Bug #15934
closedCan't create container request using SystemRootToken
100%
Description
arvados-controller log:
{ "PID": 130281, "RequestID": "req-1x0msubb95ljl1hl19ua", "level": "info", "msg": "response", "remoteAddr": "127.0.0.1:59748", "reqBytes": 452, "reqForwardedFor": "108.7.59.164", "reqHost": "ce8i5.arvadosapi.com", "reqMethod": "POST", "reqPath": "arvados/v1/container_requests", "reqQuery": "_profile=true&cluster_id=&container_request_given=true&ensure_unique_name=false&help=false", "respBody": "{\"errors\":[\"sql: no rows in result set\"]}\n", "respBytes": 42, "respStatus": "Forbidden", "respStatusCode": 403, "time": "2019-12-16T18:50:09.918600965Z", "timeToStatus": 0.001203, "timeTotal": 0.001214, "timeWriteBody": 1.1e-05 }
I'm using the SystemRootToken. I can create a container request with a regular token.
Updated by Tom Clegg about 5 years ago
SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.
A better error message would be good, though.
Updated by Peter Amstutz about 5 years ago
Tom Clegg wrote:
SystemRootToken is intended to be used by the system -- even an admin user should never be using it with user-level APIs. Since the system never creates its own container requests, this request doesn't need to succeed.
A better error message would be good, though.
Yes, but it isn't being denied on purpose, it's a bug, I suspect it is a side effect of the SystemRootToken not being a "real" token in the database. This could just as easily fail on something that's a "legitimate" use of SystemRootToken.
Updated by Peter Amstutz about 5 years ago
- Subject changed from Can't create container request to Can't create container request using SystemRootToken
Updated by Tom Clegg about 5 years ago
- Status changed from New to In Progress
Turns out this error message was returned by the "create container request" endpoint for any invalid token.
With this fix:- return an "invalid API token" message instead of "no rows in result set"
- return 500 (not 403) if there is a problem validating the token (database not connected, etc.)
15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702
Updated by Peter Amstutz about 5 years ago
Tom Clegg wrote:
Turns out this error message was returned by the "create container request" endpoint for any invalid token.
With this fix:
- return an "invalid API token" message instead of "no rows in result set"
- return 500 (not 403) if there is a problem validating the token (database not connected, etc.)
15934-bad-token-error-message @ ceabb42934ec7c462f9ae03531080a24819dee1a -- developer-run-tests: #1702
LGTM.
Updated by Anonymous about 5 years ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|7db3857d78a099108c3204c25294a5aec1f3a3bc.