Skip to content

Add auth cache in nginx for s3 endpoint#712

Open
mishaschwartz wants to merge 3 commits into
masterfrom
s3-auth-cache
Open

Add auth cache in nginx for s3 endpoint#712
mishaschwartz wants to merge 3 commits into
masterfrom
s3-auth-cache

Conversation

@mishaschwartz
Copy link
Copy Markdown
Collaborator

@mishaschwartz mishaschwartz commented Jun 1, 2026

Overview

Adds a cache for the s3 auth endpoint (that calls Twitcher's verify endpoint) so that repeated requests to the S3 store don't overwhelm twitcher and cause client connection issues if twitcher or nginx fails to properly authorize access to a resource.

This issue may arise if a client is processing a large S3 object in parallel by accessing different byte-ranges simultaneously. This results in many simultaneous requests to the same resource, each of which hits twitcher's verify endpoint. With this change, only the first request each minute will hit twitcher and the rest will only hit the cache.

Some implementation details to note:

  • responses are only cached for 1 minute to ensure that if a user's permissions are changed (on Magpie) their previous
    permissions expire quickly
  • the value of Magpie's cookie as well as the auth header is used as a cache key which allows us to cache cookie based
    and token-based authentication methods

Changes

Non-breaking changes

  • Adds cache

Breaking changes

  • None

Related Issue / Discussion

Additional Information

Note that this could be implemented for other endpoints as well (i.e. thredds).

CI Operations

birdhouse_daccs_configs_branch: master
birdhouse_skip_ci: false

@github-actions github-actions Bot added documentation Improvements or additions to documentation component/magpie Related to https://github.com/Ouranosinc/Magpie labels Jun 1, 2026
@crim-jenkins-bot
Copy link
Copy Markdown
Collaborator

crim-jenkins-bot commented Jun 1, 2026

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/4312/
Result 🆘 ABORTED

BIRDHOUSE_DEPLOY_BRANCH : s3-auth-cache
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-118.rdext.crim.ca

⚠️ Infrastructure deployment failed. ⚠️
Instance destroyed due to CI execution.
To debug, launch an instance manually with PR reference s3-auth-cache.

tlvu
tlvu approved these changes Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@tlvu tlvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread birdhouse/components/s3/config/proxy/conf.extra-service.d/s3.conf.template Outdated
# of the same file in parallel (for example).
proxy_cache "s3_auth_cache";
proxy_cache_key "$request_uri:uri:$http_authorization:cache:$cookie_${MAGPIE_COOKIE_NAME}";
proxy_cache_valid 200 401 403 1m;
Copy link
Copy Markdown
Collaborator

@tlvu tlvu Jun 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reasons someone would want a longer or shorter cache timeout than 1m? Worth to make it configurable?

Copy link
Copy Markdown
Collaborator Author

@mishaschwartz mishaschwartz Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that 1m is a reasonable default but it's always worth making things configurable

fmigneault
fmigneault reviewed Jun 2, 2026
View reviewed changes
Comment thread birdhouse/components/magpie/default.env
Comment thread birdhouse/components/s3/config/proxy/conf.extra-service.d/s3.conf.template
Comment thread birdhouse/components/s3/config/proxy/conf.extra-service.d/s3.conf.template
@mishaschwartz mishaschwartz requested a review from fmigneault June 3, 2026 13:07
@crim-jenkins-bot
Copy link
Copy Markdown
Collaborator

crim-jenkins-bot commented Jun 3, 2026

E2E Test Results

DACCS-iac Pipeline Results

Build URL : http://daccs-jenkins.crim.ca:80/job/DACCS-iac-birdhouse/4323/
ResultFAILURE

BIRDHOUSE_DEPLOY_BRANCH : s3-auth-cache
DACCS_IAC_BRANCH : master
DACCS_CONFIGS_BRANCH : master
PAVICS_E2E_WORKFLOW_TESTS_BRANCH : master
PAVICS_SDI_BRANCH : master

DESTROY_INFRA_ON_EXIT : true
PAVICS_HOST : https://host-140-118.rdext.crim.ca

PAVICS-e2e-workflow-tests Pipeline Results

Tests URL : http://daccs-jenkins.crim.ca:80/job/PAVICS-e2e-workflow-tests/job/master/845/

