Inconsistent get_principal_access result

Question

Inconsistent get_principal_access result

Closed this issue 5 years ago · 4 comments

In the QE environment a user insights-qa has 2 different result sets coming back from a call to get_principal_access when called externally via 3scale and when called internally from a pod. The user is a member of the "Catalog Administrators" group and has a "Catalog Administrator" role.
When doing an external access we get back this ACL
{:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"*"}}]}
This one is missing when being accessed internally from the pod.

To Reproduce
Steps to reproduce the behavior:

Call get_principal_access for insights-qa externally
Call get_principal_access from a pod and pass in x-rh-identity with the following base64 string

"eyJpZGVudGl0eSI6eyJpbnRlcm5hbCI6eyJhdXRoX3RpbWUiOjAsImF1dGhfdHlwZSI6ImJhc2ljLWF1dGgiLCJvcmdfaWQiOiIxMTc4OTc3MiJ9LCJh Y2NvdW50X251bWJlciI6IjYwODk3MTkiLCJ1c2VyIjp7ImZpcnN0X25hbWUiOiJKZWZmIiwibGFzdF9uYW1lIjoiTmVlZGxlIiwiaXNfaW50ZXJuYWwiOmZhbHNlLCJpc19hY3R pdmUiOnRydWUsImxvY2FsZSI6ImVuX1VTIiwiaXNfb3JnX2FkbWluIjp0cnVlLCJ1c2VybmFtZSI6Imluc2lnaHRzLXFhIiwiZW1haWwiOiJqbmVlZGxlK3FhQHJlZGhhdC5jb2 0ifSwidHlwZSI6IlVzZXIifSwiZW50aXRsZW1lbnRzIjp7Imluc2lnaHRzIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwic 21hcnRfbWFuYWdlbWVudCI6eyJpc19lbnRpdGxlZCI6ZmFsc2V9LCJoeWJyaWRfY2xvdWQiOnsiaXNfZW50aXRsZWQiOnRydWV9fX0="

Compare the results and check for catalog:portfolios:write with *
See error

Expected behavior
The result should be same in both internal and external call

Answer 1 · 2019-06-28T15:38:43.000Z

This is the difference list

diff direct.txt from_pod.txt 
1,2d0
< {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"102"}}]}
< {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"104"}}]}
3a2,3
> {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"613"}}]}
> {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"615"}}]}
5,7d4
< {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"265"}}]}
< {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"313"}}]}
< {:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"*"}}]}

Answer 2 · 2019-06-28T18:33:33.000Z

I tried to reproduce this bug but was unable. I compared the results from external 3scale to both a port-forwarded request & a curl from a pod.

curl -X GET   'http://rbac.rbac-qa.svc:8080/api/rbac/v1/access/?application=catalog&limit=200'   -H 'Accept: */*'   -H 'x-rh-identity: eyJpZGVudGl0eSI6eyJpbnRlcm5hbCI6eyJhdXRoX3RpbWUiOjAsImF1dGhfdHlwZSI6ImJhc2ljLWF1dGgiLCJvcmdfaWQiOiIxMTc4OTc3MiJ9LCJh Y2NvdW50X251bWJlciI6IjYwODk3MTkiLCJ1c2VyIjp7ImZpcnN0X25hbWUiOiJKZWZmIiwibGFzdF9uYW1lIjoiTmVlZGxlIiwiaXNfaW50ZXJuYWwiOmZhbHNlLCJpc19hY3R pdmUiOnRydWUsImxvY2FsZSI6ImVuX1VTIiwiaXNfb3JnX2FkbWluIjp0cnVlLCJ1c2VybmFtZSI6Imluc2lnaHRzLXFhIiwiZW1haWwiOiJqbmVlZGxlK3FhQHJlZGhhdC5jb2 0ifSwidHlwZSI6IlVzZXIifSwiZW50aXRsZW1lbnRzIjp7Imluc2lnaHRzIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwic 21hcnRfbWFuYWdlbWVudCI6eyJpc19lbnRpdGxlZCI6ZmFsc2V9LCJoeWJyaWRfY2xvdWQiOnsiaXNfZW50aXRsZWQiOnRydWV9fX0='

All responses returned the same result.

However, when looking at the logs I can see that pagination by increments of 10 were taking place. Since this response is derived data (not just a straight DB look-up) I am wondering if perhaps you may be seeing some subtle ordering issue that needs to be resolved.

Could you check whether you see the discrepancy if you ask with a limit >= the count so you get all access objects with a single request? If you do not see the discrepancy then you could then work-around this in the short-term by increasing the limit. If you do see the discrepancy then please confirm the local cluster service URL your hitting.

Answer 3 · 2019-06-28T20:20:31.000Z

@chambridge I tried with different limits but couldn't re-create the problem. Before I would see this ACL was missing
{:permission=>"catalog:portfolios:write", :resourceDefinitions=>[{:attributeFilter=>{:key=>"id", :operation=>"equal", :value=>"*"}}]}

And it comes from the Catalog Administrators role. Are you able to see the above ACL show up?

Answer 4 · 2019-07-01T13:15:37.000Z

@mkanoor Yes, I was always able to see the above ACL.