GENI-NSF / geni-ch

GENI clearinghouse services

authorization error on lookup_identifying_member_info #269

Closed ahelsing closed 9 years ago

ahelsing commented 9 years ago

Niky is trying to do a bulk upload of email addresses from the portal, and getting a bunch of authorization errors doing lookup_identifying_member_info.

She says it only happens when she includes a 'new' portal user. But this may mean only when she includes someone like RRB@clemson.edu, who has a mixed case email address.

The portal sends that email address all lowercase. Does chapi correctly handle that address coming in the query as lowercase, but mixed case in the DB?

We only see these errors in the last few days.

Sample errors:

04/15/2014 11:33:02:INFO    :chapi:SA: nriga@bbn.com: Invoked lookup_project_members Options {'_dummy': 'null'} Arguments {'project_urn': 'urn:publicid:IDN+ch.geni.net+project+NetSec'}
04/15/2014 11:33:02:INFO    :chapi:SA: nriga@bbn.com: Result from lookup_project_members: {'output': '', 'code': 0, 'value': [{'PROJECT_MEMBER': u'urn:publicid:IDN+ch.geni.net+user+nriga', 'PROJECT_ROLE': u'LEAD', 'PROJECT_MEMBER_UID': '762e2515-1b42-4474-9f87-6885e33724e6'}]}
04/15/2014 11:33:02:INFO    :amsoil:[mav1] Called: <lookup_identifying_member_info>
04/15/2014 11:33:02:INFO    :chapi:MA: nriga@bbn.com: Invoked lookup_identifying_member_info Options {'filter': ['_GENI_IDENTIFYING_MEMBER_UID', 'MEMBER_EMAIL'], 'match': {'MEMBER_EMAIL': ['y.zhu61@csuohio.edu', 'n.ruffing@vikes.csuohio.edu', 'lulu.terrill@gmail.com']}, '_dummy': 'null'} Arguments {}
04/15/2014 11:33:02:ERROR   :amsoil:[mav1] [AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method lookup_identifying_member_info with options {'filter': ['_GENI_IDENTIFYING_MEMBER_UID', 'MEMBER_EMAIL'], 'match': {'MEMBER_EMAIL': ['y.zhu61@csuohio.edu', 'n.ruffing@vikes.csuohio.edu', 'lulu.terrill@gmail.com']}, '_dummy': 'null'} arguments {} queries [u'ME.MAY_LOOKUP_IDENTIFYING_MEMBER_INFO_urn_publicid_IDN_ch_geni_net_user_yzhu61<-CALLER', 'ME.MAY_LOOKUP_IDENTIFYING_MEMBER_INFO<-CALLER'])
04/15/2014 11:33:02:INFO    :chapi:MA: nriga@bbn.com: Result from lookup_identifying_member_info: {'output': "[AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method lookup_identifying_member_info with options {'filter': ['_GENI_IDENTIFYING_MEMBER_UID', 'MEMBER_EMAIL'], 'match': {'MEMB...

Imported from trac ticket #269, created by ahelsing on 04-15-2014 at 14:54, last modified: 04-17-2014 at 15:01

ahelsing commented 9 years ago

member_authoritypolicy.json lists assertions: "ME.IS$PROJECT_LEAD_AND$SEARCHING_BY_EMAIL<-CALLER", "ME.IS$PROJECT_ADMIN_AND$SEARCHING_BY_EMAIL<-CALLER",

and policies: "ME.MAY_$METHOD<-ME.IS_PROJECT_LEAD_AND_SEARCHING_EMAIL", "ME.MAY_$METHOD<-ME.IS_PROJECT_ADMIN_AND_SEARCHING_EMAIL",

I don't know how this stuff works anymore, but I believe that the missing assertion is supposed to be added by guard_utils.assert_shares_project(), where it is called ME.IS_LEAD_AND_SEARCHING_EMAIL<-CALLER

So 2 things: 1) How is assert_shares_project called for this API method invocation? 2) There appears to be a mismatch in the name of the assertion/policy

Trac comment by ahelsing on 04-15-2014 at 14:55

ahelsing commented 9 years ago

2 issues:

  1. SEARCHING_EMAIL vs SEARCHING_BY_EMAIL. So even if we generated the right assertion, it would not have satisfied the policy.
  2. The assertion/binding should be about the caller - that is, is the caller a project lead or project admin. The code was checking whether the subject (the person you are looking up) was a project lead or project admin.

Trac comment by ahelsing on 04-17-2014 at 14:52
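To make the two defects concrete, here is a toy model written for this page (it is not geni-ch's own code; `role_assertions`, `may_call` and the project data are made up, while the policy strings and the user names follow the ticket and its log lines):

```python
# Added illustration (not geni-ch code; helper names are made up): a toy model
# of the assertion/policy matching the thread describes, showing both defects.

METHOD = "LOOKUP_IDENTIFYING_MEMBER_INFO"

# Policies as in the ticket: MAY_<method> is granted to a caller who holds one of
# the listed assertions. The buggy set spells the right-hand side without "BY".
POLICIES_BUGGY = {
    "ME.MAY_" + METHOD: {"ME.IS_PROJECT_LEAD_AND_SEARCHING_EMAIL",
                         "ME.IS_PROJECT_ADMIN_AND_SEARCHING_EMAIL"},
}
POLICIES_FIXED = {
    "ME.MAY_" + METHOD: {"ME.IS_PROJECT_LEAD_AND_SEARCHING_BY_EMAIL",
                         "ME.IS_PROJECT_ADMIN_AND_SEARCHING_BY_EMAIL"},
}

# Constructed sample data: one project with its lead, admins and members.
PROJECTS = {
    "NetSec": {"lead": "nriga", "admins": set(), "members": {"nriga", "yzhu61"}},
}


def role_assertions(who, subject, projects):
    """Mint ME.IS_<ROLE>_AND_SEARCHING_BY_EMAIL<-CALLER assertions for `who`
    from the projects `subject` belongs to (a hypothetical stand-in for the
    guard_utils.assert_shares_project() the ticket mentions)."""
    held = set()
    for proj in projects.values():
        if subject not in proj["members"]:
            continue
        if proj["lead"] == who:
            held.add("ME.IS_PROJECT_LEAD_AND_SEARCHING_BY_EMAIL")
        if who in proj["admins"]:
            held.add("ME.IS_PROJECT_ADMIN_AND_SEARCHING_BY_EMAIL")
    return held


def may_call(caller, subject, policies, assert_about_caller=True):
    """True if the MAY_<method> policy is satisfied. assert_about_caller=False
    reproduces the second defect: the assertion is minted about the subject
    being looked up instead of about the caller."""
    who = caller if assert_about_caller else subject
    held = role_assertions(who, subject, PROJECTS)
    return bool(policies["ME.MAY_" + METHOD] & held)


if __name__ == "__main__":
    print(may_call("nriga", "yzhu61", POLICIES_BUGGY))  # False: name mismatch
    print(may_call("nriga", "yzhu61", POLICIES_FIXED, False))  # False: wrong principal
    print(may_call("nriga", "yzhu61", POLICIES_FIXED))  # True: both fixed
```

Either defect alone is enough to deny the project lead, which matches the AUTHORIZATION_ERROR in the log: the policy fails closed, so the bug surfaces as a denial rather than an over-grant.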