
#10725 closed defect (fixed)

B2 fails with app key limited to specific buckets

Reported by: im.thatoneguy
Owned by: dkocher
Priority: high
Milestone: 7.0.1
Component: b2
Version: 7.0
Severity: blocker
Keywords:
Cc:
Architecture:
Platform: Windows 10

Description (last modified by im.thatoneguy)

Regression from <7.0

When opening connection, b2_list_buckets will fail if the app key in-use is limited to one bucket. 6.9 would list one bucket, 7.0 errors and breaks authorization flow.

Reproduction:
1) Create B2 app key limited to one bucket
2) Attempt connection

POST /b2api/v2/b2_list_buckets HTTP/1.1

Error: 401 Listing Directory / Failed

https://www.backblaze.com/b2/docs/application_keys.html#usingRestrictedKeys

Most of the API calls that deal with buckets or files use a bucketId to identify a bucket. But, when using an application key that restricts access to just one bucket, you can't use b2_list_buckets to list all the buckets.

When there is a bucket restriction, the bucketId and the bucketName for that bucket are in the response from b2_authorize_account in the allowed section. You can then use that bucketId in all of your later calls.

Change History (11)

comment:1 Changed on Jun 5, 2019 at 7:43:01 PM by dkocher

  • Version set to 7.0

comment:2 Changed on Jun 5, 2019 at 7:43:31 PM by dkocher

  • Milestone set to 7.1
  • Owner set to dkocher
  • Status changed from new to assigned

comment:3 Changed on Jun 6, 2019 at 9:33:22 AM by dkocher

What capabilities do you have assigned to the application key? Please post the transcript from the log drawer (⌘-L).

comment:4 Changed on Jun 6, 2019 at 9:35:18 AM by dkocher

I cannot reproduce this issue with an application key with the capabilities listBuckets, listFiles, readFiles, shareFiles.

comment:5 Changed on Jun 6, 2019 at 4:20:47 PM by im.thatoneguy

  • Description modified (diff)
  • Summary changed from B2 can't login in 7.00+ to B2 fails with app key limited to specific buckets

Traced it. The application keys were limited to a single bucket. An application key with "All" for buckets works. An application key with just one bucket fails. Probably on the new apiv2 list buckets?

capabilities: deleteFiles, listBuckets, listFiles, readFiles, shareFiles, writeFiles

Old Flow 6.9


GET /b2api/v1/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 608
Date: Thu, 06 Jun 2019 15:54:41 GMT
POST /b2api/v1/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/6.9.4.30164 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 279
Date: Thu, 06 Jun 2019 15:54:42 GMT

7.00 connection flow

[Window Title]
Error

[Main Instruction]
Listing directory / failed.

[Content]
Please contact your web hosting service provider for assistance.

[Expanded Information]
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:25 GMT
GET /b2api/v2/b2_authorize_account HTTP/1.1
Authorization: ********
Host: api.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 200 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 576
Date: Thu, 06 Jun 2019 16:02:30 GMT
POST /b2api/v2/b2_list_buckets HTTP/1.1
Authorization: ********
Content-Length: 28
Content-Type: application/json; charset=UTF-8
Host: api000.backblazeb2.com
Connection: Keep-Alive
User-Agent: Cyberduck/7.0.0.30869 (Windows 10/10.0) (x86)
Accept-Encoding: gzip,deflate
HTTP/1.1 401 
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json;charset=utf-8
Content-Length: 62
Date: Thu, 06 Jun 2019 16:02:30 GMT


[^] Hide details  [Try Again] [Cancel]

[Footer]
Help
Last edited on Jun 6, 2019 at 4:23:56 PM by im.thatoneguy (previous) (diff)

comment:6 Changed on Jun 6, 2019 at 5:02:46 PM by im.thatoneguy

Ok there is a change in the API in v2.

v2: Remove application key workaround (Sept 13, 2018)
Listing buckets will always return all buckets, unless you ask for just one by specifying bucketName or bucketId. '''If you ask for all buckets and your application key is restricted to one bucket, the call is unauthorized.'''

I see though in the Authorize response JSON it does return:

 "allowed": {
        "bucketId": "****",
        "bucketName": "AAABCC",

So that you don't need to actually call the list_buckets separately.

comment:7 Changed on Jun 6, 2019 at 5:09:28 PM by im.thatoneguy

  • Description modified (diff)

comment:8 Changed on Jun 8, 2019 at 12:40:00 AM by im.thatoneguy

Opened a SynapticLoop backblaze-b2-java-api ticket. Looks like the error is ultimately with its handling of the login flow.

https://github.com/synapticloop/backblaze-b2-java-api/issues/41

Need to add the "allowed" field to the client object. And list_buckets needs to conditionally check for something like getAllowedBuckets() length !> 0 before submitting a request.

Could you feasibly just use the /v1/ api for just the list_buckets command? Since it doesn't fail in 6.9? Easy band-aid solution?
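
Added example, not part of the ticket and not Cyberduck's or backblaze-b2-java-api's code: a sketch of the client-side handling discussed in comment:6 and comment:8, where a bucket-restricted key is served from the "allowed" section of the b2_authorize_account response instead of an unfiltered b2_list_buckets call. The function names, the post transport callable, the fake server and all sample values are hypothetical; treating a null bucketName as "bucket no longer exists" is an assumption.

```python
# Added example. Field names follow the B2 v2 responses quoted in the ticket;
# every value below is a constructed placeholder.
RESTRICTED = {
    "accountId": "000000000000",
    "apiUrl": "https://api000.backblazeb2.com",
    "allowed": {"capabilities": ["listBuckets", "listFiles"],
                "bucketId": "BUCKET_ID_PLACEHOLDER", "bucketName": "AAABCC"},
}
UNRESTRICTED = {**RESTRICTED, "allowed": {"capabilities": ["listBuckets"],
                                           "bucketId": None, "bucketName": None}}


def list_buckets_body(auth):
    """Build the b2_list_buckets request body, scoped to what the key allows."""
    body = {"accountId": auth["accountId"]}
    bucket_id = (auth.get("allowed") or {}).get("bucketId")
    if bucket_id:
        # v2 rejects an unfiltered listing from a bucket-restricted key.
        body["bucketId"] = bucket_id
    return body


def visible_buckets(auth, post):
    """Return [(bucketId, bucketName)] for this key.

    `post(url, body)` is a hypothetical transport callable returning
    (status, parsed_json). A restricted key is answered from `allowed`
    without any request; otherwise b2_list_buckets is called.
    """
    allowed = auth.get("allowed") or {}
    if allowed.get("bucketId"):
        if allowed.get("bucketName") is None:
            return []  # assumption: the restricted bucket no longer exists
        return [(allowed["bucketId"], allowed["bucketName"])]
    status, data = post(auth["apiUrl"] + "/b2api/v2/b2_list_buckets",
                        list_buckets_body(auth))
    if status != 200:
        raise PermissionError(f"b2_list_buckets failed with HTTP {status}")
    return [(b["bucketId"], b["bucketName"]) for b in data["buckets"]]


def fake_b2(restricted_to):
    """Constructed stand-in for the server rule quoted in comment:6."""
    def post(url, body):
        if restricted_to and body.get("bucketId") != restricted_to:
            return 401, {"code": "unauthorized"}
        return 200, {"buckets": [{"bucketId": "b1", "bucketName": "one"}]}
    return post
```

Scoping the listing to allowed.bucketId keeps the application key least-privilege; the alternative of issuing an "All buckets" key just to make the listing succeed widens what a leaked key can reach.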

comment:10 Changed on Jun 8, 2019 at 7:47:18 AM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r47199.

comment:11 Changed on Jun 19, 2019 at 12:05:35 PM by dkocher

  • Milestone changed from 7.1 to 7.0.1