Uploaded image for project: 'mod-remote-storage'
  1. mod-remote-storage
  2. MODRS-114

mod-remote-storage fails to recover from invalid token

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • P2
    • Resolution: Done
    • 1.3.4
    • 1.5.0
    • None
    • Firebird Sprint 133
    • 2
    • Firebird
    • Lotus R1 2022
    • University of Chicago
    • Requirements change

    Description

      Overview:
      If the Okapi authentication token for the system-user for mod-remote-storage is invalidated, the module does not recover and the token apparently needs to be manually updated in the system_user_parameters table. This is obviously extremely brittle, as the authentication token is not guaranteed to remain valid indefinitely (and indeed it would be a security risk if it was never invalidated).

      Steps to Reproduce:
      On a running system with mod-remote-storage, restart mod-authtoken with a new signing key to force invalidation of all tokens.

      Expected Results:
      Changing the location of an item to a remote storage location should add the item to the accession queue.

      Actual Results:
      The item is not added to the accession queue, and the following error appears in the log:

      19:54:27 [] [] [] [] INFO  ccessionQueueService isEffectiveLocationChanged: true
      19:54:27 [] [] [] [] ERROR KafkaConfiguration   Error in process with Exception org.springframework.kafka.listener.ListenerExecutionFailedException: Listener method 'public void org.folio.rs.integration.KafkaMessageListener.handleEvents(java.util.List<org.folio.rs.domain.dto.DomainEvent>)' threw exception; nested exception is feign.FeignException$Unauthorized: status 401 reading InventoryClient#getInstancesByQuery(String); nested exception is feign.FeignException$Unauthorized: status 401 reading InventoryClient#getInstancesByQuery(String) and the record is org.apache.kafka.clients.consumer.ConsumerRecords@677547a9
      

      Additional Information:
      Restarting mod-remote-storage does not allow it to recover, nor does it help to set the okapi_token column in system_user_parameters to NULL. The only workaround I found was to log in to the FOLIO environment as the system-user and manually update the entry in system_user_parameters with the new token.

      Interested parties:
      dbottorff arnt@uchicago.edu

      TestRail: Results

        Attachments

          1. Screenshot 2022-02-21 at 15.33.46.png
            292 kB
            Viachaslau Khandramai
          2. Screenshot 2022-02-21 at 15.37.22.png
            537 kB
            Viachaslau Khandramai
          3. Screenshot 2022-02-21 at 15.38.05.png
            302 kB
            Viachaslau Khandramai
          4. Screenshot 2022-02-21 at 15.39.13.png
            817 kB
            Viachaslau Khandramai
          5. Screenshot 2022-02-21 at 16.12.37.png
            314 kB
            Viachaslau Khandramai
          6. Screenshot 2022-02-21 at 16.16.28.png
            500 kB
            Viachaslau Khandramai

          Issue Links

            Activity

              People

                khandramai Viachaslau Khandramai
                wayne Wayne Schneider
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases