[BUG] Thredds Deny Recursive permission not working as intended on "old upgraded" server. #632
Comments
I'm running the same server version https://hirondelle.crim.ca/twitcher/ows/proxy/thredds/catalog/birdhouse/testdata/secure/catalog.html Attempting the download via https://hirondelle.crim.ca/twitcher/ows/proxy/thredds/fileServer/birdhouse/testdata/secure/tasmax_Amon_MPI-ESM-MR_rcp45_r2i1p1_200601-200612.nc also causes the forbidden access. What does the Also, check if the Those are the only things I can think of that would cause different behaviors.
What happens if you click the ❔ button. Is it ❌ or ✅ ?
Ok. That's really weird. All seems correct.
OK. I will also try to replicate the Magpie DB from prod to my test VM that is currently fresh and does not have the bug. If I can reproduce the error on my test VM, this means the trigger for the bug is in the DB data and not in the code, or rather the code did not handle a special case on data that has been upgraded multiple times.
Very weird, not able to replicate this on my test VM. I don't have all the large production data on my test VM, but this should really not matter. I'll continue to investigate.
Describe the bug
I am not supposed to be able to browse this link https://pavics.ouranos.ca/twitcher/ows/proxy/thredds/catalog/birdhouse/testdata/secure/catalog.html?dataset=birdhouse/testdata/secure/tasmax_Amon_MPI-ESM-MR_rcp45_r2i1p1_200601-200612.nc since the path "/birdhouse/testdata/secure" has "Deny, Recursive" permission set on it.
Not only that, I was able to download the .nc raw file. The only path that actually has a "Deny, Recursive" permission working is "Opendap" path on that file. All other paths I can access.
Jenkins was passing on production server all this time because the notebook only checks for the Opendap path and the Opendap path is the only path being "denied" as expected.
The weirder problem is I deployed a fresh server on the exact same birdhouse-deploy commit and "Deny, Recursive" was able to block everything, ex: https://lvu8.ouranos.ca/twitcher/ows/proxy/thredds/catalog/birdhouse/testdata/secure/catalog.html?dataset=birdhouse/testdata/secure/tasmax_Amon_MPI-ESM-MR_rcp45_r2i1p1_200601-200612.nc (exact same file, just fresh server).
So it seems that on a production server where we have done many DB upgrades, some "cruft" is left behind and confuses Twitcher/Magpie? Another difference is on the production server we have 800+ users whereas my fresh test server only has 3 users (admin, anonymous, authtest).
Found accidentally when testing for bird-house/birdhouse-deploy#478.
To Reproduce
Steps to reproduce the behavior:
Deploy the stack at this commit bird-house/birdhouse-deploy@eefea61
Expected behavior
Should get "Access to service is forbidden" for this link https://pavics.ouranos.ca/twitcher/ows/proxy/thredds/catalog/birdhouse/testdata/secure/catalog.html?dataset=birdhouse/testdata/secure/tasmax_Amon_MPI-ESM-MR_rcp45_r2i1p1_200601-200612.nc
Screenshots
Correct behavior on my fresh server
Wrong behavior on production server
Magpie config on production server is properly set to "Deny, Recursive"
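The report notes that the Jenkins notebook only exercised the Opendap path, which is why the gap went unnoticed. The following is an added example, not part of the original issue or of the project's test suite: a regression check that requests the same protected file through every THREDDS access path and lists the ones that did not refuse. Assumptions: the host `thredds.example.org` is a placeholder, the `ncss`, `wcs` and `wms` prefixes are only relevant if those services are enabled, and HTTP 401/403 is treated as "denied".

```python
from urllib import error, request

# "catalog" and "fileServer" appear in the issue; "dodsC" is THREDDS's OPeNDAP
# prefix; "ncss", "wcs" and "wms" are assumptions about enabled services.
SERVICES = ["catalog", "fileServer", "dodsC", "ncss", "wcs", "wms"]


def secure_urls(proxy_base, dataset_dir, filename):
    """Return {service: url} for one file under every THREDDS service prefix."""
    base = proxy_base.rstrip("/")
    directory = dataset_dir.strip("/")
    dataset = f"{directory}/{filename}"
    urls = {svc: f"{base}/{svc}/{dataset}" for svc in SERVICES}
    # The catalog view addresses the file through a query parameter.
    urls["catalog"] = f"{base}/catalog/{directory}/catalog.html?dataset={dataset}"
    return urls


def http_status(url, timeout=10):
    """Anonymous GET; return the status code instead of raising on 4xx/5xx."""
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except error.HTTPError as exc:
        return exc.code


def not_denied(urls, get_status=http_status, denied=(401, 403)):
    """Return {service: status} for every path that did NOT refuse access."""
    results = {svc: get_status(url) for svc, url in urls.items()}
    return {svc: code for svc, code in results.items() if code not in denied}


def fake_prod_status(url):
    """Constructed responses mimicking the report: only OPeNDAP is blocked."""
    return 403 if "/dodsC/" in url else 200


URLS = secure_urls(
    "https://thredds.example.org/twitcher/ows/proxy/thredds",  # placeholder host
    "birdhouse/testdata/secure",
    "tasmax_Amon_MPI-ESM-MR_rcp45_r2i1p1_200601-200612.nc",
)

if __name__ == "__main__":
    for svc, code in not_denied(URLS, fake_prod_status).items():
        print(f"NOT DENIED via {svc}: HTTP {code} {URLS[svc]}")
```

Against a live deployment, call `not_denied(URLS)` with the real proxy base and fail the build unless it returns an empty dict.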