Bug #15936

[keep-web] document single-origin collections behavior

Added by Peter Amstutz 7 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Story points:
-
Release relationship:
Auto

Description

Workbench2 is making a PROPFIND request which is failing, here's the keep-web log:

{
  "RequestID": "req-z655yiv6e6hz5wx8ey5s",
  "level": "info",
  "msg": "response",
  "remoteAddr": "127.0.0.1:36912",
  "reqBytes": 0,
  "reqForwardedFor": "108.7.59.164",
  "reqHost": "collections.ce8i5.arvadosapi.com",
  "reqMethod": "PROPFIND",
  "reqPath": "c=ce8i5-4zz18-tnb40vgk9em05h4",
  "reqQuery": "",
  "respBody": "",
  "respBytes": 0,
  "respStatus": "Not Found",
  "respStatusCode": 404,
  "time": "2019-12-16T20:49:20.099508402Z",
  "timeToStatus": 0.013435,
  "timeTotal": 0.01344,
  "timeWriteBody": 5e-06
}

Associated revisions

Revision 2d7d3f55
Added by Peter Amstutz 7 months ago

Merge branch '15936-use-webdavdownload' refs #15936

Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <>

History

#1 Updated by Peter Amstutz 7 months ago

  • Status changed from New to In Progress

#2 Updated by Peter Amstutz 7 months ago

  • Target version changed from 2020-01-02 Sprint to 2020-01-15 Sprint

#3 Updated by Peter Amstutz 7 months ago

  • Status changed from In Progress to New
  • Description updated (diff)

#4 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#5 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#6 Updated by Peter Amstutz 7 months ago

  • Description updated (diff)

#7 Updated by Tom Clegg 7 months ago

Is ce8i5-4zz18-tnb40vgk9em05h4 readable using the same token? I'm not sure what behavior you were expecting here...

#8 Updated by Peter Amstutz 7 months ago

Tom Clegg wrote:

Is ce8i5-4zz18-tnb40vgk9em05h4 readable using the same token? I'm not sure what behavior you were expecting here...

Yes, it is readable by that token.

I was expecting successful PROPFIND response, or an error being logged to explain what aspect of the configuration is preventing it from returning a response.

This works:

curl -v -X PROPFIND https://collections.ce8i5.arvadosapi.com/c=ce8i5-4zz18-tnb40vgk9em05h4/t=zzzzzzzzzzzzzzzzzzzzzzzzzzzzz

This doesn't work:

curl -v -H "Authorization: Bearer zzzzzzzzzzzzzzzzzzzzzzzzzzzzz" -X PROPFIND https://collections.ce8i5.arvadosapi.com/c=ce8i5-4zz18-tnb40vgk9em05h4

This works:

curl -v -H "Authorization: Bearer zzzzzzzzzzzzzzzzzzzzzzzzzzzzz" -X PROPFIND https://download.ce8i5.arvadosapi.com/c=ce8i5-4zz18-tnb40vgk9em05h4

Since these are different virtual hosts of the same keep-web instance, this seems related to the security policies of WebDAV vs WebDAVDownload endpoints.

This is with the following services configuration:

      WebDAV:
        ExternalURL: https://collections.ce8i5.arvadosapi.com/
        InternalURLs:
          "http://localhost:9002": {}
      WebDAVDownload:
        ExternalURL: https://download.ce8i5.arvadosapi.com

#9 Updated by Tom Clegg 7 months ago

The docs say "if you don't have a wildcard DNS entry, then just use https://collections.* and https://download.* as WebDAV and WebDAVDownload URLs; keep-web will treat both as downloads."

In reality, with this config, keep-web doesn't force a download -- it just ignores your credentials (so it only serves anonymously-accessible content) at https://collections.*. This seems like a useful behavior so I'm thinking we should fix the documentation to match the behavior (and make WB2 aware of it), rather than change the behavior to match the docs. Or, a third "inline content, but no auth" endpoint might be better -- that way the config you have now could be flagged as an error, which would be much more sysadmin-friendly.

If you don't configure a WebDAV (non-download) URL at all, Workbench1 does the right thing: it always links to the WebDAVDownload URL, and indicates to the user that preview isn't possible.

I think you get the behavior described in the docs ("everything is a download") if you use the same ExternalURL for both WebDAV and WebDAVDownload, although a WB1 user might be surprised that both "preview" and "download" links result in a download.

IDK whether WB2 tries to predict whether preview is possible.

#10 Updated by Peter Amstutz 7 months ago

  • Target version changed from 2020-01-15 Sprint to 2020-01-02 Sprint
  • Status changed from New to In Progress
  • Subject changed from keep-web PROPFIND 404 to [keep-web] document single-origin collections behavior

#11 Updated by Peter Amstutz 7 months ago

  • Assigned To set to Peter Amstutz
  • Subject changed from [keep-web] document single-origin collections behavior to [keep-web] document single-origin collections behavior

#12 Updated by Peter Amstutz 6 months ago

  • Status changed from In Progress to Resolved

#13 Updated by Peter Amstutz 5 months ago

  • Release set to 22

Also available in: Atom PDF