Subproject creation accepts non-existing groups in ACLs
Description of the problem
It is possible to create a new subproject whose `acls` field references groups that do not exist. The creation request succeeds, but afterwards every action on the subproject except deleting it fails with a 403, because no caller is a member of the groups the ACLs point to.
Steps to reproduce it
- Create a new subproject with invalid acls:

curl --location --request POST 'https://<svc_url>/v3/subproject/tenant/osdu/subproject/test-123' \
  --header 'x-api-key: {{SVC_API_KEY}}' \
  --header 'Content-Type: application/json' \
  --header 'ltag: osdu-demo-legaltag' \
  --header 'appkey: {{DE_APP_KEY}}' \
  --header 'Authorization: Bearer <token>' \
  --data-raw '{
    "storage_class": "REGIONAL",
    "storage_location": "US-CENTRAL1",
    "acls": {
      "admins": [
        "data.sdms.non-existing.admin@osdu.group"
      ],
      "viewers": [
        "data.sdms.non-existing.viewer@osdu.group"
      ]
    }
  }'
This request is executed without any error.
- Try to upload any file to the subproject:
python sdutil cp somefile sd://osdu/test-123/somefile
Output:
[403] [seismic-store-service] User not authorized to perform this operation
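The missing check is a validation of the `acls` groups at creation time, so the request is rejected instead of producing a subproject nobody can operate on. The following is an added illustration of such a pre-flight check, not code from seismic-store-service or sdutil; the group registry, the `group_exists` lookup and the group-name pattern are assumptions standing in for a real entitlements query.

```python
import re
from typing import Callable, Dict, List

# Hypothetical registry standing in for an entitlements lookup (constructed
# sample, not real OSDU data): the groups that actually exist for this tenant.
EXISTING_GROUPS = {
    "data.sdms.test-123.admin@osdu.group",
    "data.sdms.test-123.viewer@osdu.group",
}

# Assumed naming convention, inferred only from the sample ACL entries above.
GROUP_RE = re.compile(r"^data\.sdms\.[a-z0-9.\-]+\.(admin|viewer)@[a-z0-9.\-]+$")

def group_exists(group: str) -> bool:
    """Stand-in for a call to the entitlements service."""
    return group in EXISTING_GROUPS

def validate_acls(acls: Dict[str, List[str]],
                  exists: Callable[[str], bool] = group_exists) -> List[str]:
    """Return every problem found; an empty list means the ACLs are acceptable.

    Creation should be rejected on any problem instead of storing references
    to groups nobody is a member of, which is what yields the later 403 on
    every subproject operation.
    """
    problems: List[str] = []
    for role in ("admins", "viewers"):
        groups = acls.get(role)
        if not isinstance(groups, list) or not groups:
            problems.append(f"acls.{role}: must be a non-empty list of groups")
            continue
        for group in groups:
            if not GROUP_RE.match(group):
                problems.append(f"acls.{role}: {group!r} is not a valid sdms group name")
            elif not exists(group):
                problems.append(f"acls.{role}: {group!r} does not exist in entitlements")
    return problems

# The ACLs from the reproduction request in this report.
REPORTED_ACLS = {
    "admins": ["data.sdms.non-existing.admin@osdu.group"],
    "viewers": ["data.sdms.non-existing.viewer@osdu.group"],
}

if __name__ == "__main__":
    for problem in validate_acls(REPORTED_ACLS):
        print("reject:", problem)
```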