Closed nbastin closed 7 years ago
Could you please try this again with an empty list for the "credentials" argument?
I can successfully invoke this method using tools/client.py
, which appears to send an empty credentials list. If your call succeeds with an empty credential list, maybe there's a bug in the credential handling with respect to this method.
Should have mentioned that I tried that first. It has the same problem:
>>> req_data = xmlrpclib.dumps((1, '10c88fc8-9d57-4971-8820-5b14323557f5', 0, [], {}), methodname="get_requests_for_context")
>>> s = requests.Session()
>>> s.mount(url, CH2.GCU.TLSHttpAdapter())
>>> cert = (context.cf.cert, context.cf.key)
>>> resp = s.post(url, req_data, cert=cert, verify=False, headers=CH2.headers())
>>> PP(xmlrpclib.loads(resp.content)[0][0])
{'code': 2,
'output': "[AUTHORIZATION] AUTHORIZATION_ERROR (Caller not authorized to call method get_requests_for_context with options {} arguments {'context_type': 1, 'context_id': '10c88fc8-9d57-4971-8820-5b14323557f5', 'status': 0} queries [u'ME.MAY_GET_REQUESTS_FOR_CONTEXT_urn_publicid_IDN_ch_geni_net_project_vts_infra<-CALLER', 'ME.MAY_GET_REQUESTS_FOR_CONTEXT<-CALLER'])",
'value': None}
This is a bug in the authorization engine. It worked for me above because I was using an operator account and succeeding because operators are explicitly allowed.
The policy assertions for get_requests_for_context
are left unbound because $REQUEST_ID
and $REQUEST_ROLE
are unavailable at the binding phase. We need extra clauses to accommodate the PROJECT_URN
subject_type to populate both $REQUEST_ID
and $REQUEST_ROLE
.
Other calls may be similarly broken as well.
Given the following request data:
(
context.ucred_api3
is a property that generates the user credential in v3 format, and I am the lead of the project in question)I get an authorization error:
get_pending_requests_for_user
works fine, so I can mostly work around the problem for common use cases, but if there's a way I could get this call to work that would be useful.