NOTEBOOK TEST RESULTS 
    
[2026-06-03T13:15:00.312Z] ============================= test session starts ==============================
[2026-06-03T13:15:00.312Z] platform linux -- Python 3.12.13, pytest-9.0.3, pluggy-1.6.0
[2026-06-03T13:15:00.312Z] rootdir: /home/jenkins/agent/workspace/PAVICS-e2e-workflow-tests_master
[2026-06-03T13:15:00.312Z] plugins: xdist-3.8.0, anyio-4.13.0, nbval-0.11.0, tornasync-0.6.0.post2, typeguard-4.5.1
[2026-06-03T13:15:00.312Z] collected 618 items
[2026-06-03T13:15:00.312Z] 
[2026-06-03T13:15:09.193Z] notebooks-auth/geoserver.ipynb ..................                        [  2%]
[2026-06-03T13:16:34.212Z] notebooks-auth/test_cowbird_jupyter.ipynb ........F.                     [  4%]
[2026-06-03T13:16:34.212Z] notebooks-auth/test_thredds.ipynb ...........                            [  6%]
[2026-06-03T13:18:06.372Z] pavics-sdi-master/docs/source/notebooks/CaSR_basic.ipynb ......          [  7%]
[2026-06-03T13:31:09.682Z] pavics-sdi-master/docs/source/notebooks/FAQ_dask_parallel.ipynb ..s..... [  8%]
[2026-06-03T13:32:46.121Z] .                                                                        [  8%]
[2026-06-03T13:32:47.062Z] pavics-sdi-master/docs/source/notebooks/WCS_example.ipynb ......         [  9%]
[2026-06-03T13:32:53.488Z] pavics-sdi-master/docs/source/notebooks/WFS_example.ipynb .....          [ 10%]
[2026-06-03T13:47:18.355Z] pavics-sdi-master/docs/source/notebooks/climex.ipynb ...........         [ 12%]
[2026-06-03T13:47:19.296Z] pavics-sdi-master/docs/source/notebooks/eccc-geoapi-climate-stations.ipynb . [ 12%]
[2026-06-03T13:47:29.587Z] ...............                                                          [ 14%]
[2026-06-03T13:47:42.172Z] pavics-sdi-master/docs/source/notebooks/eccc-geoapi-xclim.ipynb .....    [ 15%]
[2026-06-03T13:48:12.471Z] pavics-sdi-master/docs/source/notebooks/esgf-dap.ipynb ....              [ 16%]
[2026-06-03T13:48:30.804Z] pavics-sdi-master/docs/source/notebooks/forecasts.ipynb ......           [ 17%]
[2026-06-03T13:48:46.225Z] pavics-sdi-master/docs/source/notebooks/opendap.ipynb .......            [ 18%]
[2026-06-03T13:48:51.443Z] pavics-sdi-master/docs/source/notebooks/pavics_thredds.ipynb .....       [ 19%]
[2026-06-03T13:51:34.470Z] pavics-sdi-master/docs/source/notebooks/regridding.ipynb ............... [ 21%]
[2026-06-03T13:52:47.469Z] .............                                                            [ 23%]
[2026-06-03T13:52:53.334Z] pavics-sdi-master/docs/source/notebooks/rendering.ipynb ....             [ 24%]
[2026-06-03T13:52:55.114Z] pavics-sdi-master/docs/source/notebooks/subset-user-input.ipynb ........ [ 25%]
[2026-06-03T13:53:19.967Z] .................                                                        [ 28%]
[2026-06-03T13:53:29.383Z] pavics-sdi-master/docs/source/notebooks/subsetting.ipynb .....           [ 29%]
[2026-06-03T13:53:30.387Z] pavics-sdi-master/docs/source/notebook-components/weaver_example.ipynb . [ 29%]
[2026-06-03T13:53:47.880Z] .........                                                                [ 30%]
[2026-06-03T13:53:59.355Z] finch-main/docs/source/notebooks/dap_subset.ipynb ...........            [ 32%]
[2026-06-03T13:54:09.629Z] finch-main/docs/source/notebooks/finch-usage.ipynb ......                [ 33%]
[2026-06-03T13:54:11.009Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-1DataAccess.ipynb . [ 33%]
[2026-06-03T13:54:15.957Z] ....                                                                     [ 34%]
[2026-06-03T13:55:02.699Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-2Subsetting.ipynb . [ 34%]
[2026-06-03T13:56:31.655Z] ............                                                             [ 36%]
[2026-06-03T14:00:53.193Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-3Climate-Indicators.ipynb . [ 36%]
[2026-06-03T14:02:14.652Z] .....s                                                                   [ 37%]
