(http.StatusPreconditionFailed)
-	} else {
+	case errFileNotFound, errFileVersionNotFound:
+		w.WriteHeader(http.StatusNotFound)
+	case errInvalidAccessKeyID, errAccessKeyDisabled, errNoAuthToken, errMalformedAuth, errAuthentication, errSkewedAuthTime:
+		w.WriteHeader(http.StatusUnauthorized)
+	default:
 		w.WriteHeader(http.StatusForbidden)
 	}
 	w.Write([]byte(err.Error()))
@ -74,7 +80,7 @@ func storageServerRequestValidate(r *http.Request) error {
 		if err == jwtreq.ErrNoTokenInRequest {
 			return errNoAuthToken
 		}
-		return err
+		return errMalformedAuth
 	}

 	claims := xjwt.NewStandardClaims()
@ -94,7 +100,7 @@ func storageServerRequestValidate(r *http.Request) error {
 	requestTimeStr := r.Header.Get("X-Minio-Time")
 	requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
 	if err != nil {
-		return err
+		return errMalformedAuth
 	}
 	utcNow := UTCNow()
 	delta := requestTime.Sub(utcNow)
@ -102,7 +108,7 @@ func storageServerRequestValidate(r *http.Request) error {
 		delta *= -1
 	}
 	if delta > DefaultSkewTime {
-		return fmt.Errorf("client time %v is too apart with server time %v", requestTime, utcNow)
+		return errSkewedAuthTime
 	}

 	return nil