Access Denied Errors in API Service

[matiasAS]

Description
I'm experiencing repeated Access Denied errors in the API service of OpenBalena. Below is a screenshot of the errors:

The errors look like this:

Questions
What is causing these Access Denied errors?
How can I resolve these errors to ensure the API service functions correctly?
Any guidance or suggestions to resolve this issue would be greatly appreciated.

Thank you!

Best regards,
Matias Alvarez Sabate

[tadcom0]

I have the same problem and didn't found the solution yet.

[matiasAS]

@tadcom0 For me, at times it works and at other times it is like this continuously.

@ab77 help me please with this issue, long time waiting for a solution

[smarthomeagentur]

Same issue. Deployment with Docker Desktop and WSL2

[matiasAS]

@tadcom0 hello, Have you found the problem? It takes a long time for developers to respond to issues, that's the bad thing.

[matiasAS]

@tadcom0 hello, Have you found the problem? It takes a long time for developers to respond to issues, that's the bad thing.

[thgreasi]

Hi,
Does this block any functionality on your side? Because these are only supposed to be warnings.
One way to to silence these warning could be to use the CONTRACT_ALLOWLIST env var for the API service on your docker-compose, and list there only the contracts (device types, cpu architectures etc) that you care to import on your instance.
Let me point you to its definition & description:
https://github.com/balena-io/open-balena-api/blob/master/src/lib/config.ts#L96-L110

[thgreasi]

Hi,
I would like to let you know open-balena-api v31.1.0 should no longer log these warnings.
Can you give it a try and let us know?

Kind regards,
Thodoris

[matiasAS]

@thgreasi Is that version of the api compatible with openbalena v3?
I also have v4, I will test how it behaves

[matiasAS]

@thgreasi

The errors are not shown in version 31.1.0, but if I make a request to the url:
https://api.<my_domain>/device-types/v1
At times it responds quickly and at other times it does not respond due to a timeout error. It coincides with when these errors were seen in the log before.
Unlike the balena cloud api:
https://api.balena-cloud.com/device-types/v1 always responds, is that because it is openbalena or is it another bug?

Best regards

[thgreasi]

Hi @matiasAS,
There were no behavioral changes in 31.1.0, other than silencing the warnings, since in unauthenticated open-balena they are expected, thus are just noise.
What version of open-balena-api were you running before? The only think that I can imagine being related to what you describe is when open-balena-api v0.206.4 changed the way that its /device-types/v1 cache was working to a lazy/on-demand population method.

You mention that it coincides with when these errors warnings where seen before, which sounds like the /device-types/v1 cache at that point had expired, either b/c it became stale or b/c the Redis cached item was evicted (which doesn't happen on balenaCloud, either because we continuously get such requests & we don't have space based evictions from Redis). On the other hand populating the cache shouldn't take that much time (should be ready in less that 5s when I was testing it a few years ago), but that of course depends on the networking bandwidth that your instance.
One way to make things faster is trying to use the CONTRACT_ALLOWLIST env var to have your instance only fetch the device types that you actually use.

[matiasAS]

Hi @thgreasi ,
Are you from the openbalena development team or a user? Do you know if the is_online attribute can be made reactive and in real time?
And another question, for version 3.x and 4.x, what should I do to change the domain?