SNOW-1507358: OCSP validation fails if hostname is not provided #1980

Status: Closed
vinodseshadri opened this issue Jun 26, 2024 · 3 comments · May be fixed by #1981
Labels: question, status-triage_done (Initial triage done, will be further handled by the driver team)

Comments
vinodseshadri commented Jun 26, 2024
Python version

Python 3.10.12

Operating system and processor architecture

Linux-5.10.215-203.850.amzn2.x86_64-x86_64-with-glibc2.26

Installed packages

snowflake-connector-python==3.11.0

What did you do?

Write simple connection code to any **private link** Snowflake account.

Shown below:


```python
from snowflake import connector as sf

# pkb: the DER-encoded private key bytes used for key-pair auth (loaded earlier, not shown)
ctx = sf.connect(user = "xxxx",
                 account = "xxxxx.us-east-1.privatelink",
                 region = "us-east-1",
                 private_key = pkb,
                 database = "xxxx",
                 schema = "xxxxx",
                 warehouse = "xxxxx" )
```

What did you expect to see?

Expected

Connection created successfully.

Actual

Instead, it timed out with the JWT token.

Debug Logs result
In the debug logs, the below can be seen

DEBUG:snowflake.connector.ocsp_snowflake: Failed to get OCSP response cache from http://ocsp.snowflakecomputing.com/ocsp_response_cache.json

Can you set logging to DEBUG and collect the logs?

```python
import logging
import os

for logger_name in ('snowflake.connector',):
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    ch = logging.StreamHandler()
    ch.setLevel(logging.DEBUG)
    ch.setFormatter(logging.Formatter('%(asctime)s - %(threadName)s %(filename)s:%(lineno)d - %(funcName)s() - %(levelname)s - %(message)s'))
    logger.addHandler(ch)
```
@github-actions github-actions bot changed the title OCSP validation fails if hostname is not provided SNOW-1507358: OCSP validation fails if hostname is not provided Jun 26, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Jun 27, 2024
sfc-gh-dszmolka (Contributor) commented:

Hi - thanks for raising this issue. Neither the configuration nor the error message looks right here.
The driver should not even try to go to the public OCSP Cache Server (ocsp.snowflakecomputing.com) if the connection configuration is correct. That's the whole idea behind private link - traffic does not go to any public endpoint.

Can you please try the following:

  • lose the region from your configuration, only use account = "xxxxx.us-east-1.privatelink",
  • make double sure that the accountname.us-east-1.privatelink.snowflakecomputing.com hostname actually resolves to the VPCE IP(s) when doing a dig, host, nslookup, etc. from the host you're running the Python Connector on. This is important. This hostname should not resolve to the public LB IPs. If it does, you have a DNS configuration problem.
  • if it still does not work, please use the logging suggested here and share the full logs (of course with account, JWT and other sensitive data sanitized). If you don't want to share it here publicly, you can raise a Support Case to work 1:1 with a Support Engineer.

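The two checks in the comment above (the deployment hostname must resolve to VPCE addresses, and nothing should reach the public OCSP cache server) can be scripted. The following is an added example, not code from snowflake-connector-python or from either participant: it resolves every host returned by SYSTEM$ALLOWLIST_PRIVATELINK and flags any that resolve outside the VPC. The allowlist JSON and the DNS answers are constructed samples (the OCSP cache host is deliberately misconfigured to resolve publicly), the account locator and hostnames are placeholders, and `expected_hostname` is a simplified stand-in for the connector's construct_hostname logic, not its actual implementation.

```python
"""Verify that a Snowflake private-link setup resolves to private (VPCE) addresses.

Added example for the troubleshooting steps in the thread; not part of
snowflake-connector-python. Hostnames, allowlist JSON and DNS answers below
are constructed samples.
"""
import ipaddress
import json
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

SNOWFLAKE_DOMAIN = "snowflakecomputing.com"


def expected_hostname(account: str, region: Optional[str] = None) -> str:
    """Hostname the connector is expected to contact for an account identifier.

    Simplified assumption (not the connector's real construct_hostname): a dotted
    identifier such as 'xxxxx.us-east-1.privatelink' already carries the region
    and privatelink segments, so a separate region is ignored; a bare locator
    gets the region appended when one is given.
    """
    if "." in account or not region:
        return f"{account}.{SNOWFLAKE_DOMAIN}"
    return f"{account}.{region}.{SNOWFLAKE_DOMAIN}"


def classify(addrs: Iterable[str]) -> str:
    """Classify resolved addresses: 'private' (all RFC 1918 / ULA, i.e. inside the
    VPC), 'public' (none private), 'mixed', or 'unresolved' (no answer)."""
    flags = [ipaddress.ip_address(a).is_private for a in addrs]
    if not flags:
        return "unresolved"
    if all(flags):
        return "private"
    if not any(flags):
        return "public"
    return "mixed"


def resolve(host: str) -> List[str]:
    """Live A/AAAA lookup, deduplicated; empty list if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_allowlist(allowlist_json: str,
                    resolver: Callable[[str], List[str]] = resolve) -> Dict[str, str]:
    """Resolve every host in SYSTEM$ALLOWLIST_PRIVATELINK output and classify it.

    A resolver can be injected so the check runs offline against recorded answers.
    """
    return {entry["host"]: classify(resolver(entry["host"]))
            for entry in json.loads(allowlist_json)}


def non_private_hosts(report: Dict[str, str]) -> List[str]:
    """Hosts that would send traffic outside the VPC (or cannot be resolved at all)."""
    return sorted(h for h, verdict in report.items() if verdict != "private")


# Constructed sample in the shape of SYSTEM$ALLOWLIST_PRIVATELINK output; the
# account locator and hostnames are placeholders.
SAMPLE_ALLOWLIST = json.dumps([
    {"type": "SNOWFLAKE_DEPLOYMENT",
     "host": "xxxxx.us-east-1.privatelink.snowflakecomputing.com", "port": 443},
    {"type": "OCSP_CACHE",
     "host": "ocsp.xxxxx.us-east-1.privatelink.snowflakecomputing.com", "port": 80},
])

# Constructed DNS answers standing in for the resolver inside the VPC. The OCSP
# cache host is deliberately misconfigured: it resolves to a public address.
SAMPLE_DNS = {
    "xxxxx.us-east-1.privatelink.snowflakecomputing.com": ["10.0.1.23", "10.0.2.45"],
    "ocsp.xxxxx.us-east-1.privatelink.snowflakecomputing.com": ["52.0.0.10"],
}


def sample_report() -> Dict[str, str]:
    """Run the check against the constructed samples instead of live DNS."""
    return check_allowlist(SAMPLE_ALLOWLIST, lambda h: SAMPLE_DNS.get(h, []))


if __name__ == "__main__":
    report = sample_report()
    for host, verdict in report.items():
        print(f"{verdict:10s} {host}")
    # Non-zero exit if anything leaves the VPC: a DNS problem, not a driver bug.
    sys.exit(1 if non_private_hosts(report) else 0)
```

To run it against a real deployment, feed the JSON returned by `SELECT SYSTEM$ALLOWLIST_PRIVATELINK();` to `check_allowlist` with the default live resolver from the same host the connector runs on; any host reported as anything other than `private` is the DNS problem the maintainer describes, independent of the driver.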
@sfc-gh-dszmolka sfc-gh-dszmolka added question status-triage_done Initial triage done, will be further handled by the driver team and removed bug needs triage labels Jun 27, 2024

vinodseshadri commented Jun 27, 2024

> lose the region from your configuration, only use account = "xxxxx.us-east-1.privatelink",

Still fails. Based on what is present in construct_hostname, I believe it shouldn't matter.

> make double sure that the accountname.us-east-1.privatelink.snowflakecomputing.com hostname actually resolves to the VPCE IP(s) when doing a dig, host, nslookup, etc. from the host you're running the PythonConnector. This is important. This hostname should not resolve to the public LB IP's. If it does, you have a DNS configuration problem.

Yes, it does resolve to internal AWS VPCE IPs.

> if it still does not work, please use the logging suggested here and share the full logs (of course account , JWT, other sensitive data sanitized) If you don't want to share it here publicly, you can raise a Support Case to work 1:1 with a Support Engineer.

I am not sure if I could do that, but I would try raising a support ticket.
But I do believe the issue is in the Python SDK, since SYSTEM$ALLOWLIST_PRIVATELINK gives back the right OCSP (the one with the private link) and I can access that with curl with no issues.

BTW, if I give the host name as part of sf.connect as xxxxx.us-east-1.privatelink.snowflakecomputing.com, it works fine.

sfc-gh-dszmolka (Contributor) commented:

Thank you for testing. I strongly suggest continuing this in a Support Case, because we will definitely need logs.

Many of our users use the Python Connector successfully in the private link setup, so we'll need to figure out what is different in your case, and logs are essential for that. I understand those can't be shared here; that's no problem. Thank you in advance!
(Closing this one out in favour of the Support Case, but I will still monitor this ticket, so if anything comes up, do comment please.)
