Bug #3391
open
[Workbench] Can see job information but cannot access output collection
Added by Abram Connelly over 10 years ago.
Updated over 3 years ago.
Description
I am not the owner of the job, but I can see job qr1hi-8i9sb-agcnphf8im1aegp from the jobs page. When trying to access the log information, I get a fiddlesticks error message:
API request URL
https://qr1hi.arvadosapi.com/arvados/v1/collections/4c1a8038ae7fcb167c8274855dd7e7e6+89
API response
{
  ":errors":[
    "Path not found"
  ],
  ":error_token":"1406571185+5104d817"
}
The problem here is that having access to read a Job record doesn't mean you can read the collection containing the job log. Either the log collection needs to be automatically owned by the same project as the job (so that being able to read the project, which grants the ability to read the job, also grants the ability to read the job) or permission to read the collection needs to be implicit through the job record "log" field of the collection (possibly a security risk if the log field isn't properly protected by the API server from malicious updating to otherwise unowned collections).
Fix by making the "show log" link non-clickable (and look non-clickable) when the log page is unreadable.
(It is desirable to support cases where a readable object has a reference to an unreadable object. The solution is to make it possible for the non-reading user to understand what's happening, and for a user who controls the sharing to anticipate when other users will get into this situation, and correct it if they choose to.)
- Subject changed from Can see job information but cannot access output collection to [Workbench] Can see job information but cannot access output collection
- Category set to Workbench
- Target version set to Arvados Future Sprints
- Target version deleted (Arvados Future Sprints)
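The situation described in this report, as an added example in Ruby that is not part of the original issue and not Arvados code: a toy permission model in which a job is readable but its log collection is not, the link state the proposed fix would render, and one possible guard on the "log" field. All class names, method names and identifiers are hypothetical, and the guard rule is an assumption about what protecting the field would mean.

```ruby
# Added illustration: a toy in-memory permission model, not Arvados code.
# All names and identifiers below are hypothetical / constructed.
require 'set'

Collection = Struct.new(:uuid, :owner_uuid)
Job        = Struct.new(:uuid, :owner_uuid, :log)

class ToyPermissions
  def initialize
    @readers = Hash.new { |h, k| h[k] = Set.new } # project uuid => user uuids
  end

  def share(project_uuid, user_uuid)
    @readers[project_uuid] << user_uuid
  end

  # Readable if the user owns the object or can read its owning project.
  def can_read?(user_uuid, obj)
    obj.owner_uuid == user_uuid || @readers[obj.owner_uuid].include?(user_uuid)
  end
end

# UI decision from the report: a clickable link only when the referenced log
# collection is readable by the viewer; otherwise render it disabled.
def log_link_state(perms, viewer, job, collections)
  log = collections[job.log]
  log && perms.can_read?(viewer, log) ? :link : :disabled
end

# Guard for the "implicit permission through job.log" option (assumed rule):
# a writer may only point log at a collection they can already read, so the
# field cannot be used to expose someone else's collection.
def set_job_log(perms, writer, job, collection)
  raise ArgumentError, "#{writer} cannot read #{collection.uuid}" unless perms.can_read?(writer, collection)
  job.log = collection.uuid
end

def demo
  perms = ToyPermissions.new
  perms.share('project-shared', 'user-viewer')
  log   = Collection.new('coll-log', 'user-runner')      # owned by the job runner
  job   = Job.new('job-1', 'project-shared', 'coll-log') # job is in the shared project
  colls = { log.uuid => log }
  before = log_link_state(perms, 'user-viewer', job, colls)
  log.owner_uuid = 'project-shared'                      # log moved under the job's project
  after = log_link_state(perms, 'user-viewer', job, colls)
  [perms.can_read?('user-viewer', job), before, after]
end
```

`demo` returns whether the viewer can read the job, then the link state before and after the log collection is owned by the job's project.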