[2026-06-03T14:02:15.223Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-4Ensembles.ipynb . [ 37%]
[2026-06-03T14:02:21.964Z] ..                                                                       [ 38%]
[2026-06-03T14:02:34.174Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-5Visualization.ipynb . [ 38%]
[2026-06-03T14:03:34.763Z] .........                                                                [ 39%]
[2026-06-03T14:03:49.657Z] PAVICS-landing-master/content/notebooks/climate_indicators/PAVICStutorial_ClimateDataAnalysis-6Regridding_Conversion.ipynb . [ 39%]
[2026-06-03T14:05:40.359Z] ...                                                                      [ 40%]
[2026-06-03T14:05:40.359Z] PAVICS-landing-master/content/notebooks/hydrology/PAVICStutorial_Hydrology-01_Intro.ipynb . [ 40%]
[2026-06-03T14:05:45.131Z] ....                                                                     [ 41%]
[2026-06-03T14:05:50.408Z] PAVICS-landing-master/content/notebooks/hydrology/PAVICStutorial_Hydrology-02_Calibration.ipynb . [ 41%]
[2026-06-03T14:06:01.056Z] .....                                                                    [ 42%]
[2026-06-03T14:06:06.330Z] PAVICS-landing-master/content/notebooks/hydrology/PAVICStutorial_Hydrology-03_Watershed_properties.ipynb . [ 42%]
[2026-06-03T14:06:15.645Z] .............                                                            [ 44%]
[2026-06-03T14:06:22.214Z] PAVICS-landing-master/content/notebooks/hydrology/PAVICStutorial_Hydrology-04_Time_series_analysis.ipynb . [ 44%]
[2026-06-03T14:06:23.250Z] ......                                                                   [ 45%]
[2026-06-03T14:06:34.067Z] raven-main/docs/source/notebooks/Region_selection.ipynb .........        [ 47%]
[2026-06-03T14:06:36.613Z] raven-main/docs/source/notebooks/Subset_climate_data_over_watershed.ipynb . [ 47%]
[2026-06-03T14:07:04.088Z] ......                                                                   [ 48%]
[2026-06-03T14:07:05.999Z] RavenPy-main/docs/notebooks/00_Introduction_to_JupyterLab.ipynb ......   [ 49%]
[2026-06-03T14:07:16.386Z] RavenPy-main/docs/notebooks/01_Getting_watershed_boundaries.ipynb ...... [ 50%]
[2026-06-03T14:07:16.386Z] ..                                                                       [ 50%]
[2026-06-03T14:07:24.525Z] RavenPy-main/docs/notebooks/02_Extract_geographical_watershed_properties.ipynb . [ 50%]
[2026-06-03T14:07:28.028Z] .............                                                            [ 52%]
[2026-06-03T14:08:29.590Z] RavenPy-main/docs/notebooks/03_Extracting_forcing_data.ipynb ........... [ 54%]
[2026-06-03T14:08:29.590Z]                                                                          [ 54%]
[2026-06-03T14:08:36.654Z] RavenPy-main/docs/notebooks/04_Emulating_hydrological_models.ipynb ..... [ 55%]
[2026-06-03T14:08:46.959Z] ...............                                                          [ 57%]
[2026-06-03T14:08:52.815Z] RavenPy-main/docs/notebooks/05_Advanced_RavenPy_configuration.ipynb .... [ 58%]
[2026-06-03T14:09:01.680Z] .........                                                                [ 59%]
[2026-06-03T14:09:15.666Z] RavenPy-main/docs/notebooks/06_Raven_calibration.ipynb ......            [ 60%]
[2026-06-03T14:09:23.768Z] RavenPy-main/docs/notebooks/07_Making_and_using_hotstart_files.ipynb ... [ 61%]
[2026-06-03T14:09:26.174Z] ...                                                                      [ 61%]
[2026-06-03T14:09:32.863Z] RavenPy-main/docs/notebooks/08_Getting_and_bias_correcting_CMIP6_data.ipynb . [ 61%]
[2026-06-03T14:10:27.993Z] ............sss                                                          [ 64%]
[2026-06-03T14:10:34.567Z] RavenPy-main/docs/notebooks/09_Hydrological_impacts_of_climate_change.ipynb . [ 64%]
