Unexpected HTTP Responses
If you get unexpected HTTP response codes while using or integrating with Gateway, use these tips to troubleshoot the cause of the responses. An example of an unexpected response is if permission is denied (HTTP 403) on an object believed to be accessible.
Tip
Enabling Swarm Storage audit logs (Configuring External Logging) allows tracking all requests the Gateway sends related to a client request.
Request ID in Responses
To aid with tracking transactions, all Gateway HTTP responses contain a header with the request ID. This request ID is also recorded in the Gateway's server log file and the audit log file. Searching the server log file for a given request ID shows the processing steps that took place during the handling of the request.
These are three examples where the request ID is found in a client response:
SCSP Response Header
Gateway-Request-Id: 375400C95338546F
S3 Response Header
x-amz-request-id: 375400C95338546F
S3 Error Response Body
<RequestId>375400C95338546F</RequestId>
Request ID in Logs
Log Level
You must enable debug-level logging on Gateway to see these log entries. See Gateway Logging.
Search for the request ID in the Gateway server log:
The search results from the log show:
Request URI and whether an Authorization or cookie header is on the request
Action being performed, such as CreateDomain, GetObject
Owner of the context for the request
Merged Policy document used to evaluate authorization
LDAP search filter used for user or group lookups
Reason for the HTTP response
The merged Policy is normally a combination of the root, domain, and bucket policies. An example log entry showing the context owner and a merged Policy document is:
When using the Policy conditions, such as the Referer header restrictions, the merged Policy that is logged is the one used to evaluate permissions for the request. Check the condition statements to see which is being used if the expected portion of the Policy is not displaying.
Additional error details are contained with the HTTP response header Gateway-ErrorDetails
and are also logged in the Gateway server log. An example of this type of log message is:
In the previous example, the user george, the full LDAP DN is given, is not allowed to perform the requested action within the /reports bucket because he is not the owner, john, and because there is no Policy that grants him permission.
If necessary for application debugging, the Gateway can dump the HTTP request headers received with each request. To enable request header logging, add the following setting to the gateway.cfg
file and restart the Gateway process:
Tip
Use debug sparingly! It can produce a significant amount of extra information in the server log, including security-related Authorization and Cookie headers.
An example of the request headers in the log output is:
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.