Project

General

Profile

Actions

Bug #15934

closed

Can't create container request using SystemRootToken

Added by Peter Amstutz almost 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Start date:
01/02/2020
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

arvados-controller log:

{
  "PID": 130281,
  "RequestID": "req-1x0msubb95ljl1hl19ua",
  "level": "info",
  "msg": "response",
  "remoteAddr": "127.0.0.1:59748",
  "reqBytes": 452,
  "reqForwardedFor": "108.7.59.164",
  "reqHost": "ce8i5.arvadosapi.com",
  "reqMethod": "POST",
  "reqPath": "arvados/v1/container_requests",
  "reqQuery": "_profile=true&cluster_id=&container_request_given=true&ensure_unique_name=false&help=false",
  "respBody": "{\"errors\":[\"sql: no rows in result set\"]}\n",
  "respBytes": 42,
  "respStatus": "Forbidden",
  "respStatusCode": 403,
  "time": "2019-12-16T18:50:09.918600965Z",
  "timeToStatus": 0.001203,
  "timeTotal": 0.001214,
  "timeWriteBody": 1.1e-05
}

I'm using the SystemRootToken. I can create a container request with a regular token.


Subtasks 1 (0 open1 closed)

Task #15979: Review 15934-bad-token-error-messageResolvedPeter Amstutz01/02/2020

Actions
Actions #1

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #2

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #3

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #4

Updated by Tom Clegg almost 3 years ago

SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.

A better error message would be good, though.

Actions #5

Updated by Peter Amstutz almost 3 years ago

Tom Clegg wrote:

SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.

A better error message would be good, though.

Yes, but it isn't being denied on purpose, it's a bug, I suspect it is a side effect of the SystemRootToken not being a "real" token in the database. This could just as easily fail on something that's a "legitimate" use of SystemRootToken.

Actions #6

Updated by Peter Amstutz almost 3 years ago

  • Subject changed from Can't create container request to Can't create container request using SystemRootToken
Actions #7

Updated by Peter Amstutz almost 3 years ago

  • Assigned To set to Tom Clegg
Actions #8

Updated by Peter Amstutz almost 3 years ago

  • Category set to API
Actions #9

Updated by Tom Clegg almost 3 years ago

  • Status changed from New to In Progress

Turns out this error message was returned by the "create container request" endpoint for any invalid token.

With this fix:
  • return an "invalid API token" message instead of "no rows in result set"
  • return 500 (not 403) if there is a problem validating the token (database not connected, etc.)

15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702

Actions #10

Updated by Peter Amstutz almost 3 years ago

Tom Clegg wrote:

Turns out this error message was returned by the "create container request" endpoint for any invalid token.

With this fix:
  • return an "invalid API token" message instead of "no rows in result set"
  • return 500 (not 403) if there is a problem validating the token (database not connected, etc.)

15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702

LGTM.

Actions #11

Updated by Anonymous almost 3 years ago

  • Status changed from In Progress to Resolved
Actions #12

Updated by Peter Amstutz almost 3 years ago

  • Release set to 22
Actions

Also available in: Atom PDF