Page MenuHomeSoftware Heritage

Check and fix HAL-preprod `forbidden` error
Started, Work in Progress, HighPublic

Description

When testing with hal-preprod, I get the following error on the interface page:

SWORD SWH response: Forbidden

Event Timeline

moranegg triaged this task as Normal priority.Nov 5 2019, 10:42 AM
moranegg created this task.

I have tested today at 11.20 with the same error on HAL's platform.
@ardumont : can you check what the logs say about that?
I think it's about the client credentials, they use the HAL prod credentials and they are listed as HAL preprod client.

logs confirm 403 responses (forbidden access) [1]. They are using the wrong credentials.

I did not remember exactly the detail so here is a quote [2]

HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account.

[1] Logs excerpt coming from kibana:

	Time	message
	2020-09-17T11:24:21.563	2020-09-17 09:24:21 [1015935] gunicorn.access:INFO 127.0.0.1 - hal-preprod [17/Sep/2020:09:24:21 +0000] "POST /1/hal/ HTTP/1.1" 403 285 "-" "-"
	2020-09-17T11:24:21.562	[17/Sep/2020 09:24:21] WARNING [django.request:228] Forbidden: /1/hal/
	2020-09-17T11:24:21.562	2020-09-17 09:24:21 [1015935] django.request:WARNING Forbidden: /1/hal/
	2020-09-17T11:24:21.239	2020-09-17 09:24:21 [1015935] swh.core.config:INFO Loading config file /etc/softwareheritage/deposit/server.yml
	2020-09-17T11:24:21.227	2020-09-17 09:24:21 [1015935] swh.core.config:INFO Loading config file /etc/softwareheritage/global.ini
	2020-09-17T11:20:17.808	2020-09-17 09:20:17 [1015933] gunicorn.access:INFO 127.0.0.1 - hal-preprod [17/Sep/2020:09:20:17 +0000] "POST /1/hal/ HTTP/1.1" 403 285 "-" "-"
	2020-09-17T11:20:17.806	2020-09-17 09:20:17 [1015933] django.request:WARNING Forbidden: /1/hal/
	2020-09-17T11:20:17.805	[17/Sep/2020 09:20:17] WARNING [django.request:228] Forbidden: /1/hal/
	2020-09-17T11:20:17.318	2020-09-17 09:20:17 [1015933] swh.core.config:INFO Loading config file /etc/softwareheritage/deposit/server.yml
	2020-09-17T11:20:17.302	2020-09-17 09:20:17 [1015933] swh.core.config:INFO Loading config file /etc/softwareheritage/global.ini

source: http://kibana0.internal.softwareheritage.org:5601/goto/ba9cdc6e272f0183549ddede406b4ac8

[2] https://en.wikipedia.org/wiki/HTTP_403#Specification

I've sent an email (@ardumont in CC) to Bruno and Yannick about this error and about T2611.

ardumont added a comment.EditedSep 22 2020, 3:59 PM

The hal-preprod credentials are correct, we double checked with @moranegg.

It hit me during the second pass... (but we can see it in the logs already /1/hal/)

They are using the hal-preprod user but they try to access the hal collection... That's forbidden.

hal-preprod user can access the hal-preprod collection, not another client collection.

The logs need to be improved so the error and the cause of the error are displayed because i'm pretty sure this behavior is coded in the deposit...

ardumont changed the task status from Open to Work in Progress.Sep 22 2020, 3:59 PM

The logs need to be improved so the error and the cause of the error are displayed because i'm pretty sure this behavior is coded in the deposit...

T2626

moranegg raised the priority of this task from Normal to High.Wed, Sep 30, 11:28 AM
moranegg moved this task from In progress to Tests and validation on the SWORD deposit board.

heads up on this, we have nothing more to do on swh side.

And a priori, discussing with @moranegg yesterday about it, work has been done
on the hal side.

ardumont removed ardumont as the assignee of this task.Thu, Oct 1, 6:23 PM
ardumont added a subscriber: ardumont.