Worker and supervisor unable to auto annotate with models, 403 error #4996

Closed
5 tasks done
aliu-dm opened this issue Sep 26, 2022 · 19 comments · Fixed by #5392

Comments

@aliu-dm

aliu-dm commented Sep 26, 2022

My actions before raising this issue

  • Read/searched the docs
  • Searched past issues
  • Checked that model is working on docker and nuclio
  • Checked that members of the organization with other access levels can auto
  • Upgraded CVAT and rechecked everything above

Similar issues seem to occur in #4860 and #4548

Expected Behaviour

Any user should be able to use automatic annotations in an organization, not just Owner and Maintainer

Current Behaviour

Only the owner and maintainers of an organization are able to use auto annotations; workers and supervisors receive the following error:

Error: Request failed with status code 403. {"detail":"You do not have permission to perform this action."}.

Possible Solution

Steps to Reproduce (for bugs)

  1. Set up auto annotations and add a model
  2. Create an organization
  3. Add another user as either a worker or supervisor
  4. Add a new task in the organization with labels that the model can annotate
  5. Have the other user try to auto annotate the task with the model

Context

I would like for other users in my organization to be allowed to auto annotate without giving them higher levels of privilege.

Your Environment

  • Git hash commit (git log -1): b9abbce
  • Docker version (docker version): 20.10.17
  • Are you using Docker Swarm or Kubernetes? No
  • Operating System and version (e.g. Linux, Windows, MacOS): Ubuntu 22.04.1 LTS
@bsekachev
Member

Hi @aliu-dm

Are you trying to run automatic annotations on the whole task or for one frame only?

@aliu-dm
Author

aliu-dm commented Sep 27, 2022

Hi @bsekachev

For both a whole task and one frame only when in an organization. A normal user (not superuser) in their personal workspace can annotate a single frame, but not the whole task. When they try to annotate a whole task in their personal workspace they receive the same 403 error as above.

@bsekachev
Member

@aliu-dm

I was not able to reproduce your issue (I am on current develop branch). I created an organization and invited a user there who has the "user" role:
[screenshot]

and this user is a worker in the organization:
[screenshot]

For some reason I am unable to run nuclio functions now, but I didn't get any 403 permission denied and my request was sent to nuclio-dashboard successfully.

I can also confirm that the worker cannot get a list using this URL:
http://<cvat_url>/api/lambda/requests?org=cvat, but that is expected as far as I remember, and the user does not get any errors in the interface.

Theoretically you can catch this error after the serverless response is received, but in that case could you please confirm that you can see nuclio-dashboard calls in docker logs nuclio-dashboard when a worker tries to send the request?

For example in my case, I see the following:

22.09.27 18:23:51.098 rd.platform.docker.runner (D) Executing {"command": "docker exec  nuclio-local-storage-reader /bin/sh -c \"/bin/cat /etc/nuclio/store/functions/nuclio/openvino-dextr.json\""}
22.09.27 18:23:51.214 rd.platform.docker.runner (D) Command executed successfully {"output": "...\n", "stderr": "", "exitCode": 0}
22.09.27 18:23:51.215          dashboard.server (D) Handled request {"requestID": "3bdf3a1891b9/XleE4Goroa-000008", "requestMethod": "GET", "requestPath": "/api/functions/openvino-dextr", "requestHeaders": {"Accept":["*/*"],"Accept-Encoding":["gzip, deflate"],"Connection":["close"],"User-Agent":["python-requests/2.26.0"],"X-Nuclio-Function-Namespace":["nuclio"],"X-Nuclio-Invoke-Via":["domain-name"],"X-Nuclio-Project-Name":["cvat"]}, "requestBody": "", "responseStatus": 200, "responseTime": "117.025892ms"}

@nmanovic
Do you have any ideas about that?

According to .rego file I also do not see any specific restrictions for an organization:

package lambda
import data.utils

# input: {
#     "scope": <"list"|"view"|"call:online"|"call:offline"> or null,
#     "auth": {
#         "user": {
#             "id": <num>,
#             "privilege": <"admin"|"business"|"user"|"worker"> or null
#         },
#         "organization": {
#             "id": <num>,
#             "owner": {
#                 "id": <num>
#             },
#             "user": {
#                 "role": <"owner"|"maintainer"|"supervisor"|"worker"> or null
#             }
#         } or null,
#     }
# }

default allow = false
allow {
    utils.is_admin
}

allow {
    input.scope == utils.LIST
}

allow {
    input.scope == utils.VIEW
}

allow {
    input.scope == utils.CALL_ONLINE
    utils.has_perm(utils.WORKER)
}

allow {
    input.scope == utils.CALL_OFFLINE
    utils.has_perm(utils.BUSINESS)
}

Also we have the following test scope:

test_scope_CALL_ONLINE_context_ORGANIZATION_ownership_NONE_privilege_USER_membership_WORKER {
    allow with input as {"scope": "call:online", "auth": {"user": {"id": 94, "privilege": "user"}, "organization": {"id": 163, "owner": {"id": 275}, "user": {"role": "worker"}}}, "resource": null}
}
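To make the decision above concrete, here is an added example (not CVAT's own code) that models the quoted lambda.rego rules in Python and evaluates them over inputs shaped like the ones OPA receives. It assumes that utils.is_admin checks for privilege "admin" and that utils.has_perm compares the user's privilege against the ordering admin > business > user > worker; neither helper is shown on this page. Note that the organization role never enters the decision, which matches the observation that the policy has no organization-specific restrictions.

```python
# Added example, not CVAT's own code: a Python model of the lambda.rego rules
# quoted above, evaluated over OPA-style inputs, to show why "call:offline"
# is denied for a plain "user" while "call:online" is allowed for an
# organization worker.
#
# Assumptions (not stated on this page): utils.is_admin checks
# privilege == "admin", and utils.has_perm(level) compares the user's
# privilege against the ordering admin > business > user > worker.
from typing import Optional

PRIVILEGE_RANK = {"admin": 3, "business": 2, "user": 1, "worker": 0}

# Minimum privilege each lambda scope requires under the quoted rules;
# None means the scope is allowed for any authenticated user.
SCOPE_REQUIREMENT = {
    "list": None,
    "view": None,
    "call:online": "worker",
    "call:offline": "business",
}


def make_input(scope: Optional[str], privilege: Optional[str],
               role: Optional[str] = None, user_id: int = 2,
               org_id: int = 1, owner_id: int = 1) -> dict:
    """Build an OPA input in the layout documented in lambda.rego's header."""
    org = None
    if role is not None:
        org = {"id": org_id, "owner": {"id": owner_id}, "user": {"role": role}}
    return {
        "scope": scope,
        "auth": {"user": {"id": user_id, "privilege": privilege},
                 "organization": org},
        "resource": None,
    }


def is_admin(inp: dict) -> bool:
    return inp["auth"]["user"].get("privilege") == "admin"


def has_perm(inp: dict, required: str) -> bool:
    priv = inp["auth"]["user"].get("privilege")
    if priv is None:  # privilege null: no has_perm body can succeed
        return False
    return PRIVILEGE_RANK[priv] >= PRIVILEGE_RANK[required]


def lambda_allow(inp: dict) -> bool:
    """Mirror of `allow` in lambda.rego: any one rule body succeeding allows."""
    if is_admin(inp):
        return True
    scope = inp.get("scope")
    if scope not in SCOPE_REQUIREMENT:
        return False  # default allow = false
    required = SCOPE_REQUIREMENT[scope]
    return required is None or has_perm(inp, required)


def explain(inp: dict) -> str:
    """One-line reason a practitioner can compare with the OPA decision log."""
    scope = inp.get("scope")
    priv = inp["auth"]["user"].get("privilege")
    if lambda_allow(inp):
        return f"allow: scope={scope} privilege={priv}"
    required = SCOPE_REQUIREMENT.get(scope)
    if required is None:
        return f"deny: unknown scope {scope!r}"
    return f"deny: scope={scope} needs privilege >= {required}, user has {priv}"


if __name__ == "__main__":
    # The decisions the thread's cvat_opa log shows, plus the "business" fix.
    for inp in (
        make_input("call:online", "user", role="worker"),
        make_input("call:offline", "user", role="worker"),
        make_input("call:offline", "business", role="worker"),
    ):
        print(explain(inp))
```

Running the block prints one line per input; the second input is the exact shape of the denied "call:offline" decision quoted later in the thread, and the third is what it becomes once the user is added to the business group.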

@nmanovic
Contributor

@aliu-dm, you need to add the business group for your users. CALL_OFFLINE means running it for the whole task. Only users with the business role can do that.

@aliu-dm
Author

aliu-dm commented Sep 28, 2022

@nmanovic I've just updated a worker in the organization to be a part of the business group, so they have both the user and business roles. When they are assigned a task, they can auto annotate both the task and a frame within a job in that task. But if they are only assigned a job, they are unable to auto annotate each frame. When a worker is not in the business group and is assigned a task, they can only auto annotate a frame within a job in that task, as you have indicated. On another note, I see in the documentation here a TBD for system roles; would it be possible to get something up there in the near future, as I do not know what the access for the other roles entails?

@bsekachev I can see similar logs, as shown below. I've redacted the name of the function I used, but it is basically the same as the yolov5 model, with some modifications so I could use my own trained model.

22.09.27 19:03:56.780 rd.platform.docker.runner (D) Executing {"command": "docker exec  nuclio-local-storage-reader /bin/sh -c \"/bin/cat /etc/nuclio/store/functions/nuclio/[function-name].json\""}
22.09.27 19:03:56.894 rd.platform.docker.runner (D) Command executed successfully {"output": "...\n", "stderr": "", "exitCode": 0}
22.09.27 19:03:56.896          dashboard.server (D) Handled request {"requestID": "23c544397655/Dv3wA2Fni9-000440", "requestMethod": "GET", "requestPath": "/api/functions/[function-name]", "requestHeaders": {"Accept":["application/json, text/plain, */*"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,en;q=0.9"],"Connection":["close"],"Cookie":["[redacted]"],"Referer":["http://10.101.30.95:8070/projects/cvat/functions"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"],"X-Nuclio-Function-Enrich-Apigateways":["true"],"X-Nuclio-Function-Namespace":["nuclio"],"X-Nuclio-Project-Name":["cvat"]}, "requestBody": "", "responseStatus": 200, "responseTime": "115.545176ms"}

@hadign20

hadign20 commented Oct 1, 2022

> @aliu-dm , you need to add business group for your users. CALL_OFFLINE means to run a task for the whole task. Only users with the business role can do that.

Hello,

Can you please let me know how to create a business group?

Thanks

@alex4men
Contributor

alex4men commented Oct 3, 2022

I also have this issue. I have a user from an organisation with the worker role, who is a member of a user group in the admin panel. If I only assign a job to this user, he couldn't use AI Tools (Detection error occurred Error: Request failed with status code 403. {"detail":"You do not have permission to perform this action."}.), but when I assign him a task, he could use AI Tools in a job from the task's job list, regardless of the assignment of the job.
In the docker logs cvat_opa for the first case I got this output:

{"client_addr":"172.23.0.14:58834","level":"info","msg":"Received request.","req_id":1,"req_method":"POST","req_path":"/v1/data/lambda/allow","time":"2022-10-03T21:16:58Z"}
{"decision_id":"b60d83e0-1af6-454f-a08b-3c8071b76e90","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":null,"scope":"call:online"},"labels":{"id":"4c237a78-9aa2-4ac2-b3fc-2fdf3336f7d6","version":"0.34.2"},"level":"info","metrics":{"counter_server_query_cache_hit":0,"timer_rego_input_parse_ns":191104,"timer_rego_query_compile_ns":243735,"timer_rego_query_eval_ns":1105722,"timer_rego_query_parse_ns":153940,"timer_server_handler_ns":1854593},"msg":"Decision Log","path":"lambda/allow","requested_by":"172.23.0.14:58834","result":true,"time":"2022-10-03T21:16:58Z","timestamp":"2022-10-03T21:16:58.987289321Z","type":"openpolicyagent.org/decision_logs"}
{"client_addr":"172.23.0.14:58834","level":"info","msg":"Sent response.","req_id":1,"req_method":"POST","req_path":"/v1/data/lambda/allow","resp_bytes":68,"resp_duration":3.006393,"resp_status":200,"time":"2022-10-03T21:16:58Z"}
{"client_addr":"172.23.0.14:58844","level":"info","msg":"Received request.","req_id":2,"req_method":"POST","req_path":"/v1/data/tasks/allow","time":"2022-10-03T21:16:58Z"}
{"decision_id":"a74fe108-9527-4814-ad24-94cc759886fd","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":{"assignee":{"id":null},"id":45,"organization":{"id":1},"owner":{"id":1},"project":{"assignee":{"id":null},"organization":{"id":1},"owner":{"id":1}}},"scope":"view:data"},"labels":{"id":"4c237a78-9aa2-4ac2-b3fc-2fdf3336f7d6","version":"0.34.2"},"level":"info","metrics":{"counter_server_query_cache_hit":0,"timer_rego_input_parse_ns":119374,"timer_rego_query_compile_ns":171227,"timer_rego_query_eval_ns":2044740,"timer_rego_query_parse_ns":108374,"timer_server_handler_ns":2570123},"msg":"Decision Log","path":"tasks/allow","requested_by":"172.23.0.14:58844","result":false,"time":"2022-10-03T21:16:58Z","timestamp":"2022-10-03T21:16:58.993655752Z","type":"openpolicyagent.org/decision_logs"}
{"client_addr":"172.23.0.14:58844","level":"info","msg":"Sent response.","req_id":2,"req_method":"POST","req_path":"/v1/data/tasks/allow","resp_bytes":69,"resp_duration":3.055348,"resp_status":200,"time":"2022-10-03T21:16:58Z"}

And for the second case I got:

{"client_addr":"172.23.0.14:39008","level":"info","msg":"Received request.","req_id":20,"req_method":"POST","req_path":"/v1/data/lambda/allow","time":"2022-10-03T21:22:15Z"}
{"decision_id":"dece6b85-7ace-45b8-9d6e-5c1e0ca5e5d0","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":null,"scope":"call:online"},"labels":{"id":"4c237a78-9aa2-4ac2-b3fc-2fdf3336f7d6","version":"0.34.2"},"level":"info","metrics":{"counter_server_query_cache_hit":1,"timer_rego_input_parse_ns":89256,"timer_rego_query_eval_ns":769446,"timer_server_handler_ns":930060},"msg":"Decision Log","path":"lambda/allow","requested_by":"172.23.0.14:39008","result":true,"time":"2022-10-03T21:22:15Z","timestamp":"2022-10-03T21:22:15.803919801Z","type":"openpolicyagent.org/decision_logs"}
{"client_addr":"172.23.0.14:39008","level":"info","msg":"Sent response.","req_id":20,"req_method":"POST","req_path":"/v1/data/lambda/allow","resp_bytes":68,"resp_duration":1.425058,"resp_status":200,"time":"2022-10-03T21:22:15Z"}
{"client_addr":"172.23.0.14:39018","level":"info","msg":"Received request.","req_id":21,"req_method":"POST","req_path":"/v1/data/tasks/allow","time":"2022-10-03T21:22:15Z"}
{"decision_id":"0152b756-b4bf-491e-a817-856552198c23","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":{"assignee":{"id":2},"id":46,"organization":{"id":1},"owner":{"id":1},"project":{"assignee":{"id":null},"organization":{"id":1},"owner":{"id":1}}},"scope":"view:data"},"labels":{"id":"4c237a78-9aa2-4ac2-b3fc-2fdf3336f7d6","version":"0.34.2"},"level":"info","metrics":{"counter_server_query_cache_hit":1,"timer_rego_input_parse_ns":70449,"timer_rego_query_eval_ns":1365731,"timer_server_handler_ns":1476350},"msg":"Decision Log","path":"tasks/allow","requested_by":"172.23.0.14:39018","result":true,"time":"2022-10-03T21:22:15Z","timestamp":"2022-10-03T21:22:15.808148323Z","type":"openpolicyagent.org/decision_logs"}
{"client_addr":"172.23.0.14:39018","level":"info","msg":"Sent response.","req_id":21,"req_method":"POST","req_path":"/v1/data/tasks/allow","resp_bytes":68,"resp_duration":1.758158,"resp_status":200,"time":"2022-10-03T21:22:15Z"}

It seems strange to me, that when executing a serverless function on only one image in a job, we have request with the "path" equals "tasks/allow". Why is it going to "tasks/allow", shouldn't it go to "jobs/allow", @nmanovic or @bsekachev ? Could you fix it, please?

P.S.
In the second case I've also tried to make "Automatic annotation" for the whole task, but got the error (Could not infer model for the task 46 Error: Request failed with status code 403. {"detail":"You do not have permission to perform this action."}.) and the following logs in cvat_opa:

{"client_addr":"172.23.0.14:56918","level":"info","msg":"Received request.","req_id":51,"req_method":"POST","req_path":"/v1/data/lambda/allow","time":"2022-10-03T21:26:48Z"}
{"decision_id":"cd9cedb9-dffe-4e55-94a6-5ee7f4bee3fa","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":null,"scope":"call:offline"},"labels":{"id":"4c237a78-9aa2-4ac2-b3fc-2fdf3336f7d6","version":"0.34.2"},"level":"info","metrics":{"counter_server_query_cache_hit":1,"timer_rego_input_parse_ns":94255,"timer_rego_query_eval_ns":778059,"timer_server_handler_ns":940245},"msg":"Decision Log","path":"lambda/allow","requested_by":"172.23.0.14:56918","result":false,"time":"2022-10-03T21:26:48Z","timestamp":"2022-10-03T21:26:48.800142299Z","type":"openpolicyagent.org/decision_logs"}
{"client_addr":"172.23.0.14:56918","level":"info","msg":"Sent response.","req_id":51,"req_method":"POST","req_path":"/v1/data/lambda/allow","resp_bytes":69,"resp_duration":1.449148,"resp_status":200,"time":"2022-10-03T21:26:48Z"}

The latter problem was fixed with adding this user to the business group in the admin panel.
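The pairs of decisions quoted above are easiest to read once the decision-log lines are reduced to path, scope, result and the resource fields that the policy keys on. The following is an added example, not CVAT's own code, that does that triage over a constructed sample modeled on the cvat_opa lines posted in this comment (trimmed to the fields the triage needs; the decision ids are placeholders). It separates "Decision Log" entries from the surrounding request/response lines, tolerates non-JSON noise, and reports which policy path denied the call and whether the resource had an assignee at the time.

```python
# Added example, not CVAT's own code: triage for `docker logs cvat_opa`
# output. SAMPLE_LOG is a constructed sample modeled on the decision-log
# lines quoted in the thread; decision ids "d1".."d4" are placeholders and
# metrics/labels fields are omitted because the triage does not use them.
import json
from typing import Iterable, List, Optional

SAMPLE_LOG = """\
{"level":"info","msg":"Received request.","req_id":1,"req_path":"/v1/data/lambda/allow"}
{"decision_id":"d1","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":null,"scope":"call:online"},"level":"info","msg":"Decision Log","path":"lambda/allow","result":true,"time":"2022-10-03T21:16:58Z"}
{"level":"info","msg":"Sent response.","req_id":1,"resp_status":200}
{"decision_id":"d2","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":{"assignee":{"id":null},"id":45,"organization":{"id":1},"owner":{"id":1}},"scope":"view:data"},"level":"info","msg":"Decision Log","path":"tasks/allow","result":false,"time":"2022-10-03T21:16:58Z"}
{"decision_id":"d3","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":{"assignee":{"id":2},"id":46,"organization":{"id":1},"owner":{"id":1}},"scope":"view:data"},"level":"info","msg":"Decision Log","path":"tasks/allow","result":true,"time":"2022-10-03T21:22:15Z"}
{"decision_id":"d4","input":{"auth":{"organization":{"id":1,"owner":{"id":1},"user":{"role":"worker"}},"user":{"id":2,"privilege":"user"}},"resource":null,"scope":"call:offline"},"level":"info","msg":"Decision Log","path":"lambda/allow","result":false,"time":"2022-10-03T21:26:48Z"}
this line is not JSON and must be skipped
"""


def decisions(lines: Iterable[str]) -> List[dict]:
    """Reduce OPA 'Decision Log' entries to the fields the CVAT rules key on."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # docker log noise, non-JSON lines
        if rec.get("msg") != "Decision Log":
            continue  # "Received request." / "Sent response." lines
        inp = rec.get("input") or {}
        auth = inp.get("auth") or {}
        user = auth.get("user") or {}
        org = auth.get("organization") or {}
        res = inp.get("resource") or {}  # null for lambda/* decisions
        out.append({
            "decision_id": rec.get("decision_id"),
            "time": rec.get("time"),
            "path": rec.get("path"),
            "scope": inp.get("scope"),
            "result": rec.get("result"),
            "user_id": user.get("id"),
            "privilege": user.get("privilege"),
            "org_role": (org.get("user") or {}).get("role"),
            "resource_id": res.get("id"),
            "assignee_id": (res.get("assignee") or {}).get("id"),
        })
    return out


def denials(lines: Iterable[str]) -> List[dict]:
    """Only the decisions that produced result=false, i.e. the 403s."""
    return [d for d in decisions(lines) if d["result"] is False]


def summarize(d: dict) -> str:
    """One line per decision, suitable for pasting into an issue."""
    verdict = "ALLOW" if d["result"] else "DENY"
    return (f"{d['decision_id']} {verdict} {d['path']} scope={d['scope']} "
            f"user={d['user_id']} privilege={d['privilege']} "
            f"org_role={d['org_role']} resource={d['resource_id']} "
            f"assignee={d['assignee_id']}")


def first_denial_path(lines: Iterable[str]) -> Optional[str]:
    """Which policy package rejected the request first, or None if none did."""
    den = denials(lines)
    return den[0]["path"] if den else None


if __name__ == "__main__":
    for d in decisions(SAMPLE_LOG.splitlines()):
        print(summarize(d))
```

On the sample the two denials come out as tasks/allow with scope view:data on a task whose assignee is null, and lambda/allow with scope call:offline; the second pair of task decisions shows the same user allowed once the task has assignee id 2, which is the behaviour the comment describes.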

@alex4men
Contributor

alex4men commented Oct 3, 2022

As a temporary solution I made this modification to the cvat/apps/iam/rules/tasks.rego

# git diff cvat/apps/iam/rules/tasks.rego
diff --git a/cvat/apps/iam/rules/tasks.rego b/cvat/apps/iam/rules/tasks.rego
index 639a8bb2..3b2585ce 100644
--- a/cvat/apps/iam/rules/tasks.rego
+++ b/cvat/apps/iam/rules/tasks.rego
@@ -75,6 +75,11 @@ is_task_staff {
     is_task_assignee
 }

+is_task_staff {
+    input.auth.organization.id == input.resource.organization.id
+    utils.has_perm(utils.USER)
+}
+
 default allow = false

 allow {
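Review bot: the new is_task_staff body makes every organization member with USER privilege "staff" on every task in that organization, not just on the job that was assigned to them, so any rule in tasks.rego that keys on is_task_staff is widened, not only the view:data check that the AI Tools call trips over. If the goal is to let a job assignee run a model on their own job, the narrower fix is to check the job's assignee (or the task assignment that the call is actually exercising) rather than organization membership plus privilege. One property worth a comment in the hunk: the comparison `input.auth.organization.id == input.resource.organization.id` is undefined when either organization is null, so the body fails closed for personal-workspace requests, which is the behaviour you want here.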

Now our annotators could use AI Tools in their jobs, without adding them to the admin group with dangerous rights. Removing annotators from the admins also helped to clean up their Jobs page, now they see jobs assigned only to them.

@aliu-dm
Author

aliu-dm commented Oct 4, 2022

@hadi-ghnd

In the admin panel, once you select a user as shown here.
[screenshot]

@alex4men Thanks for the temporary fix! It worked for me as well.

@hadign20

hadign20 commented Oct 4, 2022

@aliu-dm Thank you.

After I login and hover over my name, there is no option called "Admin Page".

[screenshot]

I probably have done something wrong with Django.

@bsekachev
Member

@aliu-dm

Looks like this account is not a superuser.
You can create one more superuser using python manage.py createsuperuser command in the container.

@hadign20

hadign20 commented Oct 4, 2022

@bsekachev Thank you. This solved my problem.

@alex4men
Contributor

alex4men commented Nov 4, 2022

@yasakova-anastasia why did you close it?) It's not solved properly yet.

Still waiting for the answer from @bsekachev or @nmanovic on the question from the message #4996 (comment):

> It seems strange to me, that when executing a serverless function on only one image in a job, we have request with the "path" equals "tasks/allow". Why is it going to "tasks/allow", shouldn't it go to "jobs/allow", @nmanovic or @bsekachev ?

Is my solution legit, should I make a PR, or is it just a bad smelling kludge?)

@nmanovic nmanovic reopened this Nov 7, 2022
@nmanovic
Contributor

nmanovic commented Nov 7, 2022

@yasakova-anastasia , could you please reproduce and fix if it is a problem on our side?

@zhiltsov-max
Contributor

Hi, I was able to reproduce the problem. Thinking on the fix.

@Answergeng

Hi, I can reproduce the problem.
[screenshot]

@bsekachev
Member

@Answergeng

Please, provide the version you are using.

@Answergeng

2.3.0 from last week

@bsekachev
Member

@Answergeng

Your screenshot has another error, not with 403 code.
Probably you need to restart nuclio_dashboard container or a container with the model.

mikhail-treskin pushed a commit to retailnext/cvat that referenced this issue Jul 1, 2023
Fixes cvat-ai#4996
- Added job access checks for model launches in the interactive mode