Bug Description
`ov reindex --sudo` fails with `PERMISSION_DENIED: Requires role: root, admin` even when `root_api_key` is correctly configured in `ov.conf` and the matching key is set in `ovcli.conf`.
Environment
- OpenViking version: 0.3.12
- Server auth_mode: trusted
- root_api_key configured in ov.conf (matching between server and cli)
Steps to Reproduce
- Configure `root_api_key` in `ov.conf` under `server` section
- Configure the same key in `ovcli.conf` under `root_api_key` field
- Run: `ov reindex viking://resources/repository_3 --sudo`
- Expected: reindex starts as root
- Actual: `PERMISSION_DENIED: Requires role: root, admin`
Root Cause Analysis
After inspecting the server source code at `openviking/server/auth.py`:
Finding 1: CLI `--sudo` flag is never wired up
The `ov` CLI client (`openviking_cli/client/http.py`) sends the `X-API-Key` header using the `api_key` field from `ovcli.conf`. The `--sudo` flag is parsed by the CLI but never causes a different API key to be sent, and the `root_api_key` field in `ovcli.conf` is never read by the client at all.
Finding 2: Server-side root_api_key validation is incomplete
In TRUSTED mode, the server validates the `root_api_key` against the incoming `X-API-Key` header (lines 138-147 of auth.py). If the key is valid, the resolved identity is passed through. However, the only path for which TRUSTED mode returns `Role.ROOT` independently of `root_api_key` is `/api/v1/admin/*` (admin path prefix check, lines 163-170).
For all other paths (including `/api/v1/maintenance/reindex`), the role is determined by `api_key_manager.get_user_role()` which looks up the key in the API key database and returns `Role.USER` by default, even if the key matches `root_api_key`.
Expected Behavior
In TRUSTED mode with `root_api_key` configured, requests sent with that key should be granted `Role.ROOT` regardless of the API path.
Suggested Fix
Option A (minimal): In `auth.py`, when `root_api_key` is configured and the incoming `X-API-Key` matches it, set `Role.ROOT` for all paths (not just admin paths).
Option B (CLI fix): Wire up the `--sudo` flag in `openviking_cli/client/http.py` to send the `root_api_key` from `ovcli.conf` as the `X-API-Key` header instead of `api_key`.
Both options should be implemented for a complete fix.
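To make the two findings and the two fix options concrete, here is an added, self-contained model of the role resolution described above. It is not OpenViking's code: `Role`, `resolve_role_buggy`, `resolve_role_fixed`, `get_user_role`, `cli_headers` and `reindex_allowed` are hypothetical stand-ins for the server and client internals, and the keys and API-key database are constructed sample data. The buggy resolver reproduces Finding 2 (a matching `root_api_key` is ignored off the admin prefix), the fixed resolver implements Option A, and `cli_headers` implements Option B.

```python
"""Added example (not OpenViking's own code): a model of TRUSTED-mode role
resolution with the reported bug and the Option A fix side by side, plus the
Option B header selection for the CLI.  All names are hypothetical stand-ins;
the keys and key database below are constructed sample data.
"""
import hmac
from enum import Enum
from typing import Dict, Optional, Tuple


class Role(str, Enum):
    ROOT = "root"
    ADMIN = "admin"
    USER = "user"


# Constructed sample data: the server's root_api_key and its API-key database.
ROOT_API_KEY = "constructed-root-key"
API_KEY_DB: Dict[str, Role] = {
    "constructed-user-key": Role.USER,
    "constructed-admin-key": Role.ADMIN,
}


def get_user_role(api_key: str) -> Role:
    """Stand-in for api_key_manager.get_user_role(): unknown keys fall back to USER."""
    return API_KEY_DB.get(api_key, Role.USER)


def resolve_role_buggy(path: str, api_key: Optional[str], root_api_key: Optional[str]) -> Role:
    """Finding 2 as reported: only /api/v1/admin/* yields ROOT; the root key is
    validated elsewhere but never influences the role on other paths."""
    if path.startswith("/api/v1/admin/"):
        return Role.ROOT
    return get_user_role(api_key or "")


def resolve_role_fixed(path: str, api_key: Optional[str], root_api_key: Optional[str]) -> Role:
    """Option A: a key matching root_api_key is ROOT on every path.

    The match uses hmac.compare_digest so the comparison runs in constant time,
    and an unset root_api_key can never match anything.
    """
    if root_api_key and api_key and hmac.compare_digest(api_key, root_api_key):
        return Role.ROOT
    if path.startswith("/api/v1/admin/"):
        return Role.ROOT
    return get_user_role(api_key or "")


def require_role(role: Role, allowed: Tuple[Role, ...]) -> None:
    """Raise the same PERMISSION_DENIED error shape quoted in the report."""
    if role not in allowed:
        names = ", ".join(r.value for r in allowed)
        raise PermissionError(f"PERMISSION_DENIED: Requires role: {names}")


def cli_headers(conf: Dict[str, str], sudo: bool) -> Dict[str, str]:
    """Option B: with --sudo the client sends root_api_key instead of api_key.

    Failing loudly when root_api_key is missing is better than silently falling
    back to the user key, which is exactly the confusing behaviour reported.
    """
    key = conf.get("root_api_key") if sudo else conf.get("api_key")
    if sudo and not key:
        raise ValueError("--sudo requested but root_api_key is not set in ovcli.conf")
    return {"X-API-Key": key or ""}


def reindex_allowed(path: str, headers: Dict[str, str], root_api_key: str, fixed: bool) -> bool:
    """Run one request through the chosen resolver and the reindex role gate."""
    resolver = resolve_role_fixed if fixed else resolve_role_buggy
    role = resolver(path, headers.get("X-API-Key"), root_api_key)
    try:
        require_role(role, (Role.ROOT, Role.ADMIN))
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    conf = {"api_key": "constructed-user-key", "root_api_key": ROOT_API_KEY}
    path = "/api/v1/maintenance/reindex"
    sudo_headers = cli_headers(conf, sudo=True)
    # Option B alone is not enough: the buggy server still resolves USER.
    print("Option B only, buggy server:", reindex_allowed(path, sudo_headers, ROOT_API_KEY, fixed=False))
    # Both options together: the root key is honoured on the reindex path.
    print("Options A and B, fixed server:", reindex_allowed(path, sudo_headers, ROOT_API_KEY, fixed=True))
    # Without --sudo the fixed server still denies a plain user key.
    print("No --sudo, fixed server:", reindex_allowed(path, cli_headers(conf, sudo=False), ROOT_API_KEY, fixed=True))
```

Running the script shows why the report concludes that both options are needed: with only the CLI fix the buggy server still answers `PERMISSION_DENIED`, with only the server fix the CLI never sends the root key, and with both the reindex request resolves to `Role.ROOT` while a request without `--sudo` is still denied.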