trafficcontrol
/jobs Tenancy check erroneously fails
This Bug Report affects these Traffic Control components:
- Traffic Ops
Current behavior:
When a user in the root Tenant (possibly any Tenant, untested) attempts to create a new "Job" via a POST request to /jobs (APIv4.0 verified), the endpoint responds with a 404 Not Found response with an accompanying error-level Alert saying that the user was denied access on the basis of Tenancy.
Expected behavior:
Rejecting a request due to insufficient permissions should be a 403 Forbidden response, not 404 Not Found. Also, Tenancy checks should work.
It's possible, though, that the Tenancy check isn't actually failing, and the error message is just incorrect due to copypasta. Further research needs to be done.
Steps to reproduce:
Request (done in developer environment)
Note that both the user and the "dev" Delivery Service are in the root Tenant.
POST /api/4.0/jobs HTTP/1.1
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: ...
Content-Length: 125

{"deliveryService": "dev", "invalidationType": "REFRESH", "regex": "/.*", "startTime": "2022-12-14T00:00:00Z", "ttlHours": 5}
(replace the startTime date with whatever "tomorrow" is when you're reading this)
Response
HTTP/1.1 404 Not Found
Content-Encoding: gzip
Content-Type: application/json
Permissions-Policy: interest-cohort=()
Set-Cookie: ...
Vary: Accept-Encoding
Whole-Content-Sha512: ...
X-Server-Name: traffic_ops_golang/
Date: Tue, 13 Dec 2022 21:16:02 GMT
Content-Length: 97

{
    "alerts": [
        {
            "text": "failed to authorize based on tenancy",
            "level": "error"
        }
    ]
}
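The expected behavior above, sketched as an added example (not Traffic Ops code): a tenancy check that keeps "resource does not exist" (404) separate from "caller's Tenant may not use it" (403). The names `parentOf`, `dsTenant`, `tenantCanAccess` and `jobStatus` are hypothetical, the sample data is constructed, and the model assumes a Tenant may act on resources owned by itself or its descendants.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed sample hierarchy (not Traffic Ops' schema): tenant -> parent tenant.
var parentOf = map[string]string{"root": "", "ops": "root", "cdn-a": "ops", "cdn-b": "root"}

// Constructed sample data: Delivery Service name -> owning tenant.
var dsTenant = map[string]string{"dev": "root", "video": "cdn-a"}

// tenantCanAccess reports whether userTenant is resourceTenant or one of its
// ancestors. The hop limit stops the walk if the hierarchy contains a cycle.
func tenantCanAccess(userTenant, resourceTenant string) bool {
	for t, hops := resourceTenant, 0; t != "" && hops <= len(parentOf); t, hops = parentOf[t], hops+1 {
		if t == userTenant {
			return true
		}
	}
	return false
}

// jobStatus returns the status a job-creation request should receive.
// 200 stands in for success; the page does not state the success code.
func jobStatus(userTenant, ds string) int {
	owner, ok := dsTenant[ds]
	if !ok {
		return http.StatusNotFound // the Delivery Service really is missing
	}
	if !tenantCanAccess(userTenant, owner) {
		return http.StatusForbidden // it exists, but the caller's Tenant may not use it
	}
	return http.StatusOK
}

func main() {
	// Constructed cases: root user on "dev", sibling tenant on "video", unknown DS.
	for _, c := range [][2]string{{"root", "dev"}, {"cdn-b", "video"}, {"root", "nope"}} {
		fmt.Println(c[0], c[1], jobStatus(c[0], c[1]))
	}
}
```

The first case mirrors the request in this report: a root-Tenant user acting on a root-Tenant Delivery Service passes the check.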