Opened on Jun 5, 2019 at 7:03:32 PM
Closed on Jun 8, 2019 at 7:47:18 AM
Last modified on Jun 19, 2019 at 12:05:35 PM
#10725 closed defect (fixed)
B2 fails with app key limited to specific buckets
Reported by: | im.thatoneguy | Owned by: | dkocher |
---|---|---|---|
Priority: | high | Milestone: | 7.0.1 |
Component: | b2 | Version: | 7.0 |
Severity: | blocker | Keywords: | |
Cc: | | Architecture: | |
Platform: | Windows 10 | | |
Description (last modified by im.thatoneguy)
Regression from <7.0
When opening connection, b2_list_buckets will fail if the app key in-use is limited to one bucket. 6.9 would list one bucket, 7.0 errors and breaks authorization flow.
Reproduction:
1) Create B2 app key limited to one bucket
2) Attempt connection

POST /b2api/v2/b2_list_buckets HTTP/1.1
Error: 401 Listing Directory / Failed
https://www.backblaze.com/b2/docs/application_keys.html#usingRestrictedKeys
Most of the API calls that deal with buckets or files use a bucketId to identify a bucket. But, when using an application key that restricts access to just one bucket, you can't use b2_list_buckets to list all the buckets. When there is a bucket restriction, the bucketId and the bucketName for that bucket are in the response from b2_authorize_account in the allowed section. You can then use that bucketId in all of your later calls.
Change History (11)
comment:1 Changed on Jun 5, 2019 at 7:43:01 PM by dkocher
- Version set to 7.0
comment:2 Changed on Jun 5, 2019 at 7:43:31 PM by dkocher
- Milestone set to 7.1
- Owner set to dkocher
- Status changed from new to assigned
comment:3 Changed on Jun 6, 2019 at 9:33:22 AM by dkocher
comment:4 Changed on Jun 6, 2019 at 9:35:18 AM by dkocher
I cannot reproduce this issue with an application key with the capabilities listBuckets, listFiles, readFiles, shareFiles.
comment:5 Changed on Jun 6, 2019 at 4:20:47 PM by im.thatoneguy
- Description modified (diff)
- Summary changed from B2 can't login in 7.00+ to B2 fails with app key limited to specific buckets
Traced it. The application keys were limited to a single bucket. An application key with "All" for buckets works. An application key with just one bucket fails. Probably on the new apiv2 list buckets?
capabilities: deleteFiles, listBuckets, listFiles, readFiles, shareFiles, writeFiles
Old Flow 6.9
```
GET /b2api/v1/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate

HTTP/1.1 200
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 608
Date: Thu, 06 Jun 2019 15:54:41 GMT

POST /b2api/v1/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate

HTTP/1.1 200
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 279
Date: Thu, 06 Jun 2019 15:54:42 GMT
```
7.00 connection flow
```
[Window Title] Error
[Main Instruction] Listing directory / failed.
[Content] Please contact your web hosting service provider for assistance.
[Expanded Information]

POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate

HTTP/1.1 401
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:25 GMT

GET /b2api/v2/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate

HTTP/1.1 200
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 576
Date: Thu, 06 Jun 2019 16:02:30 GMT

POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate

HTTP/1.1 401
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:30 GMT

[^] Hide details [Try Again] [Cancel]
[Footer] Help
```
comment:6 Changed on Jun 6, 2019 at 5:02:46 PM by im.thatoneguy
Ok there is a change in the API in v2.
v2: Remove application key workaround (Sept 13, 2018) Listing buckets will always return all buckets, unless you ask for just one by specifying bucketName or bucketId. **If you ask for all buckets and your application key is restricted to one bucket, the call is unauthorized.**
I see though in the Authorize response JSON it does return:
"allowed": { "bucketId": "****", "bucketName": "AAABCC",
So that you don't need to actually call the list_buckets separately.
comment:7 Changed on Jun 6, 2019 at 5:09:28 PM by im.thatoneguy
- Description modified (diff)
comment:8 Changed on Jun 8, 2019 at 12:40:00 AM by im.thatoneguy
Opened a SynapticLoop backblaze-b2-java-api ticket. Looks like the error is ultimately with its handling of the login flow.
https://github.com/synapticloop/backblaze-b2-java-api/issues/41
Need to add the "allowed" field to the client object. And list_buckets needs to conditionally check for a like getAllowedBuckets() length !> 0 before submitting a request.
Could you feasibly just use the /v1/ api for just the list_buckets command? Since it doesn't fail in 6.9? Easy band-aid solution?
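The flow described in comments 6 and 8 and in the Backblaze documentation quoted in the description, as an added example that is not part of the ticket and is not Cyberduck or backblaze-b2-java-api code: read `allowed` from the b2_authorize_account response and scope the b2_list_buckets body to that bucket. The response values, the function names and the `model_v2_status` stand-in for the service are constructed for illustration.

```python
import json

# Constructed b2_authorize_account v2 responses; every value is a placeholder.
RESTRICTED = {
    "accountId": "000000000000",
    "apiUrl": "https://api000.backblazeb2.com",
    "allowed": {"bucketId": "bucket-id-placeholder", "bucketName": "AAABCC"},
}
UNRESTRICTED = {
    "accountId": "000000000000",
    "apiUrl": "https://api000.backblazeb2.com",
    "allowed": {"bucketId": None, "bucketName": None},
}


def restricted_bucket(auth):
    """Return the bucket a key is limited to, or None for an all-buckets key."""
    allowed = auth.get("allowed") or {}
    if allowed.get("bucketId"):
        return {"bucketId": allowed["bucketId"],
                "bucketName": allowed.get("bucketName")}
    return None


def list_buckets_body(auth, scope_to_allowed=True):
    """JSON body for POST /b2api/v2/b2_list_buckets."""
    body = {"accountId": auth["accountId"]}
    bucket = restricted_bucket(auth)
    if scope_to_allowed and bucket:
        # Ask only for the bucket the key is permitted to see.
        body["bucketId"] = bucket["bucketId"]
    return json.dumps(body)


def model_v2_status(auth, body_json):
    """Toy model of the v2 rule quoted in comment 6 (not the real service):
    a bucket-restricted key that asks for all buckets is unauthorized."""
    body = json.loads(body_json)
    asks_for_one = "bucketId" in body or "bucketName" in body
    if restricted_bucket(auth) and not asks_for_one:
        return 401
    return 200
```

Calling `list_buckets_body(RESTRICTED, scope_to_allowed=False)` reproduces the unscoped request that the 7.0 transcript shows being rejected; a client can also skip the call entirely and use `restricted_bucket()` as its bucket listing.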
comment:9 Changed on Jun 8, 2019 at 7:46:59 AM by dkocher
comment:10 Changed on Jun 8, 2019 at 7:47:18 AM by dkocher
- Resolution set to fixed
- Status changed from assigned to closed
In r47199.
comment:11 Changed on Jun 19, 2019 at 12:05:35 PM by dkocher
- Milestone changed from 7.1 to 7.0.1
What capabilities do you have assigned to the application key? Please post the transcript from the log drawer (⌘-L).