Bug #21907: Uncached permission lookup in keep-web when handling s3 request - Arvados

Actions

Copy link

Bug #21907

open

Uncached permission lookup in keep-web when handling s3 request

Added by Tom Clegg 15 days ago. Updated 13 days ago.

Status:

New

Priority:

Normal

Assigned To:

Brett Smith

Category:

Keep

Target version:

Development 2024-07-03 sprint

Story points:

Release:

Arvados 3.0

Release relationship:

Auto

Description

In arvados:source:services/keep-web/s3.go

        if len(key) == 27 && key[5:12] == "-gj3su-" {
                // Access key is the UUID of an Arvados token, secret                                                                                         
                // key is the secret part.                                                                                                                    
                ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Cluster.SystemRootToken)
                err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/"+key, nil, nil)
                secret = aca.APIToken
        } else {
                // Access key and secret key are both an entire                                                                                               
                // Arvados token or OIDC access token.                                                                                                        
                ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+unescapeKey(key))
                err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/current", nil, nil)
                secret = key
        }