FQM sends multiple tenant headers when retrieving entity type permissions

Kathleen Moore, December 17, 2024 at 10:46 PM (Edited)
Confirmed cross-tenant queries are now working as expected in Eureka ECS bugfest + Okapi ECS bugfest.
Will you please add a fix version and RCA?

Emma_Haroyan, December 17, 2024 at 2:54 PM
Works as expected on Eureka ECS BF.
All related tickets are also fixed.

Yogesh Kumar, December 17, 2024 at 2:00 PM
- What is the status of this ticket on the EUREKA ECS BF environment?

Emma_Haroyan, December 15, 2024 at 7:20 PM
I am moving the ticket to “In review”, as , and looks good on Eureka ECS Snapshot.

Matt Weaver, December 13, 2024 at 4:34 PM
This was blocked due to environment issues. We’ve got a working env again, and so I was finally able to test and merge this. This ticket addresses the underlying issue from , so it can be tested in the same way: cross-tenant queries should work for non-admin users (also, stuff like the value dropdown should work again).
For my own testing, I created a new user in the Corsair edev env (mweaver/folio) in the central tenant with an affiliation in a member tenant. I also added all of the Lists and FQM permissions (I created a “Lists (all)” role for this), along with the cataloguer role. With this setup, I was able to reproduce the original error. After deploying the fix from this ticket’s branch, the error went away.
In , it was discovered that mod-fqm-manager is sending requests to mod-roles-keycloak with multiple x-okapi-tenant headers (with different case on the headers), which causes problems. We need to not do that.
As part of this, let’s switch the tenant header in ModPermissionsClient and ModRolesKeycloakClient to all lower-case (using the headers defined in XOkapiHeaders from folio-spring-base) and switch to the CrossTenantClient configuration, so that we only send the one tenant header.
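
An added example (not code from mod-fqm-manager or folio-spring-base) of a check for the condition this ticket describes: it collects every tenant header regardless of case and rebuilds the outgoing list with exactly one lower-case x-okapi-tenant, refusing to pick a value when the copies disagree. The class and method names are hypothetical, and the sample headers and tenant ids are constructed.

```java
import java.util.*;

public class TenantHeaderCheck {
  static final String TENANT = "x-okapi-tenant"; // lower-case form named in the ticket

  /** Returns every value sent under the tenant header, matching names case-insensitively. */
  static List<String> tenantValues(List<Map.Entry<String, String>> headers) {
    List<String> values = new ArrayList<>();
    for (Map.Entry<String, String> h : headers) {
      if (h.getKey().equalsIgnoreCase(TENANT)) {
        values.add(h.getValue());
      }
    }
    return values;
  }

  /** Rebuilds the list with exactly one lower-case tenant header; fails if none or if values conflict. */
  static List<Map.Entry<String, String>> withSingleTenant(List<Map.Entry<String, String>> headers) {
    Set<String> distinct = new LinkedHashSet<>(tenantValues(headers));
    if (distinct.size() != 1) {
      throw new IllegalStateException("expected one tenant, got " + distinct);
    }
    List<Map.Entry<String, String>> out = new ArrayList<>();
    for (Map.Entry<String, String> h : headers) {
      if (!h.getKey().equalsIgnoreCase(TENANT)) out.add(h); // keep unrelated headers
    }
    out.add(Map.entry(TENANT, distinct.iterator().next()));
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample: two layers each add the tenant header, with different case.
    List<Map.Entry<String, String>> sent = List.of(
        Map.entry("X-Okapi-Tenant", "central"),
        Map.entry("x-okapi-tenant", "member1"),
        Map.entry("accept", "application/json"));
    System.out.println("tenant values on the wire: " + tenantValues(sent));
    try {
      withSingleTenant(sent); // conflicting tenants must not be silently resolved
    } catch (IllegalStateException e) {
      System.out.println("rejected: " + e.getMessage());
    }
    // Constructed sample: same tenant sent twice under differently cased names.
    List<Map.Entry<String, String>> same = List.of(
        Map.entry("X-Okapi-Tenant", "member1"), Map.entry("x-okapi-tenant", "member1"));
    System.out.println("normalized: " + withSingleTenant(same));
  }
}
```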