Arvados

Note the linked ticket: is it possible the reason sharing links are broken is because the API token created for the link needs additional scopes? Namely "GET /arvados/v1/users/current" and "GET /arvados/v1/api_client_authorizations/current".

Brett Smith wrote in #note-8:

Note the linked ticket: is it possible the reason sharing links are broken is because the API token created for the link needs additional scopes? Namely "GET /arvados/v1/users/current" and "GET /arvados/v1/api_client_authorizations/current".

That is a very plausible explanation, just need to dig in and confirm it.

Jul 14 16:32:38 keep.pirca.arvadosapi.com keep-web⁴⁸⁰⁸: {"ClusterID":"pirca","PID":4808,"RequestID":"req-870r6vcymxshyedvg06x","level":"info","msg":"request","remoteAddr":"127.0.0.1:47936","reqBytes":0,"reqForwardedFor":"199.125.68.207","reqHost":"pirca-4zz18-8s77zjy4fnd115l.collections.pirca.arvadosapi.com","reqMethod":"GET","reqPath":"t=n58ac2q706i5pmzbmfitow0i0o0yy8v7yxnnsv9f5e2oqkfvl/_/","reqQuery":"","time":"2023-07-14T16:32:38.522752104Z"}

Jul 14 16:32:38 api.pirca.arvadosapi.com arvados-controller¹⁴³⁸⁴: {"ClusterID":"pirca","PID":14384,"RequestID":"req-e72snin9pr2kcyriqjno","level":"info","msg":"response","remoteAddr":"127.0.0.1:50644","reqBytes":0,"reqForwardedFor":"10.254.0.199","reqHost":"pirca.arvadosapi.com","reqMethod":"GET","reqPath":"arvados/v1/config","reqQuery":"","respBytes":13364,"respStatus":"OK","respStatusCode":200,"time":"2023-07-14T16:32:38.550378563Z","timeToStatus":0.003002,"timeTotal":0.003078,"timeWriteBody":0.000076,"tokenUUIDs":["v1 token ending in qkfvl"]}

Jul 14 16:32:38 api.pirca.arvadosapi.com arvados-controller¹⁴³⁸⁴: {"ClusterID":"pirca","PID":14384,"RequestID":"req-snr0pvomgtcl1je0433r","level":"info","msg":"response","remoteAddr":"127.0.0.1:50660","reqBytes":0,"reqForwardedFor":"10.254.0.199","reqHost":"pirca.arvadosapi.com","reqMethod":"GET","reqPath":"arvados/v1/users/current","reqQuery":"","respBody":"{\"errors\":[\"//railsapi.internal/arvados/v1/users/current: 401 Unauthorized: Not logged in (req-snr0pvomgtcl1je0433r)\"]}\n","respBytes":120,"respStatus":"Unauthorized","respStatusCode":401,"time":"2023-07-14T16:32:38.585373080Z","timeToStatus":0.032742,"timeTotal":0.032757,"timeWriteBody":0.000015,"tokenUUIDs":["v1 token ending in qkfvl"]}

Jul 14 16:32:38 keep.pirca.arvadosapi.com keep-web⁴⁸⁰⁸: {"ClusterID":"pirca","PID":4808,"RequestID":"req-870r6vcymxshyedvg06x","level":"info","msg":"response","remoteAddr":"127.0.0.1:47936","reqBytes":0,"reqForwardedFor":"199.125.68.207","reqHost":"pirca-4zz18-8s77zjy4fnd115l.collections.pirca.arvadosapi.com","reqMethod":"GET","reqPath":"t=n58ac2q706i5pmzbmfitow0i0o0yy8v7yxnnsv9f5e2oqkfvl/_/","reqQuery":"","respBody":"Not Found\n","respBytes":10,"respStatus":"Not Found","respStatusCode":404,"time":"2023-07-14T16:32:38.582244489Z","timeToStatus":0.059475,"timeTotal":0.059484,"timeWriteBody":0.000009}

Seems that the API server isn't accepting the token for some reason.

it's exactly the thing documented in #20249

need to decide if #20750 is a blocker or not.

Peter Amstutz wrote in #note-14:

need to decide if #20750 is a blocker or not.

I vote yes, at least for a fix going into a release. There's no indication in the Workbench 2 UI that you're revealing this information, and I can imagine scenarios where it's a very nasty surprise for some user. We should avoid putting ourselves and them in that situation.

If we do the 2nd note from https://dev.arvados.org/issues/20750#note-12 about special-casing api_client_authorizations/current then we don't need to change the token scopes at all, and this ticket can be closed without requiring any code changes.

This will be fixed by #20750 in Arvados 2.7, I am going to close this ticket because the fix won't require any Workbench 2 changes.