Bug #15934

Can't create container request using SystemRootToken

Added by Peter Amstutz 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Start date:
01/02/2020
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

arvados-controller log:

{
  "PID": 130281,
  "RequestID": "req-1x0msubb95ljl1hl19ua",
  "level": "info",
  "msg": "response",
  "remoteAddr": "127.0.0.1:59748",
  "reqBytes": 452,
  "reqForwardedFor": "108.7.59.164",
  "reqHost": "ce8i5.arvadosapi.com",
  "reqMethod": "POST",
  "reqPath": "arvados/v1/container_requests",
  "reqQuery": "_profile=true&cluster_id=&container_request_given=true&ensure_unique_name=false&help=false",
  "respBody": "{\"errors\":[\"sql: no rows in result set\"]}\n",
  "respBytes": 42,
  "respStatus": "Forbidden",
  "respStatusCode": 403,
  "time": "2019-12-16T18:50:09.918600965Z",
  "timeToStatus": 0.001203,
  "timeTotal": 0.001214,
  "timeWriteBody": 1.1e-05
}

I'm using the SystemRootToken. I can create a container request with a regular token.


Subtasks

Task #15979: Review 15934-bad-token-error-messageResolvedPeter Amstutz

Associated revisions

Revision 7db3857d
Added by Tom Clegg 6 months ago

Merge branch '15934-bad-token-error-message'

fixes #15934

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

History

#1 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#2 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#3 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#4 Updated by Tom Clegg 7 months ago

SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.

A better error message would be good, though.

#5 Updated by Peter Amstutz 7 months ago

Tom Clegg wrote:

SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.

A better error message would be good, though.

Yes, but it isn't being denied on purpose, it's a bug, I suspect it is a side effect of the SystemRootToken not being a "real" token in the database. This could just as easily fail on something that's a "legitimate" use of SystemRootToken.

#6 Updated by Peter Amstutz 7 months ago

  • Subject changed from Can't create container request to Can't create container request using SystemRootToken

#7 Updated by Peter Amstutz 7 months ago

  • Assigned To set to Tom Clegg

#8 Updated by Peter Amstutz 7 months ago

  • Category set to API

#9 Updated by Tom Clegg 7 months ago

  • Status changed from New to In Progress

Turns out this error message was returned by the "create container request" endpoint for any invalid token.

With this fix:
  • return an "invalid API token" message instead of "no rows in result set"
  • return 500 (not 403) if there is a problem validating the token (database not connected, etc.)

15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- https://ci.arvados.org/view/Developer/job/developer-run-tests/1702/

#10 Updated by Peter Amstutz 6 months ago

Tom Clegg wrote:

Turns out this error message was returned by the "create container request" endpoint for any invalid token.

With this fix:
  • return an "invalid API token" message instead of "no rows in result set"
  • return 500 (not 403) if there is a problem validating the token (database not connected, etc.)

15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- https://ci.arvados.org/view/Developer/job/developer-run-tests/1702/

LGTM.

#11 Updated by Anonymous 6 months ago

  • Status changed from In Progress to Resolved

#12 Updated by Peter Amstutz 6 months ago

  • Release set to 22

Also available in: Atom PDF