
readOnly properties of create authorization endpoint should not be included in requests. #11714

Closed
gshif opened this issue Feb 6, 2019 · 5 comments

Comments

@gshif
Contributor

gshif commented Feb 6, 2019

The POST request body for the Authorization endpoint has the following elements with readOnly: true properties:
id, token, userID, user, org and links. Since these elements have readOnly set to true, they should only be included in responses and not in requests, but I can pass userID as part of a request and it won't be ignored (as well as user and org), i.e. the same userID that is passed in the request will be returned in the response.

  • Should the swagger doc be changed to remove readOnly properties from userID, user and org?
  • Permission resource can be defined with orgID and org. Since orgID element is already required, should these two elements, orgID and org be removed?

Reference: swagger.yml

@gshif gshif added area/api and removed area/api labels Feb 6, 2019
@goller
Contributor

goller commented Feb 6, 2019

@gshif would you add your request and response JSON structures?

@gshif
Contributor Author

gshif commented Feb 6, 2019

  1. Create a test user:
{"name":"u_1"}
  2. Create a test org:
{"name":"b","status":"active"}
  3. Create an authorization for the above test user:
{
    "orgID":"035c17edbd97a000",
    "userID":"035c1869c297a000",
    "permissions":[
        {
            "action":"write",
            "resource":{"type":"buckets"}
        }
    ]
}
  • Response:
{
    "description": "",
    "id": "035d0f7f1d17a000",
    "links": {
        "self": "/api/v2/authorizations/035d0f7f1d17a000",
        "user": "/api/v2/users/035c1869c297a000"
    },
    "org": "b",
    "orgID": "035c17edbd97a000",
    "permissions": [
        {
            "action": "write",
            "resource": {
                "type": "buckets"
            }
        }
    ],
    "status": "active",
    "token": "d0LBLLShwT7fXBl9tolPz69peR8z_9gUnBkN12QHRK8ExOJyf_iCA85pAvQin-9F6Babhzczzj8KJrcqqro5WQ==",
    "user": "u_1",
    "userID": "035c1869c297a000"
}

@gshif
Contributor Author

gshif commented Feb 6, 2019

If I create an authorization without passing a userID, then the admin user's id and name will be used:

status ----> active
description ---->
links ----> {u'self': u'/api/v2/authorizations/035c21a84f97a000', u'user': u'/api/v2/users/035c17eda4d7a000'}
userID ----> 035c17eda4d7a000
token ----> eFeCnyuJzE-2L3O1hJNRZP2jToM2_UAzWAjD7AxwxsEftd57ZrmVo3bVW7JVJc64jy05YJgpAQlK6jzPcKYYyA==
orgID ----> 035c17edbd97a000
user ----> admin_user
org ----> d
id ----> 035c21a84f97a000
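The two comments above show the security-relevant behaviour: a readOnly property (userID) sent in the create request is honoured, so the caller chooses which user the new token is bound to, while omitting it binds the token to the authenticated caller. The following is an added example, not InfluxDB's code or the fix referenced later in the thread; it shows one way a handler can enforce the swagger readOnly contract: reject any readOnly property present in the body, decode only the writable fields, and take userID from the authenticated identity. The field set is the one named in the issue; the struct and function names (createAuthorizationRequest, decodeCreateAuthorization) and the "default status is active" rule are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// readOnlyAuthorizationFields are the Authorization properties the issue lists
// as readOnly: true in swagger.yml. A create request carrying any of them is
// rejected instead of silently honoured (assumption: reject, not ignore).
var readOnlyAuthorizationFields = []string{"id", "token", "userID", "user", "org", "links"}

// Permission mirrors the permissions element of the request body in the issue.
type Permission struct {
	Action   string            `json:"action"`
	Resource map[string]string `json:"resource"`
}

// createAuthorizationRequest holds only the writable fields. userID is absent
// on purpose: it must come from the authenticated session, never from the body.
type createAuthorizationRequest struct {
	OrgID       string       `json:"orgID"`
	Description string       `json:"description"`
	Status      string       `json:"status"`
	Permissions []Permission `json:"permissions"`
}

// Authorization is the server-side object after binding to the caller
// (hypothetical shape, not the project's type).
type Authorization struct {
	OrgID       string
	UserID      string
	Description string
	Status      string
	Permissions []Permission
}

var ErrReadOnlyField = errors.New("read-only field in request body")

// decodeCreateAuthorization parses body, rejects any readOnly property, and
// binds the new authorization to authenticatedUserID, the identity the request
// was authenticated as (e.g. by session or token middleware).
func decodeCreateAuthorization(body []byte, authenticatedUserID string) (Authorization, error) {
	// First pass over the raw keys so the error names the offending field.
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return Authorization{}, fmt.Errorf("invalid JSON: %w", err)
	}
	for _, f := range readOnlyAuthorizationFields {
		if _, present := raw[f]; present {
			return Authorization{}, fmt.Errorf("%w: %q", ErrReadOnlyField, f)
		}
	}
	// Second pass: strict decode into the writable-only struct.
	// DisallowUnknownFields also rejects any key the schema does not define.
	var req createAuthorizationRequest
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return Authorization{}, fmt.Errorf("invalid request: %w", err)
	}
	if req.OrgID == "" {
		return Authorization{}, errors.New("orgID is required")
	}
	if len(req.Permissions) == 0 {
		return Authorization{}, errors.New("permissions is required")
	}
	if authenticatedUserID == "" {
		return Authorization{}, errors.New("request is not authenticated")
	}
	status := req.Status
	if status == "" {
		status = "active" // assumption: new tokens default to active
	}
	return Authorization{
		OrgID:       req.OrgID,
		UserID:      authenticatedUserID, // bound to the caller, not to the body
		Description: req.Description,
		Status:      status,
		Permissions: req.Permissions,
	}, nil
}

func main() {
	// Constructed inputs using the IDs from the issue: the body that names
	// another user is rejected; the body without userID binds to the caller.
	const caller = "035c17eda4d7a000"
	withUser := []byte(`{"orgID":"035c17edbd97a000","userID":"035c1869c297a000","permissions":[{"action":"write","resource":{"type":"buckets"}}]}`)
	withoutUser := []byte(`{"orgID":"035c17edbd97a000","permissions":[{"action":"write","resource":{"type":"buckets"}}]}`)

	_, err := decodeCreateAuthorization(withUser, caller)
	fmt.Println("with userID:", err)
	a, err := decodeCreateAuthorization(withoutUser, caller)
	fmt.Println("without userID:", a.UserID, a.Status, err)
}
```

The explicit key check before the strict decode is what turns the issue's "it won't be ignored" into a 400 naming the readOnly field; a plain struct decode would have ignored userID silently, which hides the misuse from the client but is still a correct binding.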

@goller
Contributor

goller commented Feb 6, 2019

We'll need to revert this PR:
a3541b2#diff-baac977c6f31754f1f789e8bef5924fcR156

/cc @desa

@goller
Contributor

goller commented Feb 7, 2019

Closed in #11722

@goller goller closed this as completed Feb 7, 2019