Shotgrid addon secrets permissions and Proxy problems

Hello Ynput gang,

Coming across a few small errors using the Shotgrid addon.

The first is regarding user permissions. If a user is not Admin, they cannot access the Ayon SG Integration secret required to start the SG addon. Here is the slightly unhelpful error logged when a non-admin launches an app:

Non-admin error
Traceback (most recent call last):
  File "C:\Program Files\Ynput\AYON 1.0.0\dependencies\ayon_api\server_api.py", line 194, in raise_for_status
    self._response.raise_for_status()
  File "C:\Program Files\Ynput\AYON 1.0.0\dependencies\requests\models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://10.0.*.*:****/api/secrets/Ayon_Integration

It would obviously be a bad idea for users to be able to see and change the api key, but they still need to access it to start the module, publish etc. Is there a recommended workflow for this, or some permission to tweak?

The second error I’m coming across is when connecting to Shotgun through our studio’s proxy. We use a Squid proxy that whitelists Shotgrid, as well as some others: Autodesk, Adobe, etc.
When this proxy is enabled the SG connection publish step fails, despite the user being able to access SG fine in a browser or through SG desktop.

Proxy enabled error
INFO: Creating Shotgrid Session for user: ************ at https://****************.shotgunstudio.com
ERROR: Failed to connect to Shotgrid.
Traceback (most recent call last):
  File "C:\Users\************\AppData\Local\Ynput\AYON\addons\shotgrid_0.3.2\ayon_shotgrid\plugins\publish\collect_shotgrid_session.py", line 30, in process
    sg_session = shotgrid_module.create_shotgrid_session()
  File "C:\Users\************\AppData\Local\Ynput\AYON\addons\shotgrid_0.3.2\ayon_shotgrid\addon.py", line 54, in create_shotgrid_session
    return credentials.create_sg_session(
  File "C:\Users\************\AppData\Local\Ynput\AYON\addons\shotgrid_0.3.2\ayon_shotgrid\lib\credentials.py", line 21, in create_sg_session
    session = shotgun_api3.Shotgun(
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 710, in __init__
    self.server_caps
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 781, in server_caps
    self._server_caps = ServerCapabilities(self.config.server, self.info())
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 833, in info
    return self._call_rpc("info", None, include_auth_params=False)
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 3393, in _call_rpc
    http_status, resp_headers, body = self._make_call(
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 3551, in _make_call
    return self._http_request(verb, path, body, req_headers)
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\shotgun.py", line 3605, in _http_request
    resp, content = conn.request(url, method=verb, body=body, headers=headers)
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\lib\httplib2\python3\__init__.py", line 1724, in request
    (response, content) = self._request(
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\lib\httplib2\python3\__init__.py", line 1444, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\lib\httplib2\python3\__init__.py", line 1366, in _conn_request
    conn.connect()
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\shotgun_api3\lib\httplib2\python3\__init__.py", line 1156, in connect
    sock.connect((self.host, self.port))
TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\************\AppData\Local\Ynput\AYON\dependency_packages\ayon_2401161802_windows.zip\dependencies\pyblish\plugin.py", line 527, in __explicit_process
    runner(*args)
  File "C:\Users\************\AppData\Local\Ynput\AYON\addons\shotgrid_0.3.2\ayon_shotgrid\plugins\publish\collect_shotgrid_session.py", line 34, in process
    raise KnownPublishError(
openpype.pipeline.publish.publish_plugins.KnownPublishError: Could not connect to Shotgrid https://****************.shotgunstudio.com with user ************.

Having our proxy on also does some strange things to the web interface, which are very minor but worth a mention.

[Image: ayon_proxy_20240403_002]

Had to remove a few things from the logs but hopefully they are still clear. Could there be some other domain that needs to be allowed through our proxy? Or could the addon be accessing something unintended?

First one is quite worrisome, I have only been testing it as my user so far so I hadn’t encountered this error. I guess if that’s a design flaw I’d just change the addon to set the API key directly on the settings without being a secret like it was in OpenPype but I will wait for @Ynput team to comment on how they intend to use these secrets.

As for the second error with the proxy, I think I fixed it when I added the http proxy env to the SG session creation: "Use SG API key for creating session and remove login functionality" by fabiaserra · Pull Request #58 · ynput/ayon-shotgrid · GitHub. Make sure you have the HTTPS_PROXY env var set in the runtime environment.

@jakub.jezek please comment on what should be the workflow moving forward re: secrets

Hey again @fabiaserra
Thanks for your help yet again! Setting the “HTTPS_PROXY” globally fixed the second issue.

However, there was a bit of troubleshooting, as the proxy variable getting lstrip’d causes errors. Our proxy starts with a p, i.e. “https://proxy01” becomes “roxy01”.
I worked around it by setting the env var to “https://Proxy01” with a capital P. Lstrip seems like the wrong way to remove a leading https.

Fingers crossed on the secrets!

ohh yeah good call… we should be using replace instead

as for the secrets… If I was in the middle of a fire and needed a quick patch without Ynput redesigning the access of those, it would be to hard-code the API key directly on these entries (Code search results · GitHub) and roll out my custom version of the addon, but if you can wait let’s see if @jakub.jezek or someone from the team can answer

EDIT: I just asked here: Discord
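
The lstrip problem reported above, as an added example that is not part of the original posts or of the addon's code: str.lstrip() takes a set of characters rather than a prefix, so it keeps consuming leading characters of the host name. proxy_host_port is a hypothetical helper, the host names are constructed samples, and the assumption is that the consumer wants a bare host:port value.

```python
def strip_scheme_lstrip(value):
    """The reported behaviour: lstrip() removes ANY leading run of the
    characters h, t, p, s, ':' and '/', not the literal prefix."""
    return value.lstrip("https://")


def strip_scheme_replace(value):
    """Literal replace: correct for https:// values, but an http:// value
    passes through with its scheme still attached."""
    return value.replace("https://", "")


def proxy_host_port(value):
    """Hypothetical helper: return 'host[:port]' (with optional
    'user:pass@') from a proxy env value, with or without a scheme."""
    value = value.strip()
    scheme, sep, rest = value.partition("://")
    if sep:
        if scheme.lower() not in ("http", "https"):
            raise ValueError("unsupported proxy scheme: %r" % scheme)
        value = rest
    # Drop a trailing slash or path; only the authority part is wanted.
    value = value.split("/", 1)[0]
    if not value:
        raise ValueError("empty proxy host")
    return value


# Constructed sample values (not taken from any real environment).
SAMPLES = [
    "https://proxy01",
    "https://Proxy01",
    "http://squid.example:3128/",
    "proxy01:3128",
]


def compare(samples=SAMPLES):
    """Return (input, lstrip result, replace result, helper result) rows."""
    return [
        (s, strip_scheme_lstrip(s), strip_scheme_replace(s), proxy_host_port(s))
        for s in samples
    ]


if __name__ == "__main__":
    for row in compare():
        print("%-28s lstrip=%-20s replace=%-28s helper=%s" % row)
```

The capital-P workaround only works because "P" is not in the stripped character set; any proxy host beginning with h, t, p or s is affected.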

@Ynput answered that if it’s a secret it shouldn’t be used like that so we need to change the addon and remove the use of the secret and just expose the API key directly on the setting

Created two PRs addressing these issues:

And another one to update to ayon-core: Update to ayon_core by fabiaserra · Pull Request #80 · ynput/ayon-shotgrid · GitHub

Sorry for the delay,

yeah thanks @fabiaserra for the proxy fix! Also the issue is really that only admin users and services are having access to the secrets. This needs to be fixed in the opened PR: Reimplementation of Tray user logging by jakubjezek001 · Pull Request #83 · ynput/ayon-shotgrid · GitHub