scudette / rekall-agent-server

Rekall is an endpoint security solution.
http://www.rekall-forensic.com

Local development server #10

Open Rukhsar-Khan opened 6 years ago

Rukhsar-Khan commented 6 years ago

I'm testing Rekall Agent Server under a local development deployment, not in the Google Cloud. When I'm trying to curl on a REST endpoint I always get the error message "You do not have a required permission", although I'm minting a token in the same way I used to mint in the Google Cloud instance and that worked well.

scudette commented 6 years ago

In order for the token to work you need two conditions to be true:

  1. The token must delegate the correct role (e.g. Investigator is required for launching flows).
  2. The user that delegated the role must have the role already assigned to them (i.e. a user which does not have a role cannot mint a token that delegates that role).

When using the dev App Engine server, the SDK allows you to impersonate any email account for testing purposes, and you can also say "make it an admin" to be an App Engine admin user. Being an App Engine admin is like a super user privilege - Rekall will let that user do anything without needing roles to be granted (including launching flows). So you might not notice that the user does not have the Investigator role (which means they cannot delegate it).

You should grant your test user the required roles (Investigator on the client). You should also add the Approver role to be able to grant the Investigator role (even to itself). Then log out and the SDK will show the login screen again. Untick the admin checkbox and then log in. The Rekall application will then treat the user as a normal authenticated user. If you try to access a client you will be forced through the approver workflow and need to grant approval etc.

Now if you generate a token, this should just work with curl.
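
The two conditions from the reply above, as a simplified model showing why an admin login can hide a missing role. This is an added example, not Rekall Agent Server code and not part of the original comments; the class names, function names, email address and client id are hypothetical.

```python
# Simplified model of the token-delegation rule described in the thread.
# All names here are hypothetical; this is not Rekall Agent Server code.
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    is_admin: bool = False                      # dev SDK admin checkbox
    roles: dict = field(default_factory=dict)   # resource -> set of role names

    def has_role(self, resource, role):
        return role in self.roles.get(resource, set())


@dataclass
class Token:
    delegator: User
    role: str
    resource: str


def check_interactive(user, resource, role):
    """Logged-in session: an App Engine admin bypasses role checks."""
    return user.is_admin or user.has_role(resource, role)


def check_token(token, resource, required_role):
    """Token request: both conditions must hold; admin status is not a role."""
    if token.role != required_role or token.resource != resource:
        return False, "token does not delegate the required role"
    if not token.delegator.has_role(resource, required_role):
        return False, "delegating user does not hold the role"
    return True, "ok"


def demo():
    client = "C.constructed-client-id"          # constructed sample value
    admin = User("test@example.com", is_admin=True)
    results = {"admin_ui": check_interactive(admin, client, "Investigator")}
    # Token minted while logged in as admin, before any role was granted.
    results["before_grant"] = check_token(
        Token(admin, "Investigator", client), client, "Investigator")
    # Role granted and admin checkbox unticked, as the reply recommends.
    user = User("test@example.com", roles={client: {"Investigator"}})
    results["after_grant"] = check_token(
        Token(user, "Investigator", client), client, "Investigator")
    results["wrong_role"] = check_token(
        Token(user, "Approver", client), client, "Investigator")
    return results
```
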