Revocation of remote user account in presence of a zowe.config.json file in a Zowe CLI V1 context

FALLAI-Denis commented 2 years ago

Development environment used

Z Open Editor version: 2.1.0 (Zowe Explorer 2.1.0)
Editor Platform
- [X] Visual Studio Code
- [ ] Red Hat CodeReady Workspaces
- [ ] Eclipse Che
- [ ] Standalone Theia
Editor Platform Version: 1.68
Operating System: Windopws 10 20H2
Java Version: 1.8
[ ] Related to RSE API?
- RSE API Plugin version:
- Zowe CLI version: 7.1.2 (V2)
- Node.js version:
Logs attached: no

Problem Description

When swithcing Workspace, (witout leaving VS Code), using different Zowe and SSH profiles, (or same named profil?), the remote user account (RACF) was revoked when searching for COPYBOOKs on the remote system.

This is the case with Zowe CLI V2, and zowe.config.json files for a Workspace present at the root of the Workspace, and for the other Workspace absent from the Workspace (therefore using the zowe.config.json file in the home directory).

Zowe Explorer messages about profile cache management problem appeared. The system failed to save the new credentials and repeatedly requested them.

The case is not clearly identified and has not been reproduced, (no attempt to revoke the user account again).

In Zowe CLI V1 this problem did not occur because profile management was global at the home directory level and the same credentials were used by all Workspaces.

In Zowe CLI V2, each Workspace defines new credentials context if a zowe.config.json file is declared at the root of the Workspace, even if the profile names are identical (the credentials depend on the folder where the zowe.config.json file is stored). See comment on Zowe CLI V2 - Using environment variables in profile properties

It turns out that the password of the remote account had been changed on the remote system, that several remote systems were accessed from Workspaces, but that all the remote systems use the same account password (RACF synchronization between the systems), and that the credentials therefore had to be updated in each Zowe CLI context.

It may be the combination, "same profile name", "Zowe CLI V2 credentials context per folder", "workspace switching", "change password on remote system" which is mishandled in Z Open Editor or in Zowe Explorer which caused the user account to be revoked on the remote system.

Observed behavior

Revoked user account by COPYBOOKs search on remote system.

FALLAI-Denis commented 2 years ago

Hi,

Due to issue #245, I am switching between Zowe CLI V1 and Zowe CLI V2. This switchover is obtained by changing the node.js version using nvm, (node version manager, on Windows system).

In some workspaces, Git repositories, zowe.config.json files are present in the root folder.

In this case I think that Zowe Explorer, or Z Open Editor, works in Zowe CLI V2 mode, even if the installation in node.js is Zowe CLI V1: this is a priori proven because in the settings.json I declared defaultCliProfile and defaultSshCliProfile profiles which do not exist in zowe.config.json of the workspace, (nor in the home directory since I am in Zowe CLI V1), but which exist as Zowe CLI V1 profiles in the .zowe folder of the user.

In this configuration, to search for COPYBOOKs on the remote system, Z Open Editor repeatedly asks for credentials, tries to save them, and fails, with popups indicating that the profile does not exist and there are problems of cache management on profiles.

If I delete the zowe.config.json files (or rename them) in the workspace, and "reload windows" in VS Code, then everything is back to normal and the Zowe CLI V1 profiles are used.

So it seems that there is a problem detecting the version of Zowe CLI installed, when a zowe.config.json file is present in the workspace: it seems to force the use of Zowe CLI V2 , even if Zowe CLI V1 is actually installed on the workstation.

Today, we have workstations with Zowe CLI V1 and others with Zowe CLI V2, and all of them must work on the same Git repositories / Workspace in which we have declared the zowe.config.json files (for that users do not have to do it at their workstation if they are in Zowe CLI V2).

FALLAI-Denis commented 2 years ago

Reproducing the problem.

Zowe CLI V1 installed on the workstation, zowe.config.json (Zowe CLI V2) files present in the workspace.

