PAT is not working for all opal-python-client commands


Ivo Leist

Apr 13, 2021, 10:19:19 AM
to obiba-users

Dear Opal community,

while automating our project administration and report runs we stumbled 
over an unexpected behaviour:

The following opal python client commands only work with username & password
and not with the personal access token (PAT) of our Opal admin account having all rights.

Creating a new project: 
opal project -o $URL -tk $TOKEN -add --name $PROJ

Deleting a project: 
opal rest -v /project/$PROJ -o $URL -tk $TOKEN -m DELETE

Run a report:

echo $JSON |opal rest -v /project/$PROJ/commands/_report -o $URL -tk $TOKEN -m POST -ct "application/json"
 

All these commands run into:
(22, 'The requested URL returned error: 403 Forbidden')

Tested on:
Opal 4.x and Opal 3.x

I have double checked that the token works because in the same script
creating a resource works as expected:
echo $JSON |opal rest -v /project/$PROJ/resources -o $URL -tk $TOKEN -m POST -ct "application/json"

Since I am not sure if that is a bug or a security feature,
I asked here first. If you prefer an issue on
https://github.com/obiba/opal-python-client please let me know.

Best regards,
Ivo

---

Predoc @ Biomedical Genomics group
Centre Nacional d'Anàlisi Genòmica (CNAG)

Centre de Regulació Genòmica (CRG)

Parc Científic de Barcelona-Torre I Baldiri Reixac, 4
08028 Barcelona
Email: ivo....@cnag.crg.eu
web: www.cnag.crg.eu

Yannick Marcon

Apr 13, 2021, 12:02:26 PM
to obiba...@googlegroups.com
Hi,

The PAT is designed so that edit operations on the project itself are forbidden. Then no project can be created, nor deleted/updated. I understand this can be useful for your use case, and it is much more secure to use a PAT than the username/password. This is a feature request; it is quite straightforward to implement, and I can include it in the next opal release.
For the report, I have tested and it works. Make sure you have selected "Report" in the "Project Tasks" section when creating the PAT (and that the corresponding project is in the PAT's scope).

Regards,
Yannick


Ivo Leist

Apr 16, 2021, 11:26:54 AM
to obiba-users
Hi Yannick,

Thank you for the clarification. Since this is a feature request, do you want us to create an issue on
https://github.com/obiba/opal-python-client or do you have an internal issue board?

Regarding running the report:
I can confirm that everything works as expected; the corresponding project was indeed not in the PAT's scope.
Thanks for that hint.

Best regards,
Ivo

Yannick Marcon

Apr 16, 2021, 11:32:50 AM
to obiba...@googlegroups.com
Hi,

There is already an issue, and it is fixed:

Regards,
Yannick
