Develop Reference

powershell script listing objects on azure blob container 403 This request is not authorized to perform this operation

I have generated a SAS token from azure with the intention of using it to access a container within the storage account. I have left all the permissions, got every one of them ticked. The token got generated and I am using the code snippet below.
$TLS12Protocol = [System.Net.SecurityProtocolType] 'Ssl3 , Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLS12Protocol
$ctx = New-AzStorageContext -StorageAccountName "my-storage-account" -sastoken "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
get-azstoragecontainer -container "my-container" -Context $ctx -Debug
I get the error below, and I'm unsure as to what I'm missing.
x-ms-version:2021-06-08
Accept:application/xml
User-Agent:AzurePowershell/v1.0.0,azsdk-net-Storage.Blobs/12.12.0 (.NET Framework 4.8.4515.0; Microsoft Windows 10.0.19044 )
x-ms-client-request-id:abb66a91-xxxx-43e9-9391-xxxxxxxx
x-ms-return-client-request-id:true
client assembly: Azure.Storage.Blobs
DEBUG: Response [abb66a91-xxxx-43e9-9391-xxxxxxxx] 200 OK (00.1s)
x-ms-request-id:88fd2933-101e-0062-749d-35abda000000
x-ms-client-request-id:abb66a91-xxxx-43e9-9391-xxxxxxxx
x-ms-version:2021-06-08
x-ms-meta-hdi_version:REDACTED
x-ms-lease-status:unlocked
x-ms-lease-state:available
x-ms-has-immutability-policy:false
x-ms-has-legal-hold:false
x-ms-immutable-storage-with-versioning-enabled:REDACTED
x-ms-default-encryption-scope:$account-encryption-key
x-ms-deny-encryption-scope-override:false
Content-Length:0
Date:Tue, 31 Jan 2023 09:54:59 GMT
ETag:"0x8DA81EFF05B25D0"
Last-Modified:Fri, 19 Oct 2022 19:34:35 GMT
Server:Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
DEBUG: Request [dt45454-3b50-4ede-a572-dtrtrt] GET https://xxxxxxx.blob.core.windows.net/my-container?sv=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x-ms-version:2021-06-08
Accept:application/xml
User-Agent:AzurePowershell/v1.0.0,azsdk-net-Storage.Blobs/12.12.0 (.NET Framework 4.8.4515.0; Microsoft Windows 10.0.19044 )
x-ms-client-request-id:dt45454-3b50-4ede-a572-dtrtrt
x-ms-return-client-request-id:true
client assembly: Azure.Storage.Blobs
DEBUG: Error response [dt45454-3b50-4ede-a572-dtrtrt] 403 This request is not authorized to perform this operation. (00.0s)
x-ms-request-id:fdsf7823f-101e-0062-079d-35abda1111
x-ms-client-request-id:dt45454-3b50-4ede-a572-dtrtrt
x-ms-version:2021-06-08
x-ms-error-code:AuthorizationFailure
Content-Length:246
Content-Type:application/xml
Date:Tue, 31 Jan 2023 09:54:59 GMT
Server:Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
Storage Account Name: my-storage-account
Name PublicAccess LastModified IsDeleted VersionId
---- ------------ ------------ --------- ---------
my-container 19/08/2022 14:34:35 +00:00
DEBUG: 09:54:57 - GetAzureStorageContainerCommand end processing, Start 0 remote calls. Finish 0 remote calls. Elapsed time 1148024.64 ms. Client operation id: Azure-Storage-PowerShell-.
DEBUG: AzureQoSEvent: Module: Az.Storage:4.6.0; CommandName: Get-AzStorageContainer; PSVersion: 5.1.19041.2364; IsSuccess: True; Duration: 00:00:00.1344053
DEBUG: Finish sending metric.
DEBUG: 09:54:57 - GetAzureStorageContainerCommand end processing.

The logs you've indicated above aren't errors; rather, they're logs debugging response you've been getting because of -DEBUG command. If you intend not to get any of such responses and to use the objects on azure blob container, you can remove -DEBUG and store the values of it into a variable. I used the same code as yours and got the below results without using debug:

Cabal update failure (return code: -9)

I got that error when trying to use cabal update
below were the results of cabal update -v3
Downloading the latest package list from hackage.haskell.org
Sending:
GET /packages/archive/00-index.tar.gz HTTP/1.1
Host: hackage.haskell.org
User-Agent: cabal-install/1.16.0.2
Creating new connection to hackage.haskell.org
Received:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Thu, 13 Nov 2014 00:14:21 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: /packages/index.tar.gz
Content-Length: 0
301 - redirect
Redirecting to http://hackage.haskell.org/packages/index.tar.gz ...
Sending:
GET /packages/index.tar.gz HTTP/1.1
Host: hackage.haskell.org
User-Agent: cabal-install/1.16.0.2
Recovering connection to hackage.haskell.org
Received:
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 13 Nov 2014 00:14:21 GMT
Content-Type: application/x-gzip
Content-Length: 8090775
Connection: keep-alive
Content-MD5: bae2f93619ba845eff2f3bd544714c2c
ETag: "bae2f93619ba845eff2f3bd544714c2c"
Last-Modified: Wed, 12 Nov 2014 23:04:10 GMT
Downloaded to /root/.cabal/packages/hackage.haskell.org/00-index.tar.gz
Updating the index cache file...
cabal update: /usr/hs/tools/cabal-1.16.0.2 failure (return code=-9)
haskell was installed from justhub
Does anyone have any idea why it failed? I looked for the return code of -9 but there's no information.
Update
Thanks Reid (and user5402),
Checked the dmesg and that's definitely because it's out of memory
Out of memory: Kill process 32626 (cabal-1.16.0.2) score 711 or sacrifice child
Will upgrade the machine and try again, not sure how much would cabal-install need though, I'm on a 512MB RAM system

The value -9 probably means a child process died to SIGKILL, which in turn was probably sent by the OOM killer. Checking the output of dmesg can confirm this. If that's the case, one needs to turn up the RAM available. (based on this comment).

512Mb of RAM is not enough. Instead of upgrading machine you can enable swap.
On ubuntu do following steps:
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
It will add you 4G swap file, that will prevent killing from OS.

Couchdb Logging

Due to application requirements, I have an externally accessible CouchDB instance. I would like to see what IP addresses are attempting to authenticate with my database. By checking the couchdb.log file, I can see failed authentication attempts. They look similar to this.
[Mon, 29 Sep 2014 13:43:32 GMT] [info] [<0.28472.7>] 127.0.0.1 - - GET
/offline_master/ 401
However, no matter where I connect from, it seems that the IP address that is logged is always 127.0.0.1. Am I mis-understanding how this works? I would really like to see the IP address that is attempting to connect.

The 127.0.0.1 is the address couchDB is bound to. It's there because you can set up couchdb to respond differently depending on what host name is being used.
The only way to get the client ip address is by turning the logging level to "debug". You can do this in the configuration page in futon.
You get records like this (client IP is on 1st line):
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] 'GET' / {1,1} from "192.168.1.52"
Headers: [{'Accept',"*/*"},
{'Host',"localhost:5984"},
{'User-Agent',"curl/7.30.0"}]
[Tue, 30 Sep 2014 00:14:27 GMT] [debug] [<0.451.4>] OAuth Params: []
[Tue, 30 Sep 2014 00:14:27 GMT] [info] [<0.451.4>] 127.0.0.1 - - GET / 200
Be careful with this. The debug logs are extremely verbose. It doesn't take long to fill up a hard drive.
It is possible to set log levels by module. The module you need to set is couch_httpd. Set the default for the rest to "error" or "fatal".
See: 3.6.2 Per module logging

Custom logging in couch.log from couchapp?

Is it possible to write in the couchdb server log (the one defined by default.ini or local.ini in [log]) from a couchapp? (But from somewhere else than a view)
If that's not possible, maybe there's a workaround which would allow to log successful or unsuccessful authentication attemps in the couchdb server log? I'd like to process this server side and would like to avoid logging all httpd activity and grepping for user logging patterns, which doesn't seem to be easy or pretty...
Cheers,
Jun

A year later I find that it was in fact possible to log from views (or lists or any Javascript Design Doc functions) using the log() function: http://docs.couchdb.org/en/1.6.1/query-server/javascript.html#log
log(message)
Log a message to the CouchDB log (at the INFO level).
Arguments:
message – Message to be logged
function(doc){
log('Procesing doc ' + doc['_id']);
emit(doc['_id'], null);
}
After the map function has run, the following line can be found in CouchDB logs (e.g. at /var/log/couchdb/couch.log):
[Sat, 03 Nov 2012 17:38:02 GMT] [info] [<0.7543.0>] OS Process #Port<0.3289> Log :: Processing doc 8d300b86622d67953d102165dbe99467
Who would have guessed :)

