Forbidden error from source-record-storage obtained for full harvesting request on ECS bugfest Eureka environment for SRS record source
Description
Environment
CSP Request Details
CSP Rejection Details
Potential Workaround
Estimation Notes and Assumptions
RCA Group Details
Attachments
Checklist
hideActivity
Tatsiana HryhoryevaDecember 3, 2024 at 1:34 PM
Verified on https://folio-etesting-snapshot-consortium.ci.folio.org/ environment, works as expected
response from College tenant (in Settings > OAI-PMH > Behavior set “Record source“ to “Source records storage“)
response from University tenant (in Settings > OAI-PMH > Behavior set “Record source“ to “Source records storage and Inventory“)
Tatsiana HryhoryevaDecember 3, 2024 at 1:11 PM
Verified on https://eureka-bugfest-ramsons-consortium.int.aws.folio.org/ environment, works as expected - for all 11 tenants (with different oai-pmh settings) successful response is obtained, harvested records are included in the response
Oleksii PetrenkoDecember 3, 2024 at 9:42 AM
Issue related to Cross tenant requests
Please retest on Snapshot and Eureka BF ENV
Oleksii PetrenkoNovember 28, 2024 at 9:59 AM
Look like the same issue in sidecars related to integration of Congressional loans
Mikita SiadykhNovember 27, 2024 at 12:02 PMEdited
some findings (thanks to ):
1. most likely issue comes from cross-tenant request from member tenant to central tenant to retrieve SRS record for shared instance
2. shadow user exists in central tenant and is active
3. capabilities from module permissions were assigned manually to the user role, but didn’t help
tokens were fresh and not cached (FSE team restarted edge-oai-pmh and mod-oai-pmh)
token is valid (logged it on dev rancher to see what is passed to SRS client: valid edge user token from member tenant to make a call in central tenant)
would be grateful for any other ideas to check, but for now it still looks like Eureka issue as cross-tenant requests (with permissions from module permissions) is must have functionality for ECS
cc as it blocks many test cases
Details
Assignee
Tatsiana HryhoryevaTatsiana HryhoryevaReporter
Tatsiana HryhoryevaTatsiana HryhoryevaDevelopment Team
EurekaRelease
Ramsons (R2 2024) Bug FixRCA Group
Not a bug anymoreStory Points
0Sprint
NonePriority
P1TestRail: Cases
Open TestRail: CasesTestRail: Runs
Open TestRail: Runs
Details
Details
Assignee
Tatsiana HryhoryevaReporter
Tatsiana HryhoryevaDevelopment Team
Release
RCA Group
Story Points
Sprint
Priority
P1TestRail: Cases
TestRail: Runs
The issue is reproduced on ECS Eureka environment
on Member tenant (e.g. college) in Settings > OAI-PMH > Behavior set “Record source“ to “Source records storage“ or “Source records storage and Inventory“
send full harvesting OAI-PMH request via Postman (by edge-user) GET {{edge-url}}/oai/records?verb=ListRecords&metadataPrefix=marc21_withholdings&apiKey={{apiKey}}
check the response
Expected result: successful response is obtained, harvested records are included in the response
Actual result:
<error code="noRecordsMatch">Got error response from source-record-storage, uri: '/source-storage/source-records' message: Forbidden</error>Additional information:
the issue is not reproduced on ECS bugfest okapi environment
The issue causes fail for Central tenant harvesting as well
This issue is also active on https://folio-etesting-snapshot-consortium.ci.folio.org/