Bug #15934
closed
Can't create container request using SystemRootToken
Description
arvados-controller log:
{
"PID": 130281,
"RequestID": "req-1x0msubb95ljl1hl19ua",
"level": "info",
"msg": "response",
"remoteAddr": "127.0.0.1:59748",
"reqBytes": 452,
"reqForwardedFor": "108.7.59.164",
"reqHost": "ce8i5.arvadosapi.com",
"reqMethod": "POST",
"reqPath": "arvados/v1/container_requests",
"reqQuery": "_profile=true&cluster_id=&container_request_given=true&ensure_unique_name=false&help=false",
"respBody": "{\"errors\":[\"sql: no rows in result set\"]}\n",
"respBytes": 42,
"respStatus": "Forbidden",
"respStatusCode": 403,
"time": "2019-12-16T18:50:09.918600965Z",
"timeToStatus": 0.001203,
"timeTotal": 0.001214,
"timeWriteBody": 1.1e-05
}
I'm using the SystemRootToken. I can create a container request with a regular token.
Updated by Tom Clegg over 4 years ago
SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.
A better error message would be good, though.
Updated by Peter Amstutz over 4 years ago
Tom Clegg wrote:
SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.
A better error message would be good, though.
Yes, but it isn't being denied on purpose, it's a bug, I suspect it is a side effect of the SystemRootToken not being a "real" token in the database. This could just as easily fail on something that's a "legitimate" use of SystemRootToken.
Updated by Peter Amstutz over 4 years ago
- Subject changed from Can't create container request to Can't create container request using SystemRootToken
Updated by Tom Clegg over 4 years ago
- Status changed from New to In Progress
Turns out this error message was returned by the "create container request" endpoint for any invalid token.
With this fix:- return an "invalid API token" message instead of "no rows in result set"
- return 500 (not 403) if there is a problem validating the token (database not connected, etc.)
15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702
Updated by Peter Amstutz over 4 years ago
Tom Clegg wrote:
Turns out this error message was returned by the "create container request" endpoint for any invalid token.
With this fix:
- return an "invalid API token" message instead of "no rows in result set"
- return 500 (not 403) if there is a problem validating the token (database not connected, etc.)
15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702
LGTM.
Updated by Anonymous over 4 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|7db3857d78a099108c3204c25294a5aec1f3a3bc.