Project

General

Profile

Actions

Bug #22212

open

Improper user query federation

Added by Peter Amstutz 2 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
API
Target version:
Story points:
-

Description

lucasdipentima2@shell:~$ arv user list -c "none" -f '[["uuid", "in", ["tordo-j7d0g-anonymouspublic"]]]'
Error: request failed: https://jutro.arvadosapi.com/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22to
rdo-j7d0g-anonymouspublic%22%5D%5D%5D&limit=100&offset=0: 502 Bad Gateway: request failed: https://tordo.arvadosapi.com/arvados/v1/users?c
luster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwarded_for=jutro-&include=&li
mit=100&offset=0: 401 Unauthorized: request failed: https://jutro.arvadosapi.com/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22
uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwarded_for=jutro-&limit=100&offset=0: 401 Unauthorized: //railsapi.i
nternal/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwar
ded_for=jutro-jutro-&include=&limit=100&offset=0: 401 Unauthorized: Not logged in (req-1qhaiyjrrkmx1v1gag97)
lucasdipentima2@shell:~$ arv user list -c "none" -f '[["uuid", "in", ["jutro-j7d0g-anonymouspublic"]]]'                                   
{
 "items":[],
 "kind":"arvados#userList",
 "limit":100,
 "offset":0
}

There's two problems here:

1. The query was sent to tordo, who blindly sent it to jutro (which is the login cluster, and almost all requests to the user endpoint are proxied to the login cluster). jutro saw the "tordo" prefix and decided to federate the query back to tordo. I think this resulted in tordo sending the query back to jutro again but using a salted token that jutro didn't accept. However it doesn't look like forwarded_for was respected.

2. When federating the ["uuid", "in", [...]] case, it should check the uuid types and discard any uuids that don't match the user uuid pattern.


Related issues 1 (0 open1 closed)

Related to Arvados - Bug #22204: Projects & collections shared with groups causes errorsResolvedPeter AmstutzActions
Actions #1

Updated by Peter Amstutz 2 months ago

  • Description updated (diff)
Actions #2

Updated by Peter Amstutz 2 months ago

  • Related to Bug #22204: Projects & collections shared with groups causes errors added
Actions

Also available in: Atom PDF