Bug #18936

Updated by Ward Vandewege about 2 years ago

Workbench 1 appends the anonymous user token in a "reader token" to each GET request to make sure that content shared with the anonymous user is available to authenticated users, even if not shared explicitly with them.

Controller just appends any reader tokens received to the token list for the request.

API uses reader_tokens for GET requests in (services/api/app/controllers/application_controller.rb).

But it also does something else; in services/api/app/middlewares/arvados_api_token.rb it seems that if the primary session token is not valid, the first working reader token is used instead.

Workbench 2 does not use reader_tokens (which means authenticated users cannot access data only shared with the anonymous user!).

Nothing else in our codebase appears to use reader_tokens.

Our documentation does not mention reader_tokens.

It would be simpler to automatically consider the anonymous token (IF it is not blank in the configuration file, which indicates the cluster should not allow for anonymous data access, ever) for all read requests in the token validation code, in addition to any token supplied. The anonymous token has a predictable UUID, so there is no reason to pass it around.

This also means we can remove the controller and API code that handles reader_tokens. Maybe log a warning if a reader token is used (though, as long as WB1 is around, that's going to generate a lot of noise in the logs)?
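
A sketch of the validation rule proposed above, added here as an illustration and not taken from the Arvados code base: the configured anonymous token is considered on GET requests alongside the supplied token, and reader tokens are ignored with a warning. The token table, the function name and the choice to reject an invalid supplied token are assumptions of this sketch.

```ruby
# Added sketch; every name here is hypothetical and none of it is Arvados code.
# TOKENS is a constructed stand-in for the real token lookup: secret => user.
TOKENS = {
  'alice-token' => 'alice',
  'anon-token'  => 'anonymous'
}.freeze

# Returns { users: [...], warnings: [...] }, or nil when the request is rejected.
# users lists the identities whose read permissions apply to the request.
#   anonymous_token: value from the cluster config; nil or blank means the
#                    cluster never allows anonymous data access.
#   reader_tokens:   still sent by Workbench 1; ignored here, only reported.
def identities_for(http_method, supplied_token, anonymous_token, reader_tokens = [])
  warnings = []
  warnings << "ignored #{reader_tokens.size} reader token(s)" unless reader_tokens.empty?

  users = []
  unless supplied_token.nil?
    user = TOKENS[supplied_token]
    # Assumption of this sketch: a supplied token that fails validation
    # rejects the request instead of falling back to another token.
    return nil if user.nil?
    users << user
  end

  # The anonymous identity is added only for reads, and only when configured.
  anon_configured = !anonymous_token.to_s.strip.empty?
  if http_method == 'GET' && anon_configured
    anon_user = TOKENS[anonymous_token]
    users << anon_user if anon_user && !users.include?(anon_user)
  end

  return nil if users.empty?
  { users: users, warnings: warnings }
end
```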
