Page MenuHomePhabricator
Create Task
Maniphest T216807

Meta Swift container rights incorrect for thumbor user
Closed, ResolvedPublic
Actions

Description

Can't write to wikipedia-meta-local-thumb

Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]: 2019-02-22 10:39:59,713 8822 swiftclient:ERROR Object PUT failed: https://ms-fe.svc.eqiad.wmnet/v1/AUTH_mw/wikipedia-meta-local-thumb/7/7e/Vector_search_icon.svg/12px-Vector_search_icon.svg.png.webp 403 Forbidden  [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]: Traceback (most recent call last):
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]:   File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 1647, in _retry
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]:     service_token=self.service_token, **kwargs)
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]:   File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 1298, in put_object
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]:     raise ClientException.from_response(resp, 'Object PUT failed', body)
Feb 22 10:39:59 thumbor1004 thumbor@8822[1101]: ClientException: Object PUT failed: https://ms-fe.svc.eqiad.wmnet/v1/AUTH_mw/wikipedia-meta-local-thumb/7/7e/Vector_search_icon.svg/12px-Vector_search_icon.svg.png.webp 403 Forbidden  [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resource

Related Objects
Search...

Event Timeline

Gilles created this task.Feb 22 2019, 10:43 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 22 2019, 10:43 AM
Gilles added a comment.Feb 22 2019, 10:44 AM

This probably went unnotticed before because new thumbnails on meta must have been rare, until webp came around.

fgiunchedi added a comment.Feb 22 2019, 11:09 AM

Indeed, thumbor didn't have write access in eqiad but it did in codfw for wikipedia-meta-local-thumb.

I've fixed the permissions now with swift post -w 'mw:media,mw:thumbor' -r 'mw:media,.r:*,mw:thumbor' wikipedia-meta-local-thumb although I wonder how that could have happened since setZoneAccess.php should have done the right thing for all containers, unless changed manually in eqiad only.

jijiki added projects: SRE, serviceops.Feb 22 2019, 11:36 AM
jijiki added a parent task: T214597: Thumbor upgrade to stretch plan.
jijiki closed this task as Resolved.Feb 22 2019, 7:54 PM

Will reopen if we run into this again, works for now.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL