Bug #17150

closed

SystemRootToken with non-alphanumeric characters silently fails

Added by Javier Bértoli about 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Tests
Target version:
Start date: 11/24/2020
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

SystemRootToken accepts only alphanumeric characters or it fails to communicate with the controller. Tests show that:

  • "changeme_system_root_token_changeme_system": fails
  • "change": passes
  • "badtoken00badtoken00badtoken00badtoken00b": passes
  • "changemeasystemarootatokenachangemeasystechangemeasystemarootatokenachangemeasyste": passes

Original report, for reference:

pvanheus in gitter mentioned having issues with a fresh install of Arvados using the formula. His original issue (missing crunch-dispatch-local's config file) was solved by adding the file, but it evidenced an issue using the SystemRootToken.

I could reproduce the issue in a freshly installed Arvados cluster:

Relevant section of Arvados' config.yml

Clusters:
  arva2:

    SystemRootToken: "changeme_system_root_token" 
    ManagementToken: "changeme_management_token" 

Fails

Using these parameters:

export ARVADOS_API_HOST=arva2.arv.local:443
export ARVADOS_API_HOST_INSECURE=true
export ARVADOS_API_TOKEN=changeme_system_root_token

I can't query Arvados

root@arva2:~# curl -q\
   --insecure \
   -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \
  https://$ARVADOS_API_HOST/arvados/v1/collections

I get
{"errors":["Not logged in (req-zdh06tyffy1r1qmipp33)"],"error_token":"1605793145+18c3488a"}

In /var/www/arvados-api/current/log/production.log
{"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":401,"duration":1.18,"view":0.22,"db":0.0,"request_id":"req-zhstydjocopp1ddt7nj7","client_ipaddr":"127.0.0.1","client_auth":null,"params":{},"@timestamp":"2020-11-19T13:41:48.493440858Z","@version":"1","message":"[401] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"}

and in journalctl -f
Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"request","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:41:48.487492882Z"}
Nov 19 13:41:48 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-zhstydjocopp1ddt7nj7","level":"info","msg":"response","remoteAddr":"127.0.0.1:33138","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBody":"{\"errors\":[\"Not logged in (req-zhstydjocopp1ddt7nj7)\"],\"error_token\":\"1605793308+2a226ffd\"}","respBytes":91,"respStatus":"Unauthorized","respStatusCode":401,"time":"2020-11-19T13:41:48.494689236Z","timeToStatus":0.006851,"timeTotal":0.007199,"timeWriteBody":0.000348}

Passes

If I change the credentials to the ones I get in Workbench's UI, the query succeeds:

export ARVADOS_API_TOKEN=v2/arva2-gj3su-sxldaz37f8h28un/szqnavhypc5wit9k3xrjhlen3ewj504w3f4heb3qc50c6qh6w

root@arva2:~# curl -q\
   --insecure \
   -H "Authorization: OAuth2 $ARVADOS_API_TOKEN" \
  https://$ARVADOS_API_HOST/arvados/v1/collections

I get
{"kind":"arvados#collectionList","etag":"","self_link":"","offset":0,"limit":100,"items":[{"href":"/collections/arva2-4zz18-8cykjg5gyxfiv4f","kind":"arvados#collection","etag":"pspmj2vb9voo69q6qy87k7wt","uuid":"arva2-4zz18-8cykjg5gyxfiv4f","owner_uuid":"arva2-tpzed-000000000000000","created_at":"2020-11-19T10:59:40.534588000Z","modified_by_client_uuid":null,"modified_by_user_uuid":"arva2-tpzed-000000000000000","modified_at":"2020-11-19T10:59:40.534969000Z","name":"empty collection","description":null,"properties":{},"portable_data_hash":"d41d8cd98f00b204e9800998ecf8427e+0","replication_desired":null,"replication_confirmed":null,"replication_confirmed_at":null,"storage_classes_desired":["default"],"storage_classes_confirmed":[],"storage_classes_confirmed_at":null,"delete_at":null,"trash_at":null,"is_trashed":false,"version":1,"current_version_uuid":"arva2-4zz18-8cykjg5gyxfiv4f","preserve_version":false,"file_count":0,"file_size_total":0}],"items_available":1}

In /var/www/arvados-api/current/log/production.log
{"method":"GET","path":"/arvados/v1/collections","format":"*/*","controller":"Arvados::V1::CollectionsController","action":"index","status":200,"duration":9.31,"view":0.27,"db":3.5,"request_id":"req-1opkrw7usorjm1cj50q6","client_ipaddr":"127.0.0.1","client_auth":"arva2-gj3su-sxldaz37f8h28un","params":{},"@timestamp":"2020-11-19T13:45:05.088265297Z","@version":"1","message":"[200] GET /arvados/v1/collections (Arvados::V1::CollectionsController#index)"}

and in journalctl -f
Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"request","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","time":"2020-11-19T13:45:05.068032762Z"}
Nov 19 13:45:05 arva2 arvados-controller[1070]: {"PID":1070,"RequestID":"req-1opkrw7usorjm1cj50q6","level":"info","msg":"response","remoteAddr":"127.0.0.1:33144","reqBytes":0,"reqForwardedFor":"127.0.0.1","reqHost":"arva2.arv.local","reqMethod":"GET","reqPath":"arvados/v1/collections","reqQuery":"","respBytes":972,"respStatus":"OK","respStatusCode":200,"time":"2020-11-19T13:45:05.089663139Z","timeToStatus":0.021186,"timeTotal":0.021624,"timeWriteBody":0.000438}
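
A pre-flight check for the constraint reported above, as an added example that is not part of the original report or of Arvados: it scans a config.yml for SystemRootToken values containing non-alphanumeric characters, so the problem surfaces before the controller answers with a bare 401. The line-based parser, the function names and the second cluster (arva3) in the sample are assumptions made for illustration.

```python
import re

# Constraint reported in this ticket: only alphanumeric tokens authenticate.
NON_ALNUM = re.compile(r"[^A-Za-z0-9]")
KEY_LINE = re.compile(r"^(\s*)([\w-]+):\s*(.*?)\s*$")

# Constructed sample, modelled on the config excerpt in the report.
SAMPLE_CONFIG = '''\
Clusters:
  arva2:
    SystemRootToken: "changeme_system_root_token"
    ManagementToken: "changeme_management_token"
  arva3:
    # constructed second cluster with an alphanumeric token
    SystemRootToken: badtoken00badtoken00badtoken00badtoken00b
'''

def scalar(raw):
    """Strip matching quotes, or a trailing comment from an unquoted value."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw.split(" #", 1)[0].strip()

def bad_chars(token):
    """Sorted distinct characters outside [A-Za-z0-9]."""
    return sorted(set(NON_ALNUM.findall(token)))

def check_root_tokens(config_text):
    """Return [(cluster, line_no, offending chars or 'empty')]; never echoes the token."""
    findings, cluster, cluster_indent, in_clusters = [], None, None, False
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = KEY_LINE.match(line)  # comment lines do not match
        if not m:
            continue
        indent, key, raw = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            in_clusters, cluster_indent = (key == "Clusters"), None
        elif in_clusters and raw == "" and cluster_indent in (None, indent):
            cluster, cluster_indent = key, indent  # a cluster ID under Clusters:
        elif (in_clusters and key == "SystemRootToken"
              and cluster_indent is not None and indent > cluster_indent):
            token = scalar(raw)
            bad = "".join(bad_chars(token))
            if not token or bad:
                findings.append((cluster, line_no, bad or "empty"))
    return findings

if __name__ == "__main__":
    for cluster, line_no, problem in check_root_tokens(SAMPLE_CONFIG):
        print(f"{cluster}: SystemRootToken (line {line_no}) rejected: {problem}")
```

The report lists only the offending characters and the line number, so the secret itself never reaches logs or CI output.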


Subtasks 1 (0 open, 1 closed)

Task #17164: Review 17150-system-root-token (Resolved, Javier Bértoli, 11/24/2020)

Related issues 1 (0 open, 1 closed)

Related to Arvados - Task #17146: [salt][provision] Modify the script to run salt-call in info mode instead of debug mode (Resolved, Javier Bértoli, 11/24/2020)
