01:06:39  * jayschmidt joined
01:06:40  * jayschmidt quit (Client Quit)
01:17:15  * melloc quit (Quit: Leaving.)
01:20:01  * ed209 quit (Remote host closed the connection)
01:20:08  * ed209 joined
02:10:01  * dap_ quit (Quit: Leaving.)
02:41:41  * bahamat quit (Quit: Leaving.)
03:17:27  * mhicks quit (Quit: Leaving.)
03:40:22  * melloc joined
03:43:04  * mhicks joined
04:12:01  * bahamat joined
04:23:03  * bahamat quit (Quit: Leaving.)
05:10:02  * bahamat joined
05:36:45  * bahamat quit (Quit: Leaving.)
09:33:10  * melloc quit (Quit: Leaving.)
10:20:00  * ed209 quit (Remote host closed the connection)
10:20:07  * ed209 joined
12:11:51  * jayschmidt joined
13:14:14  * Bernardo joined
13:14:36  <Bernardo>Hi
13:15:21  <Bernardo>I'm trying to make a signed request with the HTTP method OPTIONS
13:15:49  <Bernardo>It works with the administrator account but I can't make it work with roles and policies.
13:16:43  * jayschmidt quit (Quit: Leaving.)
13:17:06  * jayschmidt joined
13:17:08  <Bernardo>I get the error AuthorizationFailed with a message like user/subuser is not allowed to access ...
13:17:47  <Bernardo>Anyone know how to create a policy and role and apply a role-tag to a directory so I can make an OPTIONS request?
14:20:02  * jayschmidt quit (Quit: Leaving.)
14:23:18  * jayschmidt joined
14:25:51  * chorrell joined
15:45:52  * chorrell quit (Quit: Textual IRC Client: www.textualapp.com)
16:17:55  * chorrell joined
16:38:45  * chorrell quit (Quit: Textual IRC Client: www.textualapp.com)
16:42:57  * melloc joined
16:48:28  * melloc quit (Quit: Leaving.)
17:06:39  * melloc joined
17:16:30  * dap_ joined
17:22:40  * melloc quit (Quit: Leaving.)
17:34:30  <elijahZ24>Bernardo: Does it work with the user and role when you do a GET request?
17:34:44  <elijahZ24>Also what client library are you using?
17:36:16  <Bernardo>yes, it works for PUT and GET. I'm writing an app using php, but testing in bash
17:37:17  <Bernardo>now, I've almost solved this
17:38:09  <Bernardo>it seems using a policy with "can putobject, putdirectory, getobject and getdirectory" doesn't work but using "can *" works!
17:51:25  <elijahZ24>Are you using this library: https://github.com/joyent/php-manta
17:52:48  <elijahZ24>Also have you done a mchmod on the object in question? https://github.com/joyent/node-manta/blob/master/docs/man/mchmod.md
17:53:02  <elijahZ24>mchmod +subusername /user/stor/my_directory
17:53:35  <Bernardo>I have the problem in bash using the sign function that is in the documentation
17:55:35  * bahamat joined
17:56:08  <elijahZ24>Bernardo: I will poke around for you and see if I can isolate the problem.
17:56:27  <Bernardo>I'm using mchmod +somerole /user/stor/my_directory
17:57:33  <Bernardo>thank you. The strange thing is that it works using a policy of "can *"
18:03:24  * pmooney quit (Quit: WeeChat 1.3)
18:14:49  * mpana joined
18:15:12  <elijahZ24>Bernardo: The reason I asked whether you are using the php client library is that it will be getting some updates in the near future to work as a composer module and it will likely have a slightly different instantiation API.
18:15:52  * melloc joined
18:16:08  <Bernardo>no, I'm not using that library
18:16:15  <elijahZ24>Ok, then no problem.
18:16:44  <elijahZ24>What user did you use to PUT the object on to Manta? Was it the subuser?
18:18:10  <elijahZ24>My Manta subuser policy is: can createjob, can deletedirectory, can deleteobject, can get directory, can getjob, can getobject, can listjobs, can managejob, can putdirectory, can putlink, can putobject
18:18:39  <elijahZ24>I tested with the policy associated with a "manta" role which was associated with a subuser.
18:18:50  <elijahZ24>I then used that user to PUT the object.
18:18:58  * pmooney joined
18:19:02  <elijahZ24>Then I signed it and I was able to get it as an anonymous user.
18:19:50  <elijahZ24>I added it to the integration tests in the Java Manta client: https://github.com/joyent/java-manta/blob/master/java-manta-it/src/test/java/com/joyent/manta/client/MantaClientSigningIT.java#L164
18:21:00  <Bernardo>yes, I can put and get; the problem is with the HTTP method OPTIONS (it's for CORS purposes)
18:24:06  <Bernardo>I'm implementing a browser upload with signed urls
18:24:22  <Bernardo>I'm using this as a guide: http://mcavage.me/blog/2013/07/10/uploading-files-to-manta-from-a-browser/
18:24:54  <nahamu>are you looking at the code it uses?
