only Intercepting/hijack is giving 403 forbidden

[gowrisankar22]

Hello,

We are getting 403 forbidden only for the Intercepting/hijacking operations for concourse containers.
Not really sure what’s going wrong, whereas other commands like set-pipeline, watch ...etc are working fine.

Also, I have a garden configuration like below,

env:
  - name: CONCOURSE_GARDEN_NETWORK_POOL
    value: "10.254.0.0/16"
  - name: CONCOURSE_GARDEN_MAX_CONTAINERS
    value: "500"
  - name: CONCOURSE_GARDEN_DENY_NETWORK
    value: "169.254.169.254/32"

$ fly6 --verbose -t validation intercept -j test/prepare-2

2020/06/22 15:38:02 GET /api/v1/info HTTP/1.1
Host: xxx
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip


2020/06/22 15:38:02 HTTP/1.1 200 OK
Content-Length: 141
Alt-Svc: clear
Content-Type: application/json
Date: Mon, 22 Jun 2020 12:38:02 GMT
Vary: Accept-Encoding
Via: 1.1 google
X-Concourse-Version: 6.0.0
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block

{"version":"6.0.0","worker_version":"2.2","external_url":xxxxx","cluster_name":"Concourse"}

2020/06/22 15:38:02 GET /api/v1/teams/Teama/containers?job_name=prepare-2&pipeline_name=test HTTP/1.1
Host: xxxx
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip


2020/06/22 15:38:02 HTTP/1.1 403 Forbidden
Alt-Svc: clear
Date: Mon, 22 Jun 2020 12:38:02 GMT
Vary: Accept-Encoding
Via: 1.1 google
X-Concourse-Version: 6.0.0
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Content-Length: 0

error: forbidden

Can somebody help, what might have been the problem ?

[jamieklassen]

It's the ListContainers action that is giving you this 403. Analyzing the v6.0.0 source code, we can see that the ListContainers is wrapped by a team-scoped handler factory:

concourse/atc/api/handler.go

Line 192 in 559620b

atc.ListContainers: teamHandlerFactory.HandlerFor(containerServer.ListContainers),

and the resulting wrapped handler will give a 403 if accessor.IsAuthorized returns false for the given team:

concourse/atc/api/team_scoped_handler_factory.go

Lines 35 to 52 in 559620b

	if acc.IsAuthorized(teamName) {
	team, found, err := f.teamFactory.FindTeam(teamName)
	if err != nil {
	logger.Error("failed-to-find-team-in-db", err)
	w.WriteHeader(http.StatusInternalServerError)
	return
	}
	if !found {
	logger.Error("team-not-found-in-database", errors.New("team-not-found-in-database"), lager.Data{"team-name": teamName})
	w.WriteHeader(http.StatusNotFound)
	return
	}
	teamScopedHandler(team).ServeHTTP(w, r)
	} else {
	w.WriteHeader(http.StatusForbidden)
	}

Inspecting the implementation of that function, we see that it will be true if you are an admin or if you have the required role for the ListContainers action on the given team:

concourse/atc/api/accessor/accessor.go

Lines 44 to 59 in 559620b

	func (a *access) IsAuthorized(team string) bool {
	if a.IsAdmin() {
	return true
	}
	for teamName, teamRoles := range a.TeamRoles() {
	if teamName != team {
	continue
	}
	for _, teamRole := range teamRoles {
	if a.hasPermission(teamRole) {
	return true
	}
	}
	}
	return false
	}

The natural question then, is -- what role does your user have on that team? By default, you must be a viewer or higher:

concourse/atc/api/accessor/role_action_map.go

Line 91 in 559620b

atc.ListContainers: ViewerRole,

but you also might have overridden this using --config-rbac.

There is another code path that results in a 403, but hopefully this helps.

[gowrisankar22]

@jamieklassen Yup you are right. I moved the ListContainers action from member to owner. Looks like that is causing the issue. I will change that back to member and redeploy and see that fixes the issue.

[gowrisankar22]

@jamieklassen thanks a lot. it did the trick.