Bug #17150

Updated by Javier Bértoli over 3 years ago

SystemRootToken accepts only alphanumeric characters or it fails to communicate with the controller. Tests show that: 

 * "changeme_system_root_token_changeme_system": fails 
 * "change" passes 
 * "badtoken00badtoken00badtoken00badtoken00b" passes 
 * "changemeasystemarootatokenachangemeasystechangemeasystemarootatokenachangemeasyste" passes 


 Original report, for reference: 

 "pvanheus in gitter":https://gitter.im/arvados/community?at=5fb54daa74152347c2410c15 mentioned having issues with a fresh install of Arvados using the formula. His original issue (missing @crunch-dispatch-local@'s config file) was solved by adding the file, but it evidenced an issue using the @SystemRootToken@. 

 I could reproduce the issue in a freshly installed Arvados cluster: 

 Relevant section of Arvados' @config.yml@ 
 <pre> 
 Clusters: 
   arva2: 

     SystemRootToken: "changeme_system_root_token" 
     ManagementToken: "changeme_management_token" 
 </pre> 

 h2. Fails 

 Using these parameters: 
 <pre> 
 export ARVADOS_API_HOST=arva2.arv.local:443 
 export ARVADOS_API_HOST_INSECURE=true 
 export ARVADOS_API_TOKEN=changeme_system_root_token 
 </pre> 

 I can't query Arvados 
 <pre> 
 root@arva2:~# curl -q\ 
    --insecure \ 
    -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \ 
   https://$ARVADOS_API_HOST/arvados/v1/collections 
 </pre> 
 I get 
 <pre> 
 {"errors":["Not logged in (req-zdh06tyffy1r1qmipp33)"],"error_token":"1605793145+18c3488a"} 
 </pre> 
 In @/var/www/arvados-api/current/log/production.log@ 
 <pre> 
 {"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":401,"duration":1.18,"view":0.22,"db":0.0,"request_id":"req-zhstydjocopp1ddt7nj7","client_ipaddr":"127.0.0.1","client_auth":null,"params":{},"@timestamp":"2020-11-19T13:41:48.493440858Z","@version":"1","message":"[401] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"} 
 </pre> 
 and in @journalctl -f@ 
 <pre> 
 Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"request","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:41:48.487492882Z"} 
 Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"response","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBody":"{\"errors\":[\"Not logged in (req-zhstydjocopp1ddt7nj7)\"],\"error_token\":\"1605793308+2a226ffd\"}","respBytes":91,"respStatus":"Unauthorized","respStatusCode":401,"time":"2020-11-19T13:41:48.494689236Z","timeToStatus":0.006851,"timeTotal":0.007199,"timeWriteBody":0.000348} 
 </pre> 

 h2. Passes 

 If I change the credentials to the ones I get in Workbench's UI, the query succeeds: 
 <pre> 
 export ARVADOS_API_TOKEN=v2/arva2-gj3su-sxldaz37f8h28un/szqnavhypc5wit9k3xrjhlen3ewj504w3f4heb3qc50c6qh6w 

 root@arva2:~# curl -q\ 
    --insecure \ 
    -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \ 
   https://$ARVADOS_API_HOST/arvados/v1/collections 
 </pre> 
 I get 
 <pre> 
 {"kind":"arvados#collectionList","etag":"","self_link":"","offset":0,"limit":100,"items":[{"href":"/collections/arva2-4zz18-8cykjg5gyxfiv4f","kind":"arvados#collection","etag":"pspmj2vb9voo69q6qy87k7wt","uuid":"arva2-4zz18-8cykjg5gyxfiv4f","owner_uuid":"arva2-tpzed-000000000000000","created_at":"2020-11-19T10:59:40.534588000Z","modified_by_client_uuid":null,"modified_by_user_uuid":"arva2-tpzed-000000000000000","modified_at":"2020-11-19T10:59:40.534969000Z","name":"empty collection","description":null,"properties":{},"portable_data_hash":"d41d8cd98f00b204e9800998ecf8427e+0","replication_desired":null,"replication_confirmed":null,"replication_confirmed_at":null,"storage_classes_desired":["default"],"storage_classes_confirmed":[],"storage_classes_confirmed_at":null,"delete_at":null,"trash_at":null,"is_trashed":false,"version":1,"current_version_uuid":"arva2-4zz18-8cykjg5gyxfiv4f","preserve_version":false,"file_count":0,"file_size_total":0}],"items_available":1} 
 </pre> 
 In @/var/www/arvados-api/current/log/production.log@ 
 <pre> 
 {"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":200,"duration":9.31,"view":0.27,"db":3.5,"request_id":"req-1opkrw7usorjm1cj50q6","client_ipaddr":"127.0.0.1","client_auth":"arva2-gj3su-sxldaz37f8h28un","params":{},"@timestamp":"2020-11-19T13:45:05.088265297Z","@version":"1","message":"[200] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"} 
 </pre> 
 and in @journalctl -f@ 
 <pre> 
 Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"request","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:45:05.068032762Z"} 
 Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"response","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBytes":972,"respStatus":"OK","respStatusCode":200,"time":"2020-11-19T13:45:05.089663139Z","timeToStatus":0.021186,"timeTotal":0.021624,"timeWriteBody":0.000438} 
 </pre>
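
Added example (not part of the original report and not Arvados code): a pre-deployment check that encodes the behaviour observed in the tests above, flagging any @SystemRootToken@ in a @config.yml@ that contains characters other than ASCII letters and digits. The function name, the line-based parsing and the sample config are assumptions made for this illustration; findings report only the line number and the offending characters, so the token itself never reaches the output.

```python
import re

# Rule taken from this report's tests: tokens made only of ASCII letters and
# digits worked, while the ones containing "_" were rejected with a 401.
ALNUM = re.compile(r"[A-Za-z0-9]+")

# Matches lines such as:   SystemRootToken: "changeme_system_root_token"
# Assumption: the value is a plain or quoted scalar on a single line, as in
# the config excerpt quoted in the report.
TOKEN_LINE = re.compile(
    r"""^\s*SystemRootToken:\s*(["']?)(.*?)\1\s*(?:#.*)?$"""
)

# Constructed sample, modelled on the config excerpt in the report.
SAMPLE_CONFIG = """\
Clusters:
  arva2:
    SystemRootToken: "changeme_system_root_token"
    ManagementToken: "changeme_management_token"
"""


def check_system_root_tokens(config_text):
    """Return [(line_number, [offending characters])] for suspect tokens.

    The token value is deliberately left out of the findings so that the
    check can run in CI logs without leaking the secret.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = TOKEN_LINE.match(line)
        if not match:
            continue
        token = match.group(2)
        if ALNUM.fullmatch(token):
            continue
        # Collect each distinct non-alphanumeric character once.
        bad = sorted(set(re.sub(r"[A-Za-z0-9]", "", token))) or ["<empty>"]
        findings.append((lineno, bad))
    return findings


if __name__ == "__main__":
    for lineno, bad in check_system_root_tokens(SAMPLE_CONFIG):
        print(f"line {lineno}: SystemRootToken contains {bad}")
```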