This log file is available at c:\Users\S0070188\AppData\Roaming\CodeMainframe\logs\20220713T140343\exthost1\IBM.zopeneditor\zopeneditor-20220713-120400.log
Initialized IBM Z Open Editor logger on level "INFO".
2022-07-13T14:04:03.976+02:00 INFO : Zowe Explorer was modified for IBM Remote System Explorer API (RSE API) support by IBM Z Open Editor.
2022-07-13T14:04:05.822+02:00 INFO : IBM Z Open Editor extension has (re)started.
2022-07-13T14:07:03.692+02:00 INFO : The COBOL language server requested the include file "SGFSAPP", which was found and available as file "file:///C:/Trv/DepotsGIT/environn-techleads-sandbox/src/COPYCOB/SGFSAPP.cpy".
2022-07-13T14:07:04.835+02:00 INFO : The COBOL language server requested the include file "SGFSADM", which was found and available as file "file:///C:/Trv/DepotsGIT/environn-techleads-sandbox/src/COPYCOB/SGFSADM.cpy".
2022-07-13T14:07:05.998+02:00 INFO : The COBOL language server requested the include file "S9FSI902", which was found and available as file "file:///C:/Trv/DepotsGIT/environn-techleads-sandbox/src/COPYCOB/S9FSI902.cpy".
2022-07-13T14:07:07.142+02:00 INFO : The COBOL language server requested the include file "S9FSI903", which was found and available as file "file:///C:/Trv/DepotsGIT/environn-techleads-sandbox/src/COPYCOB/S9FSI903.cpy".
2022-07-13T14:07:08.573+02:00 ERROR: ZoweSettings.checkProfile: MVS connection check failed for profile GMVS with HTTP Error 401 - Unauthorized

Prompt for credential... Prompt for saving credential...

2022-07-13T14:07:22.190+02:00 WARN : The COBOL language server requested the include file "AGAVBATC", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:24.251+02:00 WARN : The COBOL language server requested the include file "AGADHORO", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:26.334+02:00 WARN : The COBOL language server requested the include file "AAADACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:28.619+02:00 WARN : The COBOL language server requested the include file "AAADACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:30.798+02:00 WARN : The COBOL language server requested the include file "AAADACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:32.854+02:00 WARN : The COBOL language server requested the include file "AAADACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:35.259+02:00 WARN : The COBOL language server requested the include file "AGADPAC0", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:37.421+02:00 WARN : The COBOL language server requested the include file "ADADDATE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:39.478+02:00 WARN : The COBOL language server requested the include file "AGADAUDT", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:41.508+02:00 WARN : The COBOL language server requested the include file "AAAPACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:43.646+02:00 WARN : The COBOL language server requested the include file "AAAPACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:45.547+02:00 WARN : The COBOL language server requested the include file "AAAPACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:47.460+02:00 WARN : The COBOL language server requested the include file "AAAPACCE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:49.452+02:00 WARN : The COBOL language server requested the include file "ADAPDATE", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:51.591+02:00 WARN : The COBOL language server requested the include file "AGAPAUD1", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.
2022-07-13T14:07:53.616+02:00 WARN : The COBOL language server requested the include file "AGAPAUD2", which was not found. enforceCaseSensitiveIncludeFileNames was set to false. Check your Zowe CLI profile and property group settings and if you have not already done so, switch to the "DEBUG" log level for more information.

On z/OS:

M 0080000 GMVS     22194 14:07:08.54 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 677       
E                                         677 00000090    LOGON/JOB INITIATION - INVALID PASSWORD                                   
M 0080000 GMVS     22194 14:07:21.33 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 325       
E                                         325 00000090    LOGON/JOB INITIATION - INVALID PASSWORD                                   
M 0080000 GMVS     22194 14:07:21.48 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 350       
E                                         350 00000090    LOGON/JOB INITIATION - INVALID PASSWORD                                   
M 0080000 GMVS     22194 14:07:23.52 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 446    
E                                         446 00000090    LOGON/JOB INITIATION - EXCESSIVE PASSWORD OR PASS PHRASE ATTEMPTS      
M 0080000 GMVS     22194 14:07:23.64 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 449      
E                                         449 00000090    LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT                       
M 0080000 GMVS     22194 14:07:25.55 STC98668 00000090  ICH408I USER(J070188 ) GROUP(DCTR99D ) NAME(FALLAI DENIS        ) 473     
E                                         473 00000090    LOGON/JOB INITIATION - REVOKED USER ACCESS ATTEMPT                      
...

Account revoked !

Twice in a row with the same workspace, with restarting VS Code between the two times.

phaumer commented 2 years ago

Added a fix with 2.1.1

IBM / zopeneditor-about