Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"cf services" is throwing "You are not authorized to perform the requested action" #1344

Closed
sivabalans opened this issue Mar 14, 2018 · 12 comments
Closed

"cf services" is throwing "You are not authorized to perform the requested action" #1344

sivabalans opened this issue Mar 14, 2018 · 12 comments
Labels
accepted

Comments

@sivabalans
Copy link

Command

"cf services"

What occurred

Returns "You are not authorized to perform the requested action" error

What you expected to occur

List the services in my space.

CLI Version

cf version 6.35.0+5c7de3e32.2018-03-08

CC API Endpoint Version

api version: 2.75.0

CF Trace

"cf services -v" returns the following towards the end:
REQUEST: [2018-03-14T13:48:50-07:00]
GET /v2/service_plans/92fd5910-eefb-4f4f-947f-4d90f098f659 HTTP/1.1
Host: api.system.aws-usw02-dev.ice.predix.io
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
User-Agent: cf/6.35.0+5c7de3e32.2018-03-08 (go1.10; amd64 darwin)

RESPONSE: [2018-03-14T13:48:50-07:00]
HTTP/1.1 403 Forbidden
Content-Length: 131
Content-Type: application/json;charset=utf-8
Date: Wed, 14 Mar 2018 20:48:50 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 977c16e5-16fd-4f12-68d9-ffa95dfa1203
X-Vcap-Request-Id: 977c16e5-16fd-4f12-68d9-ffa95dfa1203::84ccb9a8-556c-4891-a6c3-6326349107e5
{
"code": 10003,
"description": "You are not authorized to perform the requested action",
"error_code": "CF-NotAuthorized"
}

Platform & Shell Details

Mac OS X 10.13.3 iTerm2 3.0.15

Any other relevant information

It works fine with CF CLI 6.34 for the same API endpoint.
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/155992614

The labels on this github issue will be updated when the story is started.

@anyu
Copy link
Contributor

anyu commented Mar 14, 2018

Hi @sivabalans, which user roles do you have for this logged in user on this org and space?

You can run the following commands to retrieve this information:
cf org-users ORG
cf space-users ORG SPACE

@sivabalans
Copy link
Author

sivabalans commented Mar 14, 2018 via email

@anyu
Copy link
Contributor

anyu commented Mar 14, 2018

We aren't able to reproduce this bug. Can you post the whole -v output for the services command?

@sivabalans
Copy link
Author

@anyu - There is too much sensitive information in the output of -v. I need to find a way to scrub it before I post it here. But from what I can see, the difference seem to be in the /v2/service_plans/ call. This call is made from v6.35 CLI but the v6.34 CLI does not make this call. And this call is throwing the above error for me.

@anyu
Copy link
Contributor

anyu commented Mar 14, 2018

@sivabalans we were able to reproduce the problem, we're currently looking into solutions right now.

The reason this is happening is because this org/space has an instance of a service that has been disabled for this particular org/space (or the system) that it previously had access to.

A temporary solution (using the newer CLI) is to enable-service-access back to this org. Another option is just to keep using the previously working CLI.

XenoPhex added a commit that referenced this issue Mar 15, 2018
@XenoPhex
handle forbidden errors for service and service plan
de132a5 
[Finishes #155992614, #156021021] (Github Issue #1344)
@n4wei
Copy link
Contributor

n4wei commented Mar 16, 2018

Hi @sivabalans, we may have fixed this issue. Can you please try to reproduce it with a latest edge build of the CF CLI from here?

We will await your feedback before publishing a fix to the community.

@sivabalans
Copy link
Author

sivabalans commented Mar 16, 2018 via email
edited
Loading

@sivabalans
Copy link
Author

Just a quick update. The edge CLI takes 20 seconds to return the results and not 1min and 6 sec as stated originally in the previous comment. I udpated the comment.

@n4wei
Copy link
Contributor

n4wei commented Mar 16, 2018

@sivabalans thank you for verifying this. What you are seeing above is the new expected behavior. Please read on for the explanation.

  1. The services command used to make a single request to a summary endpoint to retrieve information displayed in the service and plan columns. However, the summary endpoint on the API side has a pagination bug that does not allow it to return beyond 50 results. As a result, we are individually getting service and plan information for each service instance and this inherently takes longer.
  2. As a result of individually getting service and plan information, you helped us discover a bug in the API where it returns 403s. After weighing different solutions and tradeoffs, we decided to display the warnings you see above for resources we do not have access to; and display what information we are able to retrieve from the API and still exit 0.

Please feel free to voice any concerns you may have.

@sivabalans
Copy link
Author

@nickwei84 thanks for the explanation. I presume until the pagination bug for the summary endpoint API is fixed, we have to live with those warnings. That should be fine for now.

@n4wei n4wei closed this as completed Mar 16, 2018
@sunqb
Copy link

sunqb commented Sep 26, 2020

how to solve this problem?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
accepted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@anyu @sunqb @cf-gitbot @n4wei @sivabalans