Relay fails to get projects configs

konstantin-popov · June 25, 2021, 11:29am

Hello!
I’m trying to set up self-hosted sentry with a relay connected by kafka. After sending a test event (using python SDK) to the relay I see on logs following error:
2021-06-25T11:14:06Z [relay_server::actors::project_upstream] ERROR: error fetching project states: upstream request returned error 403 Forbidden.
tcpdump says that relay makes a POST /api/0/relays/projectconfigs/?version=2 HTTP/1.1 to upstream with body {"publicKeys":["<project_public_key>"],"fullConfig":true,"noCache":false} but upstream replies with 403 "Relay unauthorized for full config information". In sentry source a see that “fullConfig” can be given only to “internal” relay. Is there a way to register relay as “internal”? As far as I see on relay source it wants fullConfig if processing is enabled.

Relay config:

relay:
  mode: managed
  upstream: "<sentry_host>"
  host: 0.0.0.0
  port: 3000
  tls_port: ~
  tls_identity_path: ~
  tls_identity_password: ~
logging:
  level: DEBUG
processing:
  enabled: true
  kafka_config:
    - {name: "bootstrap.servers", value: "<host>"}
    - {name: "message.max.bytes", value: 50000000} # 50MB
    - {name: "security.protocol", value: "SASL_SSL"}
    - {name: "sasl.mechanisms", value: "SCRAM-SHA-512"}
    - {name: "sasl.username", value: "<user>"}
    - {name: "sasl.password", value: "<pass>"}
    - {name: "ssl.ca.location", value: "<crt_path>"}
  redis: redis://:<redis_pass>@<redis_host>:6379/0

BYK · June 25, 2021, 12:52pm

If it is possible to put Relay on the same subnet with Sentry, it will automatically register it as a internal relay. Otherwise you need to generate a key pair and add the public key to your sentry.conf.py file under the SENTRY_RELAY_WHITELIST_PK key:

github.com

getsentry/sentry/blob/e7528c51ba772262ad9f9b560ca89c7f36a2f978/src/sentry/conf/server.py#L2012

    
      
                  "filters": {"filetypes": ["pdb", "breakpad", "sourcebundle"]},
                  "is_public": True,
              },
          }
          
          
# Relay
          # List of PKs explicitly allowed by Sentry.  All relays here are always
          # registered as internal relays.
          # DEPRECATED !!! (18.May.2021) This entry has been deprecated in favour of
          # ~/.sentry/conf.yml (relay.static_auth)
          SENTRY_RELAY_WHITELIST_PK = [
              # NOTE (RaduW) This is the relay key for the relay instance used by devservices.
              # This should NOT be part of any production environment.
              # This key should match the key in /sentry/config/relay/credentials.json
              "SMSesqan65THCV6M4qs4kBzPai60LzuDn-xNsvYpuP8"
          ]
          
          
# When open registration is not permitted then only relays in the
          # list of explicitly allowed relays can register.
          SENTRY_RELAY_OPEN_REGISTRATION = True

Eh, just saw the deprecation notice, you can add them to your sentry/config.yml file as follows:

github.com/getsentry/sentry

feat(Relay): Implement static configuration for relay authentication

getsentry:master ← getsentry:feat/statically-configured-relays

opened 01:34PM - 20 May 21 UTC

RaduW

+251 -77

This PR adds the ability to support statically configured Relays. Statically co…nfigured Relays are Relays that do not need to do a registration challenge/response communication session before they are allowed to send requests to Relay Authenticated endpoints. Statically configured Relay are able to start operating immediately and can become functional even even if Sentry db is down.

konstantin-popov · June 25, 2021, 1:57pm

That worked, thanks!
Offtop: why are the settings moved to yml? Settings become static there and it makes it hard to configure sentry from environment.

BYK · June 28, 2021, 8:18am

Getting complex settings from env variables become error prone and hard to manage so we are gearing towards static configuration for the things we can. This allows us to define schemas, validate the config statically etc. It is a slow and ongoing process tho and I’m not sure if we ever will be able to get rid of sentry.conf.py file.

system · July 13, 2021, 8:18am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getsentry/relay not accepting config file On-Premise	6	2145	August 10, 2020
Relay authentication On-Premise	7	4209	July 15, 2021
Sentry Kafka SASL On-Premise	3	2655	September 1, 2021
Relay messages are not sent to AWS MSK's Kafka Topic On-Premise	3	2448	April 7, 2021
Relay 403 error On-Premise	4	2459	January 28, 2021

Relay fails to get projects configs

Related topics