Open ianmcorvidae opened 7 years ago
n.b. in case relevant, iRODS 4.1.10, looks like.
(and, we're on jargon 4.0.2.6-RELEASE still, in case something has changed since then)
Can you easily try 4.2.0.0-RELEASE?
Pretty easily. Having now tried it, situation is the same, sadly :(
Thanks.
Pulling the logs, this is for the ObjStat rather than the exists (but exists is built off getting an ObjStat, of course!):
2017-07-25 16:08:33,221 INFO :: authenticateIRODSAccount() :: [qtp2012345402-22] org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl
2017-07-25 16:08:33,221 INFO :: any existing session will be closed, or at least handed back to a pool/cache :: [qtp2012345402-22] org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl
2017-07-25 16:08:33,221 WARN :: closing session that is already closed, silently ignore :: [qtp2012345402-22] org.irods.jargon.core.connection.IRODSSession
2017-07-25 16:08:33,221 INFO :: instance() method...calling connection life cycle :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,221 INFO :: create connection.... :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,221 INFO :: instance() :: [qtp2012345402-22] org.irods.jargon.core.connection.IRODSTCPConnectionFactoryImpl
2017-07-25 16:08:33,221 INFO :: AbstractConnection() :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractConnection
2017-07-25 16:08:33,221 INFO :: using default negotiation policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=CS_NEG_DONT_CARE] :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractConnection
2017-07-25 16:08:33,221 INFO :: opening irods socket :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractConnection
2017-07-25 16:08:33,225 INFO :: ...have connection, now authenticate given the auth scheme in the iRODS account... :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,225 INFO :: authenticate() :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,225 INFO :: get auth mechanism :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,225 INFO :: instanceAuthMechanism() :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthenticationFactoryImpl
2017-07-25 16:08:33,226 INFO :: authScheme:STANDARD :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthenticationFactoryImpl
2017-07-25 16:08:33,226 INFO :: using standard auth :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthenticationFactoryImpl
2017-07-25 16:08:33,226 INFO :: authenticate... :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,226 INFO :: sendStartupPacket() :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,226 INFO :: clientServerNegotiationHook() :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,226 INFO :: negotiation is required :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,226 INFO :: clientServerNegotiation() :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,322 INFO :: have a server negotiation response:ClientServerNegotiationStruct [status=1, sslNegotiationPolicy=CS_NEG_REFUSE] :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,322 INFO :: negotiate() :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,322 INFO :: negotiateUsingServerProtocol() :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,322 INFO :: negotiation over response from server:ClientServerNegotiationStruct [status=1, sslNegotiationPolicy=CS_NEG_REFUSE] :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,322 INFO :: client policy:ClientServerNegotiationPolicy [sslNegotiationPolicy=CS_NEG_DONT_CARE] :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,322 INFO :: negotiatedOutcome:CS_NEG_USE_TCP :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,322 INFO :: was a success, return choice to server :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,325 INFO :: startupResponse captured:StartupResponseData:
status:0
relVersion:rods4.1.10
apiVersion:d
reconnPort:0
reconnAddr:
cookie:400 :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,325 INFO :: wrapConnectionInSsl() :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,326 INFO :: no ssl :: [qtp2012345402-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,326 INFO :: negotiated configuration:StartupResponseData:
status:0
relVersion:rods4.1.10
apiVersion:d
reconnPort:0
reconnAddr:
cookie:400 :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,326 INFO :: startup response:StartupResponseData:
status:0
relVersion:rods4.1.10
apiVersion:d
reconnPort:0
reconnAddr:
cookie:400 :: [qtp2012345402-22] org.irods.jargon.core.connection.AuthMechanism
2017-07-25 16:08:33,326 INFO :: authenticate :: [qtp2012345402-22] org.irods.jargon.core.connection.StandardIRODSAuth
2017-07-25 16:08:33,326 INFO :: sending standard irods password :: [qtp2012345402-22] org.irods.jargon.core.connection.StandardIRODSAuth
2017-07-25 16:08:33,336 INFO :: auth was successful :: [qtp2012345402-22] org.irods.jargon.core.connection.StandardIRODSAuth
2017-07-25 16:08:33,336 INFO :: auth response was:AuthResponse [successful=true, authMessage=, authenticatingIRODSAccount=irods://data-curators@irods-2.cyverse.org:1247, authenticatedIRODSAccount=irods://data-curators@irods-2.cyverse.org:1247, responseProperties=[], startupResponse=StartupResponseData:
status:0
relVersion:rods4.1.10
apiVersion:d
reconnPort:0
reconnAddr:
cookie:400] :: [qtp2012345402-22] org.irods.jargon.core.connection.StandardIRODSAuth
2017-07-25 16:08:33,336 INFO :: ..authenticated...now decorate and return... :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,336 INFO :: decorate() :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,336 INFO :: getting irods server properties :: [qtp2012345402-22] org.irods.jargon.core.connection.EnvironmentalInfoAccessor
2017-07-25 16:08:33,336 INFO :: now retriving server properties from cache with zone:iplant :: [qtp2012345402-22] org.irods.jargon.core.connection.DiscoveredServerPropertiesCache
2017-07-25 16:08:33,336 INFO :: returning cached props:org.irods.jargon.core.connection.IRODSServerProperties@5ea67e80 :: [qtp2012345402-22] org.irods.jargon.core.connection.EnvironmentalInfoAccessor
2017-07-25 16:08:33,336 INFO :: org.irods.jargon.core.connection.IRODSServerProperties@5ea67e80 :: [qtp2012345402-22] org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory
2017-07-25 16:08:33,337 INFO :: authResponse:AuthResponse [successful=true, authMessage=, authenticatingIRODSAccount=irods://data-curators@irods-2.cyverse.org:1247, authenticatedIRODSAccount=irods://data-curators@irods-2.cyverse.org:1247, responseProperties=[], startupResponse=StartupResponseData:
status:0
relVersion:rods4.1.10
apiVersion:d
reconnPort:0
reconnAddr:
cookie:400] :: [qtp2012345402-22] org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl
2017-07-25 16:08:33,337 INFO :: getObjStat(final String irodsAbsolutePath) :: [qtp2012345402-22] org.irods.jargon.core.pub.IRODSFileSystemAOImpl
2017-07-25 16:08:33,337 INFO :: retrieveObjectStatForPathWithHeuristicPathGuessing() :: [qtp2012345402-22] org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl
2017-07-25 16:08:33,351 INFO :: got a file not found, try to heuristically produce an objstat :: [qtp2012345402-22] org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl
2017-07-25 16:08:33,351 INFO :: handleNoObjStatUnderRootOrHomeByLookingForPublicAndHome() :: [qtp2012345402-22] org.irods.jargon.core.pub.CollectionIteratorAOImpl
2017-07-25 16:08:33,351 INFO :: really is a not found for file:/iplant/home/shared/commons_repo/curated/test-doi-perf :: [qtp2012345402-22] org.irods.jargon.core.pub.CollectionIteratorAOImpl
2017-07-25 16:08:33,352 INFO :: preDisconnectAction() :: [qtp2012345402-22] org.irods.jargon.core.connection.IRODSMidLevelProtocol
2017-07-25 16:08:33,353 ERROR :: org.ixxxxxxxx.jargon.core.exception.FileNotFoundException: unable to find file under path
at org.ixxxxxxxx.jargon.core.pub.CollectionListingUtils.handleNoObjStatUnderRootOrHomeByLookingForPublicAndHome(CollectionListingUtils.java:292)
at org.ixxxxxxxx.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.retrieveObjectStatForPathWithHeuristicPathGuessing(CollectionAndDataObjectListAndSearchAOImpl.java:1589)
at org.ixxxxxxxx.jargon.core.pub.IRODSFileSystemAOImpl.getObjStat(IRODSFileSystemAOImpl.java:469)
at ...
Hey @trel does this have an iRODS side issue or resolution? Is this something to get together on for 4.2.5?
I'm not sure I've seen a scenario before where someone is trying to authenticate 'as a group'...
@jasoncoposky a feature or a bug that attempting this is not working?
Yeah, as original reporter, no idea if this should work or shouldn't, but one way or the other it probably shouldn't partially work, I'd imagine -- I'd expect either it should work or it should fail while trying to set up the client user, rather than apparently working and just reporting a lack of access.
I think authenticating 'as a group' doesn't make any sense - and should be disallowed earlier in the flow. I can't think of a use case where this is useful as a feature.
On this one I'm not quite sure what should happen. It seems like it would have to be down in iRODS where a determination could be made that the proxy-ing account is a group not a user? We could add a check at the client level, but that seems to be moving in the opposite direction of 'client/server' inversion that makes the client libraries so complex.
On Mon, Jul 15, 2019 at 9:12 AM Terrell Russell notifications@github.com wrote:
I think authenticating 'as a group' doesn't make any sense - and should be disallowed earlier in the flow. I can't think of a use case where this is useful as a feature.
Agreed - I've just created irods/irods#4451 to tighten up this behavior.
I'm not sure if this is a Jargon issue or an iRODS one. Apologies in advance if I should be bothering someone else!
We're starting to try to use the client/proxy user feature. However, this isn't always working as expected. In particular, proxying as a group seems to basically not work.
What we're doing:
- IRODSAccount with IRODSAccount/instanceWithProxy, passing a group name as the third argument (host port client-user password home zone resource username zone)
- IRODSFile with instanceIRODSFile on the IRODSFileFactory for a directory the group has ownership permissions on.
- exists on that IRODSFile

When I do this with a random member of the group, everything seems to work fine. But, when using the group name itself, it returns false, and verifying with an ObjStat lookup I see a FileNotFoundException: unable to find file under path.
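The pattern reported in this issue (authentication succeeds, then the lookup logs a definitive not-found) can be pulled out of Jargon logs in the layout shown in this thread, as candidates for review. This is an added example, not code from the issue or from Jargon; the sample lines, account names, host and function names are constructed.

```python
import re

# Constructed sample in the Jargon log layout shown in this thread:
# "<timestamp> <LEVEL> :: <message> :: [<thread>] <logger>"
SAMPLE = """\
2017-07-25 16:08:33,322 INFO :: negotiatedOutcome:CS_NEG_USE_TCP :: [qtp-22] org.irods.jargon.core.connection.ClientServerNegotiationService
2017-07-25 16:08:33,336 INFO :: auth response was:AuthResponse [successful=true, authenticatedIRODSAccount=irods://example-group@irods.example.org:1247, startupResponse=StartupResponseData:
status:0
cookie:400] :: [qtp-22] org.irods.jargon.core.connection.StandardIRODSAuth
2017-07-25 16:08:33,351 INFO :: really is a not found for file:/zone/home/shared/example :: [qtp-22] org.irods.jargon.core.pub.CollectionIteratorAOImpl
2017-07-25 16:08:34,010 INFO :: auth response was:AuthResponse [successful=true, authenticatedIRODSAccount=irods://alice@irods.example.org:1247] :: [qtp-23] org.irods.jargon.core.connection.StandardIRODSAuth
"""

START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [A-Z]+ :: ")
RECORD = re.compile(r"^(\S+ \S+) ([A-Z]+) :: (.*) :: \[([^\]]+)\] (\S+)$", re.S)
ACCOUNT = re.compile(r"successful=true.*?authenticatedIRODSAccount=irods://([^@\s]+)@", re.S)
NOT_FOUND = re.compile(r"really is a not found for file:(\S+)")

def records(text):
    """Yield (thread, message) per record, joining continuation lines."""
    buf = []
    for line in text.splitlines():
        if START.match(line) and buf:
            yield from _parse("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        yield from _parse("\n".join(buf))

def _parse(raw):
    # Records without the trailing "[thread] logger" (stack traces) are skipped.
    m = RECORD.match(raw)
    if m:
        yield m.group(4), m.group(3)

def auth_then_not_found(text):
    """Return (account, path) pairs where a thread authenticated
    successfully and then logged a definitive not-found."""
    last_auth, hits = {}, []
    for thread, msg in records(text):
        a = ACCOUNT.search(msg)
        if a:
            last_auth[thread] = a.group(1)  # pooled threads: newest auth wins
        nf = NOT_FOUND.search(msg)
        if nf and thread in last_auth:
            hits.append((last_auth[thread], nf.group(1)))
    return hits
```

A hit is not proof of the group-proxy case, since a path that really is missing produces the same lines; it only narrows down which account and path to check.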