问题描述
在NodeJS应用程序中同时使用@opentelemetry/plugin-https和aws-sdk时,opentelemetry插件会将traceparent标头添加到每个AWS请求中。如果不需要在aws-sdk中重试,则此方法很好。当aws-sdk重试请求时,可能会发生以下错误:
-
InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. -
SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
第一个AWS请求包含以下标头:
-
traceparent: '00-32c9b7adee1da37fad593ee38e9e479b-875169606368a166-01' -
Authorization: 'AWS4-HMAC-SHA256 Credential=<credential>,SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target,Signature=<signature>'
请注意,SignedHeaders 不包括traceparent。
重试的请求包含以下标头:
-
traceparent: '00-c573e391a455a207469ffa4fb75b3cab-6f20c315628cfcc0-01' -
Authorization: AWS4-HMAC-SHA256 Credential=<credential>,SignedHeaders=host;traceparent;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target,Signature=<signature>
请注意,SignedHeaders 确实包括traceparent。
在发送重试请求之前,@opentelemetry/plugin-https设置了新的traceparent标头,这使AWS请求的签名无效。
以下是重现此问题的代码(在达到导致重试的速率限制之前,您可能需要运行脚本几次):
const opentelemetry = require("@opentelemetry/api");
const { NodeTracerProvider } = require("@opentelemetry/node");
const { SimpleSpanProcessor } = require("@opentelemetry/tracing");
const { JaegerExporter } = require("@opentelemetry/exporter-jaeger");
const provider = new NodeTracerProvider({
plugins: {
https: {
enabled: true,path: "@opentelemetry/plugin-https"
}
}
});
const exporter = new JaegerExporter({ serviceName: "test" });
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));
provider.register();
const AWS = require("aws-sdk");
const main = async () => {
const cwl = new AWS.CloudWatchLogs({ region: "us-east-1" });
const promises = new Array(100).fill(true).map(() => new Promise((resolve,reject) => {
cwl.describeLogGroups(function (err,data) {
if (err) {
console.log(err.name);
console.log("Got error:",err.message);
console.log("ERROR Request Authorization:");
console.log(this.request.httpRequest.headers.Authorization);
console.log("ERROR Request traceparent:");
console.log(this.request.httpRequest.headers.traceparent);
console.log("Retry count:",this.retryCount);
reject(err);
return;
}
resolve(data);
});
}));
const result = await Promise.all(promises);
console.log(result.length);
};
main().catch(console.error);
可能的解决方案:
- 忽略
@opentelemetry/plugin-https中所有对aws的呼叫。- 忽略对aws的调用将导致aws请求的所有跨度丢失。
- 将
traceparent标头添加到unsignableHeaders-aws-sdk中的AWS.Signers.V4.prototype.unsignableHeaders.push("traceparent");- 如果其他节点模块使用
aws-sdk的不同版本,那么更改原型似乎是很困难的事,也无法解决问题。
- 如果其他节点模块使用
还有其他解决方案可以使我保留AWS请求的跨度并保证所有AWS请求的签名都是正确的吗?
更新(2020年12月16日):
该问题似乎已在aws sdk v3
中解决以下代码引发正确的错误(ThrottlingException):
const opentelemetry = require("@opentelemetry/api");
const { NodeTracerProvider } = require("@opentelemetry/node");
const { SimpleSpanProcessor } = require("@opentelemetry/tracing");
const { JaegerExporter } = require("@opentelemetry/exporter-jaeger");
const { CloudWatchLogs } = require("@aws-sdk/client-cloudwatch-logs");
const provider = new NodeTracerProvider({
plugins: {
https: {
enabled: true,path: "@opentelemetry/plugin-https"
}
}
});
const exporter = new JaegerExporter({ serviceName: "test" });
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));
provider.register();
const main = async () => {
const cwl = new CloudWatchLogs({ region: "us-east-1" });
const promises = new Array(100).fill(true).map(() => new Promise((resolve,reject) => {
cwl.describeLogGroups({ limit: 50 })
.then(resolve)
.catch((err) => {
console.log(err.name);
console.log("Got error:",err.message);
reject(err);
});
}));
const result = await Promise.all(promises);
console.log(result.length);
};
main().catch(console.error);
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)