Bug #22212
Improper user query federation
Status: open
Description
lucasdipentima2@shell:~$ arv user list -c "none" -f '[["uuid", "in", ["tordo-j7d0g-anonymouspublic"]]]'
Error: request failed: https://jutro.arvadosapi.com/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&limit=100&offset=0: 502 Bad Gateway: request failed: https://tordo.arvadosapi.com/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwarded_for=jutro-&include=&limit=100&offset=0: 401 Unauthorized: request failed: https://jutro.arvadosapi.com/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwarded_for=jutro-&limit=100&offset=0: 401 Unauthorized: //railsapi.internal/arvados/v1/users?cluster_id=&count=none&filters=%5B%5B%22uuid%22%2C%22in%22%2C%5B%22tordo-j7d0g-anonymouspublic%22%5D%5D%5D&forwarded_for=jutro-jutro-&include=&limit=100&offset=0: 401 Unauthorized: Not logged in (req-1qhaiyjrrkmx1v1gag97)
lucasdipentima2@shell:~$ arv user list -c "none" -f '[["uuid", "in", ["jutro-j7d0g-anonymouspublic"]]]'
{
 "items":[],
 "kind":"arvados#userList",
 "limit":100,
 "offset":0
}
There are two problems here:
1. The query was sent to tordo, which blindly sent it to jutro (which is the login cluster, and almost all requests to the user endpoint are proxied to the login cluster). jutro saw the "tordo" prefix and decided to federate the query back to tordo. I think this resulted in tordo sending the query back to jutro again but using a salted token that jutro didn't accept. However, it doesn't look like forwarded_for was respected.
2. When federating the ["uuid", "in", [...]] case, it should check the uuid types and discard any uuids that don't match the user uuid pattern.
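A sketch of the two checks the description asks for, added here as an illustration and not taken from the Arvados code base: it drops non-user UUIDs from a ["uuid", "in", [...]] filter before federating, and declines to forward to a cluster that already appears in forwarded_for. It assumes user UUIDs carry the tpzed type infix and that forwarded_for is a "-"-terminated list of cluster IDs, as the values in the report suggest; PlanUserQuery and Plan are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: user UUIDs look like <cluster>-tpzed-<15 chars>.
var userUUID = regexp.MustCompile(`^([0-9a-z]{5})-tpzed-[0-9a-z]{15}$`)

// Plan is a hypothetical result type, not part of Arvados.
type Plan struct {
	ByCluster map[string][]string // home cluster -> UUIDs to look up there
	Discarded []string            // not user UUIDs: never federated
	Looped    []string            // home cluster already handled this request
}

// PlanUserQuery splits the operand of a ["uuid","in",[...]] filter.
// forwardedFor is assumed to be a "-"-terminated list of cluster IDs.
func PlanUserQuery(localID, forwardedFor string, uuids []string) Plan {
	seen := map[string]bool{}
	for _, id := range strings.Split(forwardedFor, "-") {
		if id != "" {
			seen[id] = true
		}
	}
	p := Plan{ByCluster: map[string][]string{}}
	for _, u := range uuids {
		m := userUUID.FindStringSubmatch(u)
		switch {
		case m == nil: // wrong object type or malformed
			p.Discarded = append(p.Discarded, u)
		case m[1] != localID && seen[m[1]]: // forwarding would loop
			p.Looped = append(p.Looped, u)
		default:
			p.ByCluster[m[1]] = append(p.ByCluster[m[1]], u)
		}
	}
	return p
}

func main() {
	// Constructed input: only the first UUID appears in the report.
	p := PlanUserQuery("jutro", "tordo-", []string{
		"tordo-j7d0g-anonymouspublic", "jutro-tpzed-anonymouspublic",
		"tordo-tpzed-anonymouspublic", "zzzzz-tpzed-anonymouspublic"})
	fmt.Printf("%+v\n", p)
}
```

With the UUID from the report, the filter operand is emptied before any remote request is made, so the user endpoint never sees a non-user UUID from another cluster.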
Updated by Peter Amstutz 2 months ago
- Related to Bug #22204: Projects & collections shared with groups causes errors added