Bug #17150
Updated by Javier Bértoli about 4 years ago
SystemRootToken accepts only alphanumeric characters or it fails to communicate with controller. Tests show that:
* "changeme_system_root_token_changeme_system": fails
* "change" passes
* "badtoken00badtoken00badtoken00badtoken00b" passes
* "changemeasystemarootatokenachangemeasystechangemeasystemarootatokenachangemeasyste" passes
Original report, for reference:
"pvanheus in gitter":https://gitter.im/arvados/community?at=5fb54daa74152347c2410c15 mentioned having issues with a fresh install of Arvados using the formula. His original issue (missing @crunch-dispatch-local@'s config file) was solved by adding the file, but evidenced an issue using the @SystemRootToken@.
I could reproduce the issue in a freshly installed Arvados cluster:
Relevant section of Arvados' @config.yml@
<pre>
Clusters:
  arva2:
    SystemRootToken: "changeme_system_root_token"
    ManagementToken: "changeme_management_token"
</pre>
h2. Fails
Using these parameters:
<pre>
export ARVADOS_API_HOST=arva2.arv.local:443
export ARVADOS_API_HOST_INSECURE=true
export ARVADOS_API_TOKEN=changeme_system_root_token
</pre>
I can't query Arvados
<pre>
root@arva2:~# curl -q \
    --insecure \
    -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \
    https://$ARVADOS_API_HOST/arvados/v1/collections
</pre>
I get
<pre>
{"errors":["Not logged in (req-zdh06tyffy1r1qmipp33)"],"error_token":"1605793145+18c3488a"}
</pre>
In @/var/www/arvados-api/current/log/production.log@
<pre>
{"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":401,"duration":1.18,"view":0.22,"db":0.0,"request_id":"req-zhstydjocopp1ddt7nj7","client_ipaddr":"127.0.0.1","client_auth":null,"params":{},"@timestamp":"2020-11-19T13:41:48.493440858Z","@version":"1","message":"[401] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"}
</pre>
and in @journalctl -f@
<pre>
Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"request","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:41:48.487492882Z"}
Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"response","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBody":"{\"errors\":[\"Not logged in (req-zhstydjocopp1ddt7nj7)\"],\"error_token\":\"1605793308+2a226ffd\"}","respBytes":91,"respStatus":"Unauthorized","respStatusCode":401,"time":"2020-11-19T13:41:48.494689236Z","timeToStatus":0.006851,"timeTotal":0.007199,"timeWriteBody":0.000348}
</pre>
h2. Passes
If I change the credentials to the ones I get in Workbench's UI, the query succeeds:
<pre>
export ARVADOS_API_TOKEN=v2/arva2-gj3su-sxldaz37f8h28un/szqnavhypc5wit9k3xrjhlen3ewj504w3f4heb3qc50c6qh6w
root@arva2:~# curl -q \
    --insecure \
    -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \
    https://$ARVADOS_API_HOST/arvados/v1/collections
</pre>
I get
<pre>
{"kind":"arvados#collectionList","etag":"","self_link":"","offset":0,"limit":100,"items":[{"href":"/collections/arva2-4zz18-8cykjg5gyxfiv4f","kind":"arvados#collection","etag":"pspmj2vb9voo69q6qy87k7wt","uuid":"arva2-4zz18-8cykjg5gyxfiv4f","owner_uuid":"arva2-tpzed-000000000000000","created_at":"2020-11-19T10:59:40.534588000Z","modified_by_client_uuid":null,"modified_by_user_uuid":"arva2-tpzed-000000000000000","modified_at":"2020-11-19T10:59:40.534969000Z","name":"empty collection","description":null,"properties":{},"portable_data_hash":"d41d8cd98f00b204e9800998ecf8427e+0","replication_desired":null,"replication_confirmed":null,"replication_confirmed_at":null,"storage_classes_desired":["default"],"storage_classes_confirmed":[],"storage_classes_confirmed_at":null,"delete_at":null,"trash_at":null,"is_trashed":false,"version":1,"current_version_uuid":"arva2-4zz18-8cykjg5gyxfiv4f","preserve_version":false,"file_count":0,"file_size_total":0}],"items_available":1}
</pre>
In @/var/www/arvados-api/current/log/production.log@
<pre>
{"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":200,"duration":9.31,"view":0.27,"db":3.5,"request_id":"req-1opkrw7usorjm1cj50q6","client_ipaddr":"127.0.0.1","client_auth":"arva2-gj3su-sxldaz37f8h28un","params":{},"@timestamp":"2020-11-19T13:45:05.088265297Z","@version":"1","message":"[200] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"}
</pre>
and in @journalctl -f@
<pre>
Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"request","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:45:05.068032762Z"}
Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"response","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBytes":972,"respStatus":"OK","respStatusCode":200,"time":"2020-11-19T13:45:05.089663139Z","timeToStatus":0.021186,"timeTotal":0.021624,"timeWriteBody":0.000438}
</pre>
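Added example, not part of the original report and not Arvados code: a triage helper that joins @arvados-controller@ journal lines with the API server's @production.log@ on the request ID and lists 401 responses together with the @client_auth@ value the API server logged. The function names are hypothetical, and the sample lines are constructed by shortening the excerpts above.

```python
import json

# Constructed sample lines, shortened from the log excerpts in the report.
JOURNAL = [
    'Nov 19 13:41:48 arva2 arvados-controller[1070]: {"RequestID":"req-zhstydjocopp1ddt7nj7","msg":"request","reqPath":"arvados/v1/collections"}',
    'Nov 19 13:41:48 arva2 arvados-controller[1070]: {"RequestID":"req-zhstydjocopp1ddt7nj7","msg":"response","reqPath":"arvados/v1/collections","respStatusCode":401}',
    'Nov 19 13:45:05 arva2 arvados-controller[1070]: {"RequestID":"req-1opkrw7usorjm1cj50q6","msg":"response","reqPath":"arvados/v1/collections","respStatusCode":200}',
]
PRODUCTION_LOG = [
    '{"path":"/arvados/v1/collections","status":401,"request_id":"req-zhstydjocopp1ddt7nj7","client_auth":null}',
    '{"path":"/arvados/v1/collections","status":200,"request_id":"req-1opkrw7usorjm1cj50q6","client_auth":"arva2-gj3su-sxldaz37f8h28un"}',
]


def parse_json_tail(line):
    """Return the JSON object embedded in a log line, or None if absent or invalid."""
    start = line.find("{")  # skips the syslog prefix on journal lines
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def unauthenticated_requests(journal_lines, api_lines):
    """Join controller 401 responses with API server entries by request ID."""
    api_by_id = {}
    for line in api_lines:
        entry = parse_json_tail(line)
        if entry and "request_id" in entry:
            api_by_id[entry["request_id"]] = entry
    findings = []
    for line in journal_lines:
        entry = parse_json_tail(line)
        if not entry or entry.get("msg") != "response":
            continue
        if entry.get("respStatusCode") != 401:
            continue
        api = api_by_id.get(entry.get("RequestID"))
        findings.append({
            "request_id": entry.get("RequestID"),
            "path": entry.get("reqPath"),
            "seen_by_api": api is not None,  # False: no matching API log entry
            "client_auth": api.get("client_auth") if api else None,
        })
    return findings
```

A finding with @seen_by_api@ true and @client_auth@ empty matches the failing request in this report; the passing request logs an authorization UUID in @client_auth@.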