2021-12-08 18:35:18 |
Natalia Bidart |
bug |
|
|
added bug |
2021-12-08 18:36:01 |
Natalia Bidart |
snapstore-server: status |
New |
Triaged |
|
2021-12-08 18:36:05 |
Natalia Bidart |
snapstore-server: importance |
Undecided |
Medium |
|
2021-12-08 18:38:32 |
Natalia Bidart |
bug task added |
|
snapd |
|
2021-12-08 18:39:04 |
Natalia Bidart |
description |
We got a customer report saying that they couldn't access snapd revision 13640 by using a command like this one:
UBUNTU_STORE_ID=brand-store-id UBUNTU_STORE_AUTH_DATA_FILENAME=store-viewer.credentials snap download --revision=13640 snapd
I investigated further and the snap store ACL API endpoint was returning "false" for "allowed_by_revision":
{
"user_external_id": "usso:https://login.ubuntu.com/+id/openid-suffix",
"permissions": {
"PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4": {
"allowed_if_private": false,
"allowed_by_revision": false
}
}
}
Checking deep in our backend code, the checks need to consider essential snaps as part of any store.
Separately, the help for `snap download` should be extended to say that any user with store viewer role can access snaps by revision if the snap is available from their store. |
We got a customer report saying that they couldn't access snapd revision 13640 by using a command like this one:
UBUNTU_STORE_ID=brand-store-id UBUNTU_STORE_AUTH_DATA_FILENAME=store-viewer.credentials snap download --revision=13640 snapd
I investigated further and the snap store ACL API endpoint was returning "false" for "allowed_by_revision":
{
"user_external_id": "usso:https://login.ubuntu.com/+id/openid-suffix",
"permissions": {
"PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4": {
"allowed_if_private": false,
"allowed_by_revision": false
}
}
}
Checking deep in our backend code, the checks need to consider essential snaps as part of any store.
Separately, the help for `snap download` should be extended to say that any user with store viewer role can access snaps by revision if the snap is available from their store:
--revision= Download the given revision of a snap, to which you must have developer access |
|
2021-12-08 20:32:45 |
Ian Johnson |
snapd: status |
New |
Incomplete |
|
2021-12-09 12:25:40 |
Natalia Bidart |
description |
We got a customer report saying that they couldn't access snapd revision 13640 by using a command like this one:
UBUNTU_STORE_ID=brand-store-id UBUNTU_STORE_AUTH_DATA_FILENAME=store-viewer.credentials snap download --revision=13640 snapd
I investigated further and the snap store ACL API endpoint was returning "false" for "allowed_by_revision":
{
"user_external_id": "usso:https://login.ubuntu.com/+id/openid-suffix",
"permissions": {
"PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4": {
"allowed_if_private": false,
"allowed_by_revision": false
}
}
}
Checking deep in our backend code, the checks need to consider essential snaps as part of any store.
Separately, the help for `snap download` should be extended to say that any user with store viewer role can access snaps by revision if the snap is available from their store:
--revision= Download the given revision of a snap, to which you must have developer access |
We got a customer report saying that they couldn't access snapd revision 13640 by using a command like this one:
UBUNTU_STORE_ID=brand-store-id UBUNTU_STORE_AUTH_DATA_FILENAME=store-viewer.credentials snap download --revision=13640 snapd
A few months ago, we changed the store ACLs so store viewers could access any previously released revision for any snap available in their store. This change was introduced because when brand store users build their images, they usually need a specific revision of some snaps which is usually the latest revision they have validated, which is in most cases not a currently released one (but certainly was released some time in the past).
This report from the customer showed that we had a bug in our logic, since snapd wasn't allowed to be downloaded. I investigated further and the snap store ACL API endpoint was returning "false" for "allowed_by_revision":
{
"user_external_id": "usso:https://login.ubuntu.com/+id/openid-suffix",
"permissions": {
"PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4": {
"allowed_if_private": false,
"allowed_by_revision": false
}
}
}
Checking deep in our backend code, the checks need to consider essential snaps as part of any store (so far they only check among all the snaps that are showing in a store the user has viewer role in).
Separately, the help for `snap download` should be extended to say that any user with store viewer role can access snaps by revision if the snap is available from their store:
--revision= Download the given revision of a snap, to which you must have developer access |
|
2021-12-09 12:25:46 |
Natalia Bidart |
snapd: status |
Incomplete |
New |
|
2021-12-09 19:21:51 |
Natalia Bidart |
snapstore-server: assignee |
|
Natalia Bidart (nataliabidart) |
|
2021-12-09 19:21:54 |
Natalia Bidart |
snapstore-server: status |
Triaged |
In Progress |
|
2021-12-09 22:41:19 |
Ian Johnson |
snapd: status |
New |
Confirmed |
|
2021-12-09 22:41:21 |
Ian Johnson |
snapd: importance |
Undecided |
Low |
|
2022-03-30 19:39:52 |
Natalia Bidart |
snapstore-server: status |
In Progress |
Fix Released |
|