datacommonsorg/website

[BUG] `server/tests/lib/nl/bad_words_test.py::TestBadWords::test_validate_prod` fails for non-ACL'd users

wittrock opened this issue · 0 comments

Describe the bug

Running `test_validate_prod` fails if a user isn't ACL'd to `gs://datcom-website-config`.

To Reproduce

Steps to reproduce the behavior:

  1. clone datacommonsorg/website, don't log into gcloud
  2. ./run_tests.sh --setup_python
  3. ./run_tests.sh -a
  4. observe test failure:

     ```
     E           google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/datcom-website-config/o?projection=noAcl&prefix=nl_bad_words.txt&prettyPrint=false: wittrock@google.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).

     .env/lib/python3.11/site-packages/google/cloud/_http/__init__.py:494: Forbidden
     ```

I notice that `gsutil acl get` returns the same:

```
wittrock@wittrock3 datacommons/website (master *) » gsutil acl get gs://datcom-website-config
AccessDeniedException: 403 wittrock@google.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).
```

Expected behavior

Tests should all pass, or be skipped if not applicable.

Additional context

Should gs://datcom-website-config be world-readable? The description it has (This is a global config bucket shared by all website instances.) makes it seem like it should be. If it shouldn't be world-readable, would you take a PR to skip the test for non-ACL'd users?
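
One way to get the "skipped if not applicable" behavior asked for above while leaving the bucket ACL unchanged, as an added sketch that is not code from the datacommonsorg/website repository. `skip_if_forbidden`, `load_bad_words`, `BadWordsSketch` and the `REQUIRE_GCS_ACCESS` variable are hypothetical names, and the bucket read is simulated so the sketch runs offline.

```python
import functools
import os
import unittest
from unittest import mock

try:
    from google.api_core.exceptions import Forbidden  # type seen in the issue's traceback
except ImportError:
    class Forbidden(Exception):  # stand-in so the sketch runs without google-api-core
        pass

STRICT_ENV = "REQUIRE_GCS_ACCESS"  # hypothetical variable a credentialed CI job sets to "1"

def skip_if_forbidden(resource):
    """Report a 403 on `resource` as a skip, unless STRICT_ENV demands access."""
    def decorator(test_fn):
        @functools.wraps(test_fn)
        def wrapper(*args, **kwargs):
            try:
                return test_fn(*args, **kwargs)
            except Forbidden as exc:
                if os.environ.get(STRICT_ENV) == "1":
                    raise  # credentialed CI: a 403 is a real failure, keep it loud
                raise unittest.SkipTest(f"no read access to {resource}: {exc}")
        return wrapper
    return decorator

def load_bad_words(acld):
    """Constructed stand-in for the bucket read; fails like the issue's traceback."""
    if not acld:
        raise Forbidden("Permission 'storage.objects.list' denied on resource")
    return ["constructed-sample-word"]

class BadWordsSketch(unittest.TestCase):
    caller_is_acld = True  # simulated ACL state, toggled by run_sketch()

    @skip_if_forbidden("gs://datcom-website-config")
    def test_validate_prod(self):
        self.assertTrue(load_bad_words(self.caller_is_acld))

def run_sketch(acld, strict=False):
    """Run the case once; return (skipped, failed_or_errored, tests_run)."""
    env = {STRICT_ENV: "1" if strict else "0"}
    result = unittest.TestResult()
    with mock.patch.dict(os.environ, env), \
         mock.patch.object(BadWordsSketch, "caller_is_acld", acld):
        unittest.defaultTestLoader.loadTestsFromTestCase(BadWordsSketch).run(result)
    return len(result.skipped), len(result.failures) + len(result.errors), result.testsRun
```

Only `Forbidden` is converted to a skip, so any other error still fails the test, and the strict switch keeps a revoked or misconfigured ACL from hiding as a skip in the environment that is expected to have access.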