search

privacysandbox / aggregation-service

This repository contains instructions and scripts to set up and test the Privacy Sandbox Aggregation Service
Apache License 2.0
60 stars 31 forks source link

trying to use a new enrolled reporting origin, failed due to PRIVACY_BUDGET_AUTHORIZATION_ERROR #75

Open TomerGoldstein opened 2 days ago

TomerGoldstein commented 2 days ago

Hey! current state: reporting origin = "x" aggregation service version = 2.7.0

we dont have any issues in this situation, we send reports with reporting origin "x" and "attribution_report_to" :"x" to our aggregation service and get all the decoded aggregated results

new state:

we are sending reports with reporting origin "y" and attribution_report_to "y" to the same exact service with the same deployment params exactly and we get the following error:

"result_info": {
        "return_code": "PRIVACY_BUDGET_AUTHORIZATION_ERROR",
        "return_message": "com.google.aggregate.adtech.worker.exceptions.AggregationJobProcessException: Aggregation service is not authorized to call privacy budget service. This could happen if the createJob API job_paramaters.attribution_report_to does not match the one registered at enrollment. Please verify and contact support if needed. \n com.google.aggregate.adtech.worker.aggregation.concurrent.ConcurrentAggregationProcessor.consumePrivacyBudgetUnits(ConcurrentAggregationProcessor.java:446) \n com.google.aggregate.adtech.worker.aggregation.concurrent.ConcurrentAggregationProcessor.process(ConcurrentAggregationProcessor.java:326) \n com.google.aggregate.adtech.worker.WorkerPullWorkService.run(WorkerPullWorkService.java:143)\nThe root cause is: com.google.scp.operator.cpio.distributedprivacybudgetclient.TransactionEngine$TransactionEngineException: PRIVACY_BUDGET_CLIENT_UNAUTHORIZED \n com.google.scp.operator.cpio.distributedprivacybudgetclient.TransactionEngineImpl.createTransactionEngineException(TransactionEngineImpl.java:213) \n com.google.scp.operator.cpio.distributedprivacybudgetclient.TransactionEngineImpl.proceedToNextPhase(TransactionEngineImpl.java:68) \n com.google.scp.operator.cpio.distributedprivacybudgetclient.TransactionEngineImpl.executeDistributedPhase(TransactionEngineImpl.java:206)",

we where under the impression that if we enroll a new domain / reporting origin the aggregation service should know how to decode it without getting new deployment params such as the aws coordinators, are we mistaken? did we miss something?

what should we do to solve this issue? thanks!

nlrussell commented 1 day ago

Hi @TomerGoldstein, can you please email aggregation-service-support@google.com with your reporting origins so I can double-check their onboarding status?