[2026-06-03T14:10:42.056Z] ....                                                                     [ 65%]
[2026-06-03T14:11:26.258Z] RavenPy-main/docs/notebooks/10_Data_assimilation.ipynb ........          [ 66%]
[2026-06-03T14:11:37.493Z] RavenPy-main/docs/notebooks/11_Climatological_ESP_forecasting.ipynb .... [ 67%]
[2026-06-03T14:12:05.842Z] ....                                                                     [ 67%]
[2026-06-03T14:12:15.838Z] RavenPy-main/docs/notebooks/12_Performing_hindcasting_experiments.ipynb . [ 67%]
[2026-06-03T14:12:25.957Z] .......                                                                  [ 69%]
[2026-06-03T14:12:54.890Z] RavenPy-main/docs/notebooks/Assess_probabilistic_flood_risk.ipynb ...... [ 70%]
[2026-06-03T14:12:54.890Z] .                                                                        [ 70%]
[2026-06-03T14:13:04.887Z] RavenPy-main/docs/notebooks/Comparing_hindcasts_and_ESP_forecasts.ipynb . [ 70%]
[2026-06-03T14:13:24.684Z] .......                                                                  [ 71%]
[2026-06-03T14:13:32.826Z] RavenPy-main/docs/notebooks/Distributed_hydrological_modelling.ipynb ... [ 72%]
[2026-06-03T14:13:52.307Z] ....                                                                     [ 72%]
[2026-06-03T14:14:05.848Z] RavenPy-main/docs/notebooks/Hydrological_realtime_forecasting.ipynb .... [ 73%]
[2026-06-03T14:14:12.398Z] ..                                                                       [ 73%]
[2026-06-03T14:14:22.859Z] RavenPy-main/docs/notebooks/Managing_Jupyter_Environments.ipynb ...      [ 74%]
[2026-06-03T14:14:53.008Z] RavenPy-main/docs/notebooks/Perform_Regionalization.ipynb .......        [ 75%]
[2026-06-03T14:14:59.686Z] RavenPy-main/docs/notebooks/Running_HMETS_with_CANOPEX_dataset.ipynb ... [ 75%]
[2026-06-03T14:15:17.210Z] ..........                                                               [ 77%]
[2026-06-03T14:15:42.131Z] RavenPy-main/docs/notebooks/Sensitivity_analysis.ipynb ......            [ 78%]
[2026-06-03T14:15:47.959Z] RavenPy-main/docs/notebooks/time_series_analysis.ipynb ...........       [ 80%]
[2026-06-03T14:15:56.088Z] RavenPy-main/docs/notebooks/paper/Perform_a_climate_change_impact_study_on_a_watershed.ipynb . [ 80%]
[2026-06-03T14:20:15.933Z] .............Fxxxxxx                                                     [ 83%]
[2026-06-03T14:20:17.963Z] xhydro-main/docs/notebooks/pavics_notebooks/climate_change.ipynb ....... [ 84%]
[2026-06-03T14:20:43.915Z] .........................                                                [ 88%]
[2026-06-03T14:20:56.137Z] xhydro-main/docs/notebooks/pavics_notebooks/hydrological_modelling_raven_distributed.ipynb . [ 88%]
[2026-06-03T14:21:08.247Z] ..................FFFFFFFF                                               [ 93%]
[2026-06-03T14:22:13.564Z] xhydro-main/docs/notebooks/pavics_notebooks/pmp.ipynb .................. [ 95%]
[2026-06-03T14:22:43.850Z] ..........                                                               [ 97%]
[2026-06-03T14:22:46.286Z] notebooks/hummingbird.ipynb ..........                                   [ 99%]
[2026-06-03T14:25:35.434Z] notebooks/stress-tests.ipynb .....                                       [100%]
[2026-06-03T14:25:35.434Z] 
[2026-06-03T14:25:35.434Z] =================================== FAILURES ===================================

fmigneault
fmigneault approved these changes Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@fmigneault fmigneault left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All good :shipit:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tlvu tlvu tlvu approved these changes

@fmigneault fmigneault fmigneault approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

component/magpie Related to https://github.com/Ouranosinc/Magpie documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mishaschwartz @crim-jenkins-bot @tlvu @fmigneault