Bug #15938
open
[API] requesting collections via POST with _method=GET returns one result
Description
While working on #15672, I realized that WB2 when asking for favorite objects uses POST with _method=GET because to overcome some cases when there's a lot of filter data.
When doing this to fetch favorite collections, the result it gets from the API server isn't a resource list but a single (and seemingly random) collection object. The other kinds of objects work fine: links, container requests, etc.
I've been able to get a minimal test case using curl against my local arvbox, removing all the filtering the problem keeps happening:
$ curl 'https://192.168.1.125:8000/arvados/v1/collections' -H 'Authorization: Bearer <arvados_token>' -H 'Content-Type: multipart/form-data' --data-binary $'Content-Disposition: form-data; name="_method"\r\n\r\nGET\r\n'
...which results in:
{"created_at":"2019-12-17T14:04:47.628389607Z","delete_at":null,"etag":"9whksbxjumb7wzsrxn7kygal7","is_trashed":false,"kind":"arvados#collection","manifest_text":"","modified_at":"2019-12-17T14:04:47.628648000Z","modified_by_client_uuid":"xzky2-ozdt8-bz5croxbsshueoi","modified_by_user_uuid":"xzky2-tpzed-x8ebto05d30uwzv","name":"","owner_uuid":"xzky2-tpzed-x8ebto05d30uwzv","portable_data_hash":"d41d8cd98f00b204e9800998ecf8427e+0","properties":{},"replication_confirmed":null,"replication_confirmed_at":null,"replication_desired":null,"storage_classes_confirmed":[],"storage_classes_confirmed_at":"0001-01-01T00:00:00.000000000Z","storage_classes_desired":["default"],"trash_at":null,"unsigned_manifest_text":"","uuid":"xzky2-4zz18-4fv6i2lo4c0r8xv"}
Updated by Lucas Di Pentima over 4 years ago
I've connected to the arvbox instance's shell to repeat the curl command but pointing to the RailsAPI URL directly and it seems that we can rule out the controller, as I'm getting the same kind of answer.
Updated by Lucas Di Pentima over 4 years ago
From chat with Tom: It seems that's a controller issue. The previous curl command wasn't working right, the following works OK when directed to RailsAPI but doesn't when directed to the controller:
$ curl 'https://192.168.1.125:8000/arvados/v1/collections' -H 'Authorization: Bearer <arvados_token>' -X POST --form _method=GET
{"created_at":"2019-12-17T15:05:39.799414569Z","delete_at":null,"etag":"5oczjccml48kmdefga4wwckpi","is_trashed":false,"kind":"arvados#collection","manifest_text":"","modified_at":"2019-12-17T15:05:39.799746000Z","modified_by_client_uuid":"xzky2-ozdt8-bz5croxbsshueoi","modified_by_user_uuid":"xzky2-tpzed-x8ebto05d30uwzv","name":"","owner_uuid":"xzky2-tpzed-x8ebto05d30uwzv","portable_data_hash":"d41d8cd98f00b204e9800998ecf8427e+0","properties":{},"replication_confirmed":null,"replication_confirmed_at":null,"replication_desired":null,"storage_classes_confirmed":[],"storage_classes_confirmed_at":"0001-01-01T00:00:00.000000000Z","storage_classes_desired":["default"],"trash_at":null,"unsigned_manifest_text":"","uuid":"xzky2-4zz18-ycw0esohlc09yqd"}
Updated by Lucas Di Pentima over 4 years ago
The arvbox instance is running from 8eda8735d7a36f3752f1d426cad1fb0002b30cca
Updated by Tom Clegg over 4 years ago
According to https://doc.arvados.org/master/api/requests.html: "As a special case, a POST with the query parameter _method=GET will be treated as a GET request." Setting _method=GET in a form in the request body isn't documented/supported. It seems like RailsAPI accepts it, but controller doesn't. If wb2 is the first client to rely on this (which seems to be the case) I'd prefer to fix wb2 rather than add support in controller.
Updated by Lucas Di Pentima over 4 years ago
I'm fixing WB2 to use POST only when necessary, and testing it with _method=GET on the query string I'm seeing that workflows and groups (and maybe others) behave just like the case of collections with _method=GET passed as form data. OTOH, collections works OK when passing _method=GET on the query string.
Update: Tried both groups and collections directly against RailsAPI passing _method=GET by query string and both behaved incorrectly:
root@4e64c83a032c:/# curl 'http://localhost:8004/arvados/v1/groups?_method=GET' -H 'Authorization: Bearer <arvados_token>' -X POST | jq .
{
"href": "/groups/xzky2-j7d0g-7klhj19sj4ge3vc",
"kind": "arvados#group",
"etag": "dwic0qvb99sggga1hpkpj9uvd",
"uuid": "xzky2-j7d0g-7klhj19sj4ge3vc",
"owner_uuid": "xzky2-tpzed-x8ebto05d30uwzv",
"created_at": "2019-12-17T17:51:29.298287957Z",
...
}
Then, I tried both collections and groups passing _method=GET via form directly to RailsAPI, both behaved correctly:
root@4e64c83a032c:/# curl 'http://localhost:8004/arvados/v1/groups' -H 'Authorization: Bearer <arvados_token>' -X POST --form _method=GET | jq .
{
"kind": "arvados#groupList",
"etag": "",
"self_link": "",
"offset": 0,
"limit": 100,
"items": [
{
"href": "/groups/xzky2-j7d0g-dvervkeoynqhj2i",
"kind": "arvados#group",
"etag": "4t3tgop246205ddlw6b5gljbo",
"uuid": "xzky2-j7d0g-dvervkeoynqhj2i",
"owner_uuid": "xzky2-tpzed-x8ebto05d30uwzv",
"created_at": "2019-12-17T17:53:32.277488000Z",
"modified_by_client_uuid": "xzky2-ozdt8-bz5croxbsshueoi",
"modified_by_user_uuid": "xzky2-tpzed-x8ebto05d30uwzv",
...
}
Updated by