Page MenuHomePhabricator
Create Task
Maniphest T354286

Permission denied for logo on wikibase.dev
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue:

  • Load coffeebase.wikibase.dev in a browser

What happens?:
No logo is visible.

In the network tab we can see:
https://storage.googleapis.com/wikibase-dev-static/sites/54cd077265f81c058d439c3b7b183f89/logos/64.ico is returning a 403 with text

<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).</Details>
</Error>

What should have happened instead?:
Logo should have been visible

Software version (skip for WMF-hosted wikis like Wikipedia):
wikibase.cloud

Other information (browser name/version, screenshots, etc.):

image.png (230×736 px, 15 KB)

Related Objects

Event Timeline

Tarrow created this task.Jan 3 2024, 3:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 3 2024, 3:52 PM
Aklapper added a comment.Jan 3 2024, 5:11 PM

Hi @Tarrow, can you please associate one or more active project tags with this task (via the Add Action...Change Project Tags dropdown)? That will allow to see a task when looking at project workboards or searching for tasks in certain projects, and get notified about a task when watching a related project tag. Thanks!

Nintendofan885 added a project: Wikibase Cloud.Jan 3 2024, 9:59 PM
Fring claimed this task.Jan 18 2024, 7:47 AM
Fring moved this task from Backlog (incoming) to Kanban board Q4 2023 on the Wikibase Cloud board.
Fring edited projects, added Wikibase Cloud (Kanban board Q4 2023); removed Wikibase Cloud.
Fring moved this task from To do to Doing on the Wikibase Cloud (Kanban board Q4 2023) board.
Tarrow added a comment.Jan 18 2024, 8:09 AM

Looking at the object in Google Clouds console it's super unclear why this thing isn't visible.

image.png (835×787 px, 109 KB)

Clicking the public URL link returns that access denied page as you would expect.

The Authenticated URL does work while l'm logged in

Fring moved this task from Doing to In Review on the Wikibase Cloud (Kanban board Q4 2023) board.Jan 18 2024, 12:14 PM

PRs:

Fring removed Fring as the assignee of this task.Jan 18 2024, 12:48 PM
Fring subscribed.
Fring added a comment.Jan 18 2024, 2:26 PM

This ticket is now munged together with https://phabricator.wikimedia.org/T354744 as we rolled back the original changes in order to ship something else.

Fring moved this task from In Review to To do on the Wikibase Cloud (Kanban board Q4 2023) board.Jan 18 2024, 2:44 PM
Fring added a comment.EditedJan 23 2024, 1:11 PM

After working on https://phabricator.wikimedia.org/T354744 I think the brokenness of the logo for coffeebase.wikibase.dev is the result of unwanted manual editing of file level ACLs, and there is nothing to fix on a code level here.

We could however check if it's possible to recursively list all files in a bucket and list their ACLs. In case we find any other broken assets we can then manually fix these.

Fring claimed this task.Jan 23 2024, 1:12 PM
Fring moved this task from To do to Doing on the Wikibase Cloud (Kanban board Q4 2023) board.
Fring added a comment.EditedJan 23 2024, 1:45 PM

I came up with a script for hunting down files with unexpected ACLs:

#!/usr/bin/env node

const fs = require('fs')

;(async () => {
	const stdinBuffer = fs.readFileSync(0)
	const items = JSON.parse(stdinBuffer.toString())
	const objects = items.filter(i => i.type === 'cloud_object')
	const withMalformedAcls = objects.filter((object) => {
		if (!object.metadata || !object.metadata.acl || !Array.isArray(object.metadata.acl)) {
			return true
		}
		const hasProperOwner = object.metadata.acl.some((acl) => {
			return acl.role === 'OWNER' && /wikibase-(dev|cloud)-api@wikibase-cloud\.iam\.gserviceaccount\.com/.test(acl.entity)
		})
		const hasProperReader = object.metadata.acl.some((acl) => {
			return acl.role === 'READER' && acl.entity === 'allUsers'
		})
		return !hasProperOwner || !hasProperReader
	})
	return withMalformedAcls.map((object) => object.metadata.name)
})()
	.then((output) => {
		console.log(output)
	})
	.catch((err) => {
		console.error(err)
		process.exit(1)
	})

which can read the input from gcloud storage ls --recursive --json gs://$BUCKET_NAME.

Unfortunately it seems there are still assets in that bucket where my Google Cloud Account is not allowed to read all object metadata.

Fring added a comment.Jan 23 2024, 2:55 PM

Staging has now been cleaned up manually and has all assets with the expected ACLs

Fring added a comment.Jan 23 2024, 3:03 PM

Production had 3 assets with bad ACLs, all of them being caused by https://github.com/wbstack/api/pull/729

I fixed these manually and now production is clean as well.

I'll put this ticket in review now, waiting a few days until I check the buckets once more. In case results are still empty then, we can consider this done.

Fring removed Fring as the assignee of this task.Jan 23 2024, 3:03 PM
Fring moved this task from Doing to In Review on the Wikibase Cloud (Kanban board Q4 2023) board.
Fring added a comment.Jan 29 2024, 8:49 AM

Things still look ok as of now. Closing this ticket.

Fring moved this task from In Review to Done on the Wikibase Cloud (Kanban board Q4 2023) board.Jan 29 2024, 8:49 AM
Tarrow closed this task as Resolved.Feb 7 2024, 12:06 PM
Tarrow claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL