[FOLIO-2945] Create ldp report user on reference environments Created: 05/Jan/21  Updated: 03/Aug/21

Status: In Progress
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Story Priority: TBD
Reporter: Ian Hardy Assignee: Ian Hardy
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: changed-perms.txt
Issue links:
Relates
relates to FOLIO-3027 Request creation of an ldp_admin account Open
relates to UIU-2075 "visible: false" permissions are inad... Closed
Sprint: DevOps: Sprint 105, DevOps Sprint 109, DevOps Sprint 107, DevOps Sprint 108, DevOps Sprint 106
Development Team: FOLIO DevOps

 Description   

From Nassib Nassar

Hello, I think we are seeing again a problem that was discussed here on Nov. 24, which is 403 errors connecting to interfaces in:

mod-email
mod-feesfines
mod-finance-storage
mod-inventory-storage
mod-invoice-storage
mod-orders-storage
mod-organizations-storage

In November the problem was missing permissions for diku_admin, although it was not clear why the permissions had stopped being assigned during the build. The symptoms here appear to be identical. The problem prevents reporting SMEs from working on FOLIO report development. Thank you for any assistance.



 Comments   
Comment by Nassib Nassar [ 05/Jan/21 ]

To clarify, this problem is observed with folio-snapshot which is the data source used for the reporting reference environment.

Comment by Ian Hardy [ 05/Jan/21 ]

Hi Nassib, the permissions look OK to me. I didn't check every module, but got a fresh token for diku admin and was able to use it to get things like /item-storage/items and /feefines without problems. Where specifically are you seeing this 403?

Comment by Nassib Nassar [ 05/Jan/21 ]

The problem appears to have been fixed.

The details were the same as in the Nov. 24 thread and affected the same interfaces:

Response code: mod-email: /email: 403
Response code: mod-feesfines: /transfer-criterias: 403
Response code: mod-finance-storage: /finance-storage/budgets: 403
Response code: mod-finance-storage: /finance-storage/fiscal-years: 403
Response code: mod-finance-storage: /finance-storage/fund-types: 403
Response code: mod-finance-storage: /finance-storage/funds: 403
Response code: mod-finance-storage: /finance-storage/group-fund-fiscal-years: 403
Response code: mod-finance-storage: /finance-storage/groups: 403
Response code: mod-finance-storage: /finance-storage/ledger-fiscal-years: 404
Response code: mod-finance-storage: /finance-storage/ledgers: 403
Response code: mod-finance-storage: /finance-storage/transactions: 403
Response code: mod-inventory-storage: /instance-storage/instance-relationships: 403
Response code: mod-invoice-storage: /invoice-storage/invoice-lines: 403
Response code: mod-invoice-storage: /invoice-storage/invoices: 403
Response code: mod-invoice-storage: /voucher-storage/voucher-lines: 403
Response code: mod-invoice-storage: /voucher-storage/vouchers: 403
Response code: mod-orders-storage: /acquisitions-units-storage/memberships: 403
Response code: mod-orders-storage: /acquisitions-units-storage/units: 403
Response code: mod-orders-storage: /orders-storage/alerts: 403
Response code: mod-orders-storage: /orders-storage/order-templates: 403
Response code: mod-orders-storage: /orders-storage/po-lines: 403
Response code: mod-orders-storage: /orders-storage/purchase-orders: 403
Response code: mod-orders-storage: /orders-storage/receiving-history: 403
Response code: mod-orders-storage: /orders-storage/reporting-codes: 403
Response code: mod-organizations-storage: /organizations-storage/organizations: 403

Comment by Ian Hardy [ 05/Jan/21 ]

Nassib reports it only seems to have occurred on certain days: Dec. 3, 17, 28, 30, and Jan 4. Difficult to reconstruct, but happening enough that it's probably worth looking into. Nassib will review LDP logs, if we're still in the dark, set up a Jenkins job to:

1. Login as diku_admin
2. get all permissions assigned to diku_admin and log them
3. try a get on some of the affected interfaces listed above and fail if 403. Send email to Ian and Nassib.

Comment by Nassib Nassar [ 18/Feb/21 ]

This was seen again on February 9, and is active again today (February 18).

Comment by Nassib Nassar [ 24/Feb/21 ]

This is active again today (February 24).

Comment by Nassib Nassar [ 12/Mar/21 ]

This is active again today (March 12).

Comment by Ian Hardy [ 12/Mar/21 ]

Zak Burke suggested this is happening when you edit diku_admin's perms in the UI. Perms that aren't visible don't get preserved when you save. I re-ran the tenant-admin-perms role. Attaching output here. Lines that start with "skipping" mean that permission was never lost; lines starting with "changed" mean the permission needed to be restored. changed-perms.txt
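
Added example (not part of the ticket and not FOLIO project code): the check proposed in the 05/Jan/21 comment, run offline over probe output in the "Response code:" format quoted above, extended with a diff of the admin user's permission snapshot against a baseline so that permissions dropped by a UI save show up by name. The function names, the baseline list and the permission names are assumptions made for illustration; the sample log is constructed.

```python
import re
import sys
from collections import defaultdict

# Format of the probe lines quoted in this ticket:
#   Response code: <module>: <path>: <status>
LINE_RE = re.compile(
    r"^Response code: (?P<module>[\w-]+): (?P<path>/\S*): (?P<status>\d{3})$")

def parse_probe_log(text):
    """Return [(module, path, status)] from probe output; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m["module"], m["path"], int(m["status"])))
    return results

def evaluate(results, baseline_perms, current_perms):
    """Classify probe results and diff the permission snapshot against a baseline."""
    denied = defaultdict(list)  # 403: authorization denied (permission not assigned)
    other = []                  # e.g. 404: a different failure, reported separately
    for module, path, status in results:
        if status == 403:
            denied[module].append(path)
        elif status >= 400:
            other.append((module, path, status))
    baseline, current = set(baseline_perms), set(current_perms)
    return {
        "denied": dict(denied),
        "other_errors": other,
        "missing_perms": sorted(baseline - current),     # lost since the baseline
        "unexpected_perms": sorted(current - baseline),  # granted outside the baseline
        "ok": not denied and baseline <= current,
    }

# Constructed sample: three lines in the ticket's format plus one constructed 200 line.
SAMPLE_LOG = """\
Response code: mod-email: /email: 403
Response code: mod-finance-storage: /finance-storage/ledger-fiscal-years: 404
Response code: mod-finance-storage: /finance-storage/funds: 403
Response code: mod-inventory-storage: /item-storage/items: 200
"""
# Hypothetical permission names, constructed for this example.
BASELINE = ["example.email.read", "example.funds.read", "example.items.read"]
CURRENT = ["example.items.read"]

if __name__ == "__main__":
    report = evaluate(parse_probe_log(SAMPLE_LOG), BASELINE, CURRENT)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["ok"] else 1)  # non-zero exit fails the CI job
```

Run as a scheduled job, the non-zero exit marks the build failed, and the `missing_perms` list gives the permissions to restore.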

Comment by Ian Hardy [ 18/Mar/21 ]

Zak has opened UIU-2075 to address the permissions issue. We'll create a separate ldp user w/read-only permissions to avoid any problems w/using the tenant admin user.

Comment by Jakub Skoczen [ 13/Apr/21 ]

Ian Hardy is this closed?

Generated at Thu Feb 08 23:24:25 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.