Project

General

Profile

Actions

Bug #16923

closed

workbench getting token with untrusted client

Added by Peter Amstutz about 4 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

Trying to share a collection as an ordinary user, but I see (on the view collection page, in wb1):

Sharing and permissions
Your API token is not authorized to manage collection sharing links.

1. Why? I see a request like this in the api server logs when loading https://workbench.tordo.arvadosapi.com/collections/tordo-4zz18-aam8gchmw53n426:

[req-7rl47pzbw1vscbqsdcj1] Error 1601328087+69320957: 403
{"method":"GET","path":"/arvados/v1/api_client_authorizations","format":"json","controller":"Arvados::V1::ApiClientAuthorizationsController","action":"index","status":403,"duration":5.63,"view":0.3,"db":1.75,"request_id":"req-7rl47pzbw1vscbqsdcj1","client_ipaddr":"10.253.0.41","client_auth":"ce8i5-gj3su-sqfolnetlyfrzpr","params":{"reader_tokens":"[\"v2/STRIPPED/STRIPPED\"]","_method":"GET","filters":"[[\"scopes\",\"=\",[\"GET /arvados/v1/collections/tordo-4zz18-aam8gchmw53n426\",\"GET /arvados/v1/collections/tordo-4zz18-aam8gchmw53n426/\",\"GET /arvados/v1/keep_services/accessible\"]]]","limit":"9223372036854775807","offset":"0"},"@timestamp":"2020-09-28T21:21:27.270244973Z","@version":"1","message":"[403] GET /arvados/v1/api_client_authorizations (Arvados::V1::ApiClientAuthorizationsController#index)"}

and in the controller logs:

Sep 28 22:06:25 tordo.arvadosapi.com arvados-controller[5343]: {"PID":5343,"RequestID":"req-6pwv2sl9s7y8ujz85v36","level":"info","msg":"response","remoteAddr":"127.0.0.1:35598","reqBytes":123,"reqForwardedFor":"10.253.0.41","reqHost":"tordo.arvadosapi.com","reqMethod":"POST","reqPath":"arvados/v1/collections/tordo-4zz18-aam8gchmw53n426","reqQuery":"","respBody":"{\"errors\":[\"request failed: http://localhost:8004/arvados/v1/collections/tordo-4zz18-aam8gchmw53n426?reader_tokens=%5B%22v2%2FSTRIPPED%2FSTRIPPED%22%5D: 404 Not Found: Path not found (req-6pwv2sl9s7y8ujz85v36)\"]}\n","respBytes":274,"respStatus":"Not Found","respStatusCode":404,"time":"2020-09-28T22:06:25.148905629Z","timeToStatus":0.012382,"timeTotal":0.012397,"timeWriteBody":0.000014}

2. Sharing appears to be undocumented, if this is a config issue, we need to document that better


Subtasks 1 (0 open1 closed)

Task #16938: Review 16923-auth-api-clientResolvedWard Vandewege10/01/2020Actions

Related issues

Related to Arvados - Feature #16919: [doc] [federation] Document the two types of federation betterResolvedPeter AmstutzActions
Actions #1

Updated by Peter Amstutz about 4 years ago

  • Subject changed from Cannot make sharing links when is to Cannot make sharing links when client is not trusted
Actions #2

Updated by Peter Amstutz about 4 years ago

  • Description updated (diff)
Actions #3

Updated by Peter Amstutz about 4 years ago

I have discovered two issues.

  1. In the LoginCluster configuration, a user goes to tordo, is redirected to ce8i5 for login, with return_to set to tordo workbench. This means the token is associated with the tordo workbench api_client, not ce8i5. So the default behavior of trusting a cluster's workbench doesn't apply (it knows to trust ce8i5, but not tordo).
  2. In arvbox, it uses the "test" login method, which uses the username/password authorization method. This method doesn't have a return_to, it provides a fake return_to called "https://none.invalid". This means when using test, pam, or LDAP authentication, it gets the "none.invalid" api_client, which is not trusted (unless explicitly configured).

For issue 1, this is actually working as intended. I think the only solution is to fix the configuration and documentation.

For issue 2, the url in createAPIClientAuthorization should be trusted by default, and tweak the bogus URL to indicate what is going on.

Actions #4

Updated by Peter Amstutz about 4 years ago

  • Subject changed from Cannot make sharing links when client is not trusted to workbench getting token with untrusted client
Actions #5

Updated by Peter Amstutz about 4 years ago

  • Assigned To set to Peter Amstutz
  • Status changed from New to In Progress
Actions #6

Updated by Peter Amstutz about 4 years ago

  • Related to Feature #16919: [doc] [federation] Document the two types of federation better added
Actions #8

Updated by Peter Amstutz about 4 years ago

Whoops, messed that last one up. Updated:

16923-auth-api-client arvados|7301e68e41869fd5931ef0b0f80890aa1220938d

developer-run-tests: #2128

Actions #9

Updated by Ward Vandewege about 4 years ago

Peter Amstutz wrote:

16923-auth-api-client @ arvados|0dc94486b18b8797d3970eb9a982a7c9de3ada88

developer-run-tests: #2126

  • In Arvados_arch.svg, the lines between 'cli tools' and 'workbench' on to the 4 boxes on the next line are confusing; cli tools can also connect to arv-ws and git, and workbench definitely talks to keep-web. Can we somehow indicate that the cli tools and workbench talk to all four boxes?
  • missing 'and Workbench2' between 'Workbench1' and 'are trusted' in the comment in the config reference:
+      # When the token is returned to a client, the token itself may
+      # be restricted from manipulating other tokens based on whether
+      # the client is "trusted" or not.  The local Workbench1 are
+      # trusted by default, but if this is a LoginCluster, you
+      # probably want to include the Workbench instances in the
+      # federation in this list.

Otherwise, LGMT, thanks!

Actions #10

Updated by Peter Amstutz about 4 years ago

  • Status changed from In Progress to Resolved
Actions #11

Updated by Peter Amstutz about 4 years ago

  • Release set to 25
Actions

Also available in: Atom PDF