18:25:06  <Bernardo>the whole process works but not when using a subuser
18:25:15  <nahamu>ah, I see.
18:25:58  <Bernardo>but, as I said, now I have it working, but only if I use a policy with "can *"
18:27:00  <elijahZ24>Bernardo: I think I've got your problem reproducing in curl.
18:27:22  <Bernardo>it looks to me like there is an undocumented rbac action that should be allowed to use the OPTIONS method
18:27:33  <elijahZ24>Do you get an error message like: {"code":"AuthorizationFailed","message":"account/subuser is not allowed to access /accoung/stor/33efea55-be23-43d1-bab2-27e8931d36ff/d2b62ce5-c9b7-405d-a923-409b48639d4d"}%
18:27:44  <Bernardo>yes, exactly
18:39:31  <Bernardo>this is what I want to make work with curl:
18:39:38  <Bernardo>mantabashsignfunc /bernardo/stor/somedir/role-tagged-subdir/filetoput -X OPTIONS -H "access-control-request-method: PUT" -i -H "Origin: http://localhost"
18:44:45  <elijahZ24>Did you PUT the object using the subuser?
18:50:30  <elijahZ24>Bernardo: Are you a Joyent public cloud customer?
18:50:59  <Bernardo>yes
18:51:46  <elijahZ24>In order for this to get triaged properly, can I have you create a support ticket detailing your problem? I'm going to create a bug right now for it, but having the ticket gives more weight to the issue.
18:52:42  <elijahZ24>Please go ahead and mention that you spoke to me (Elijah Zupancic).
18:53:22  <Bernardo>yes, sure, thank you very much!
19:01:44  <elijahZ24>Bernardo: Here is the bug: https://smartos.org/bugview/MANTA-2839 I will attach any additional information that you include in your ticket.
19:01:52  <elijahZ24>I'm sorry that you ran into this.
19:26:47  <Bernardo>elijahZ24: I read the bug report. I think that the role-tag should be applied to the containing directory, because the OPTIONS request is like a PUT request in that manta queries the parent folder for the metadata because the object doesn't exist yet
19:28:59  <elijahZ24>Well, when I add the role tag to the parent directory, the issue still occurs.
19:31:15  <elijahZ24>But you make a good point.
19:38:45  <elijahZ24>Bernardo: I updated the ticket to use your directory example.
19:43:05  <Bernardo>in the example the OPTIONS request should be to an object (probably one that doesn't exist yet, or maybe it exists and you want to overwrite it), like
19:43:20  <Bernardo>like /elijah.zupancic/stor/3e893ac5-e26a-42f8-9555-0249d921b3ca/obect-i-want-to-put
19:45:18  <elijahZ24>Ok. Maybe I misunderstood what you said last. That was the original test that I did.
19:45:32  <elijahZ24>I had put an object in a directory created by a subuser.
20:02:18  <Bernardo>elijahZ24: to reproduce: create a directory tagged with a role that has a policy with "CAN getobject, getdirectory, putobject and putdirectory"
20:02:51  <Bernardo>sign with a subuser (that has the role) key a URL with an OPTIONS method request to an object inside this directory
20:03:07  <elijahZ24>Bernardo: It would help a lot if you could file full repro instructions using the CLI tools with the ticket.
20:03:53  <elijahZ24>Also, you've tried these two options to msign, right:
20:03:54  <elijahZ24> --role=ROLE,ROLE,...
20:03:55  <elijahZ24> Specify which roles to assume for the request.
20:03:55  <elijahZ24> --role-tag=ROLE,ROLE,...
20:03:55  <elijahZ24> Set the role tags on objects created with the signed URL.
20:05:55  <Bernardo>yes, but adding the role-tag to the request itself didn't appear to make any difference.
20:06:39  <Bernardo>I will file the ticket, thank you again
20:08:22  <Bernardo>it works for now with the policy "hack", I just think it is brittle
20:10:23  * mpana quit (Remote host closed the connection)
20:20:01  * ed209 quit (Remote host closed the connection)
20:20:08  * ed209 joined
21:10:55  * mpana joined
21:16:23  * mpana quit (Ping timeout: 260 seconds)
21:52:57  * pmooney quit (Quit: WeeChat 1.3)
22:12:27  * mpana joined
22:16:38  * pmooney joined
22:16:41  * bahamat quit (Quit: Leaving.)
22:16:53  * mpana quit (Ping timeout: 246 seconds)
22:48:38  * bahamat joined
23:11:48  * jayschmidt1 joined
23:13:16  * mpana joined
23:17:26  * mpana quit (Ping timeout: 240 seconds)
23:44:32  * jayschmidt1 quit (Quit: Leaving.)