You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Under OAuth (pup auth login), every Logs config endpoint gated by logs_read_config returns 401 Unauthorized, even on a freshly re-authenticated session whose token already carries logs_read_config (verified in pup auth status):
Sibling Logs config endpoints gated by other scopes work fine on the same token, so this is specific to the logs_read_config-gated family (pipelines, restriction queries), not to Logs config or OAuth in general.
This is the Logs-config analogue of #437 / #443 (AWS / GCP cloud-configuration scopes) and #445 / #570 (DBM built_in_features): the scope appears in the granted token but the server-side OAuth client is not actually authorized for it.
Repro
$ pup --versionpup 1.2.0
$ pup auth login # standard interactive flow, defaults
$ pup auth status | jq '.scopes | length'100
$ pup auth status | jq '.scopes | index("logs_read_config")'# scope IS granted<non-null index>
# logs_read_config-gated endpoints -> 401
$ pup api v1/logs/config/pipelinesError: HTTP 401 https://api.datadoghq.com/api/v1/logs/config/pipelines: {"errors":["Unauthorized"]}
$ pup api v2/logs/config/restriction_queriesError: HTTP 401 https://api.datadoghq.com/api/v2/logs/config/restriction_queries: {"errors":["Unauthorized"]}
# sibling Logs config endpoints gated by OTHER scopes work on the same token
$ pup api v2/logs/config/archives # logs_read_archives -> 200
$ pup api v1/logs/config/indexes # logs_modify_indexes -> 200
So logs_read_config is present in the token yet does not actually authorize the endpoints it is supposed to gate, while logs_read_archives / logs_modify_indexes work as expected.
Also missing: logs_write_pipelines
My end goal is to add a GeoIP Parser processor to a logs pipeline from pup (to enrich request logs with the requester's country). That requires the write scope logs_write_pipelines, which is not in default_scopes() / all_known_scopes() in src/auth/types.rs at all.
Per the precedent in #445, simply adding a not-yet-server-enabled scope to default_scopes() and re-running pup auth login --scopes ... fails with OAuth error: invalid_scope, so this needs server-side enablement on the pup OAuth client before a client-side PR is useful.
Enable logs_write_pipelines so pipelines can be created/updated over OAuth.
Once enabled server-side, I'm happy to follow up with a client-side PR adding a pup logs pipelines list/get/create/update command (modeled on the existing archives / restriction-queries subcommands) and the corresponding scopes — same shape as #443 / #570.
Use case
OAuth-only orgs (SSO, no long-lived application keys) cannot fall back to DD_API_KEY / DD_APP_KEY, so logs pipeline configuration (e.g. adding a GeoIP processor) is currently impossible from pup.
Is your feature request related to a problem?
Under OAuth (
pup auth login), every Logs config endpoint gated bylogs_read_configreturns401 Unauthorized, even on a freshly re-authenticated session whose token already carrieslogs_read_config(verified inpup auth status):Sibling Logs config endpoints gated by other scopes work fine on the same token, so this is specific to the
logs_read_config-gated family (pipelines, restriction queries), not to Logs config or OAuth in general.This is the Logs-config analogue of #437 / #443 (AWS / GCP cloud-configuration scopes) and #445 / #570 (DBM
built_in_features): the scope appears in the granted token but the server-side OAuth client is not actually authorized for it.Repro
So
logs_read_configis present in the token yet does not actually authorize the endpoints it is supposed to gate, whilelogs_read_archives/logs_modify_indexeswork as expected.Also missing:
logs_write_pipelinesMy end goal is to add a GeoIP Parser processor to a logs pipeline from
pup(to enrich request logs with the requester's country). That requires the write scopelogs_write_pipelines, which is not indefault_scopes()/all_known_scopes()insrc/auth/types.rsat all.Per the precedent in #445, simply adding a not-yet-server-enabled scope to
default_scopes()and re-runningpup auth login --scopes ...fails withOAuth error: invalid_scope, so this needs server-side enablement on thepupOAuth client before a client-side PR is useful.Request
logs_read_configscope server-side for thepupOAuth client so the already-granted scope actually authorizesv1/logs/config/pipelinesandv2/logs/config/restriction_queries(mirroring the OAuth client missing AWS / GCP cloud-configuration scopes —pup cloud {aws,gcp} listalways 401 #437 / OAuth client missing DBM scope —pup dbm samples searchalways 403 withbuilt_in_features#445 fixes).logs_write_pipelinesso pipelines can be created/updated over OAuth.Once enabled server-side, I'm happy to follow up with a client-side PR adding a
pup logs pipelines list/get/create/updatecommand (modeled on the existingarchives/restriction-queriessubcommands) and the corresponding scopes — same shape as #443 / #570.Use case
OAuth-only orgs (SSO, no long-lived application keys) cannot fall back to
DD_API_KEY/DD_APP_KEY, so logs pipeline configuration (e.g. adding a GeoIP processor) is currently impossible frompup.