Bug #18299

closed

Remote user record cannot be retrieved by admin via federated query (counter-intuitive permission behavior)

Added by Stephen Smith over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assigned To: -
Category: -
Target version: -
Story points: -

Description

This issue is with getting user details of a list of UUIDs, where some of the UUIDs are from other clusters.

Example query:
GET https://ce8i5.arvadosapi.com/arvados/v1/users

count=none
filters=[
  [
    "uuid",
    "in",
    [
      "9tee4-tpzed-oyphd3jt7fhlhsy",
      "ce8i5-tpzed-f7960quf4ivgbxb",
      "ce8i5-tpzed-6oia07y9o4zvtl6" 
    ]
  ]
]

Only the local users are returned. As a result, the groups UI falls back to showing UUIDs.
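
Added example (not part of the original report and not Arvados code): a client-side check that compares the UUIDs requested in the query above against the records that came back, and groups the silently omitted ones by the cluster prefix of the UUID. The function names, the "items" response key and the sample response body are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlencode

# UUID layout as seen in the report: 5-char cluster ID, 5-char type code,
# 15-char identifier.
UUID_RE = re.compile(r"^([0-9a-z]{5})-([0-9a-z]{5})-([0-9a-z]{15})$")


def build_user_query(uuids):
    """Query string for the users list call shown in the report."""
    filters = [["uuid", "in", list(uuids)]]
    return urlencode({"count": "none", "filters": json.dumps(filters)})


def missing_by_cluster(local_cluster, requested, items):
    """Group requested UUIDs that are absent from the response by cluster.

    Returns {"local": [...], "remote": {cluster_id: [...]}}.
    """
    returned = {item["uuid"] for item in items}
    report = {"local": [], "remote": {}}
    for uuid in requested:
        m = UUID_RE.match(uuid)
        if m is None:
            raise ValueError(f"not a well-formed UUID: {uuid!r}")
        if uuid in returned:
            continue
        cluster = m.group(1)
        if cluster == local_cluster:
            report["local"].append(uuid)
        else:
            report["remote"].setdefault(cluster, []).append(uuid)
    return report


# UUIDs from the report; the response body is constructed to mirror the
# described outcome (only the two local users are returned).
REQUESTED = [
    "9tee4-tpzed-oyphd3jt7fhlhsy",
    "ce8i5-tpzed-f7960quf4ivgbxb",
    "ce8i5-tpzed-6oia07y9o4zvtl6",
]
SAMPLE_ITEMS = [{"uuid": u} for u in REQUESTED[1:]]

if __name__ == "__main__":
    print(build_user_query(REQUESTED))
    print(missing_by_cluster("ce8i5", REQUESTED, SAMPLE_ITEMS))
```

A non-empty "remote" entry tells the caller which records were withheld by another cluster, so a UI can label them as unreadable remote users instead of treating them as unknown UUIDs.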

#1

Updated by Tom Clegg over 2 years ago

  • Subject changed from Federated user UUIDs don't return results in list query to Remote user record cannot be retrieved by admin via federated query (counter-intuitive permission behavior)

Looks like the reason the 9tee4 user is not returned is that (according to 9tee4) the 9tee4 user does not have permission to read the requesting ce8i5 user.

The ce8i5 user is an admin, and therefore can see all ce8i5 permission links even when they refer to users/objects on 9tee4 -- but 9tee4-ce8i5 is peer federation so 9tee4 does not respect a ce8i5 user's admin status when doing a federated query to look up those objects.

Confusing, but not a bug per se.

It might be more useful for ce8i5 to (optionally?) return its cached copy of the 9tee4 user record in such cases.

#2

Updated by Stephen Smith over 2 years ago

  • Status changed from New to Resolved