I'm pretty sure you can't write to couch.log from a view, it's a sandboxed system.
Getting a record of connections to the server is possible though. Here's a dump from my couch.log, with an HTTP error in there:
/
[Sat, 13 Sep 2014 08:18:57 GMT] [info] [<0.160.0>] Opening index for db: test idx: _design/ivet sig: "f6b64ef8593e23cac644c13b895b7607"
[Sat, 13 Sep 2014 08:18:57 GMT] [info] [<0.121.0>] 127.0.0.1 - - GET /test/_design/ivet/_view/medicationWHP/foobar?include_docs=true 200
[Sat, 13 Sep 2014 08:18:57 GMT] [info] [<0.121.0>] 127.0.0.1 - - GET /test/_design/ivet/_view/medicationWHP/foobar?include_docs=true 500
[Sat, 13 Sep 2014 08:18:57 GMT] [error] [<0.121.0>] httpd 500 error response:
{"error":"json_encode","reason":"{bad_term,{key,null}}"}
[Sat, 13 Sep 2014 08:19:05 GMT] [info] [<0.36.0>] Apache CouchDB has started on http://127.0.0.1:5984/
You can see it has the VERB PATH CODE format for each line, so you can filter that for whatever you need. (Unauthorized is 401) You can also access the log through /_log. Details on that are here:
http://docs.couchdb.org/en/latest/api/server/common.html#log
To get all that information, you'll need to have the log level set to info. You can do this at the config screen in futon.
To do it server-side, you'd probably need to use node.js or something like that. Just have it consume the /_log endpoint, and filter each line by the HTTP response code.

CrmSvcUtil.exe throwing a 401 unauthorized error

I have a crm 2011 instance running on a box that is joined to a domain.
I'm trying to run crmsvcutil from outside the domain using the following.
CrmSvcUtil.exe /out:Xrm.cs /url:http://crm.mydomain.com/MSCRMDEV/XRMServices/2011/OrganizationData.svc/ /domain:MYDOMAIN /u:mydomain\username /p:mypassword /namespace:Xrm /serviceContextName:XrmServiceContext
This generates the following error
CrmSvcUtil.exe Error: 0 : Exiting program with exit code 2 due to exception : System.InvalidOperationException: Metadata contains a reference that cannot be resolved: 'http://crm.mydomain.com/XRMServices/2011/OrganizationData.svc/?wsdl'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
--- End of inner exception stack trace ---
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.ResolveNext(ResolveCallState resolveCallState)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(MetadataRetriever retriever)
at Microsoft.Xrm.Sdk.Client.ServiceMetadataUtility.RetrieveServiceEndpointMetadata(Type contractType, Uri serviceUri, Boolean checkForSecondary)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration1..ctor(Uri serviceUri, Boolean checkForSecondary)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration1..ctor(Uri serviceUri)
at Microsoft.Xrm.Sdk.Client.OrganizationServiceConfiguration.AdjustServiceEndpoint(Uri serviceUri)
at Microsoft.Xrm.Sdk.Client.OrganizationServiceConfiguration..ctor(Uri serviceUri)
at Microsoft.Xrm.Sdk.Client.ServiceConfigurationFactory.CreateConfiguration[TService](Uri serviceUri)
at Microsoft.Crm.Services.Utility.SdkMetadataProviderService.CreateOrganizationServiceEndpoint()
at Microsoft.Crm.Services.Utility.SdkMetadataProviderService.Microsoft.Crm.Services.Utility.IMetadataProviderService.LoadMetadata()
at Microsoft.Crm.Services.Utility.CrmSvcUtil.Run()
at Microsoft.Crm.Services.Utility.CrmSvcUtil.Main(String[] args)
The trace from Fiddler
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Mon, 06 Aug 2012 00:44:07 GMT
Proxy-Support: Session-Based-Authentication
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
The user/pass are that of a domain admin which is also a crm admin. What am I missing?
The interesting thing to note is that the URL in the error message does not contain the ORG name
'http://crm.mydomain.com/XRMServices/2011/OrganizationData.svc' <--- missing the org name here
from IIS logs I see a 401.5 which is "An ISAPI extension or CGI application denied the request":
2012-08-12 16:50:03 192.168.230.201 GET /MYORGNAME/XRMServices/2011/OrganizationData.svc wsdl+OnBeginRequest:08/12/2012-16:50:03.527+LogEntries:0+SqlCalls:0+SqlCallsMs:0+GC:1+OnEndRequest:16:50:03.528 80 - 192.168.230.201 - 401 5 0 3
2012-08-12 16:50:03 192.168.230.201 GET /XRMServices/2011/OrganizationData.svc wsdl+OnBeginRequest:08/12/2012-16:50:03.538+LogEntries:0+SqlCalls:0+SqlCallsMs:0+GC:1+OnEndRequest:16:50:03.538 80 - 192.168.230.201 - 401 5 0 4

I think you can easily solve your problem by following these instructions : http://blog.thinketg.com/blog/ben-klopfer/strongly-typed-code-file-generation-with-crmsvcutilexe-for-crm-2011-ifd-configurations-code
Regards,
Kévin