在NodeJS 应用程序中同时使用@opentelemetry/plugin-https和时,opentelemetry 插件会将标头添加到每个 AWS 请求。如果不需要在. 当 aws-sdk 重试请求时,可能会发生以下错误:aws-sdktraceparentaws-sdk
InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
第一个 AWS 请求包含以下标头:
traceparent: '00-32c9b7adee1da37fad593ee38e9e479b-875169606368a166-01'Authorization: 'AWS4-HMAC-SHA256 Credential=<credential>, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target, Signature=<signature>'
请注意,SignedHeaders 不包括traceparent.
重试请求包含以下标头:
traceparent: '00-c573e391a455a207469ffa4fb75b3cab-6f20c315628cfcc0-01'Authorization: AWS4-HMAC-SHA256 Credential=<credential>, SignedHeaders=host;traceparent;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-target, Signature=<signature>
请注意,SignedHeaders 确实包括traceparent.
在发送重试请求之前,会@opentelemetry/plugin-https设置新的traceparent标头,这会使 AWS 请求的签名无效。
这是重现问题的代码(您可能需要运行脚本几次才能达到导致重试的速率限制):
const opentelemetry = require("@opentelemetry/api");
const { NodeTracerProvider } = require("@opentelemetry/node");
const { SimpleSpanProcessor } = require("@opentelemetry/tracing");
const { JaegerExporter } = require("@opentelemetry/exporter-jaeger");
const provider = new NodeTracerProvider({
plugins: {
https: {
enabled: true,
path: "@opentelemetry/plugin-https"
}
}
});
const exporter = new JaegerExporter({ serviceName: "test" });
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));
provider.register();
const AWS = require("aws-sdk");
const main = async () => {
const cwl = new AWS.CloudWatchLogs({ region: "us-east-1" });
const promises = new Array(100).fill(true).map(() => new Promise((resolve, reject) => {
cwl.describeLogGroups(function (err, data) {
if (err) {
console.log(err.name);
console.log("Got error:", err.message);
console.log("ERROR Request Authorization:");
console.log(this.request.httpRequest.headers.Authorization);
console.log("ERROR Request traceparent:");
console.log(this.request.httpRequest.headers.traceparent);
console.log("Retry count:", this.retryCount);
reject(err);
return;
}
resolve(data);
});
}));
const result = await Promise.all(promises);
console.log(result.length);
};
main().catch(console.error);
可能的解决方案:
- 忽略所有对 aws 的调用
@opentelemetry/plugin-https。- 忽略对 aws 的调用将导致丢失所有对 aws 请求的跨度。
- 将
traceparent标题添加unsignableHeaders到aws-sdk-AWS.Signers.V4.prototype.unsignableHeaders.push("traceparent");- 更改原型似乎是一种 hack,并且如果另一个节点模块使用不同版本的
aws-sdk.
- 更改原型似乎是一种 hack,并且如果另一个节点模块使用不同版本的
是否有另一种解决方案可以让我保留 aws 请求的跨度并保证所有 aws 请求的签名都是正确的?
更新(16.12.2020):
该问题似乎已在aws sdk v3中得到解决
以下代码会引发正确的错误 (ThrottlingException):
const opentelemetry = require("@opentelemetry/api");
const { NodeTracerProvider } = require("@opentelemetry/node");
const { SimpleSpanProcessor } = require("@opentelemetry/tracing");
const { JaegerExporter } = require("@opentelemetry/exporter-jaeger");
const { CloudWatchLogs } = require("@aws-sdk/client-cloudwatch-logs");
const provider = new NodeTracerProvider({
plugins: {
https: {
enabled: true,
path: "@opentelemetry/plugin-https"
}
}
});
const exporter = new JaegerExporter({ serviceName: "test" });
provider.addSpanProcessor(new SimpleSpanProcessor(exporter));
provider.register();
const main = async () => {
const cwl = new CloudWatchLogs({ region: "us-east-1" });
const promises = new Array(100).fill(true).map(() => new Promise((resolve, reject) => {
cwl.describeLogGroups({ limit: 50 })
.then(resolve)
.catch((err) => {
console.log(err.name);
console.log("Got error:", err.message);
reject(err);
});
}));
const result = await Promise.all(promises);
console.log(result.length);
};
main().catch(console.error);