cyverse / gocommands

iRODS Command-line Tools written in Go

Native authentication fails with GoCommands v0.10.2 #58

Closed stsnel closed 2 months ago

stsnel commented 2 months ago

Good day,

I was testing GoCommands version v0.10.2 with our Yoda development environment, and would like to report a possible regression. It seems that v0.10.2 fails with authentication errors for commands that work as expected with older GoCommands versions, as well as iCommands. The rodsLog output indicates that the problem may be related to SSL/TLS settings.

Example output for iCommands, older GoCommands versions, and v0.10.2:

irods@combined:~$ ils /
/:
  C- /tempZone
irods@combined:~$ /var/lib/irods/gocommands/0.9.12/gocmd ls /
  C- /
  C- /tempZone
irods@combined:~$ /var/lib/irods/gocommands/0.10.1/gocmd ls /
  C- /
  C- /tempZone
irods@combined:~$ /var/lib/irods/gocommands/0.10.2/gocmd ls /
Authentication failed (auth scheme: "native", username: "rods", zone: "tempZone")!

Debug output for GoCommands v0.10.2:

irods@combined:~$ /var/lib/irods/gocommands/0.10.2/gocmd ls / --debug
time="2024-09-23 16:46:57.090" level=debug msg="use sessionID - 280485" function=ProcessCommonFlags package=flag
time="2024-09-23 16:46:57.091" level=debug msg="reading icommands configuration file \"/var/lib/irods/.irods/irods_environment.json\"" function=Load package=icommands struct=ICommandsEnvironmentManager
time="2024-09-23 16:46:57.091" level=debug msg="reading icommands session file \"/var/lib/irods/.irods/irods_environment.json.280485\"" function=Load package=icommands struct=ICommandsEnvironmentManager
time="2024-09-23 16:46:57.091" level=debug msg="reading icommands password file \"/var/lib/irods/.irods/.irodsA\"" function=Load package=icommands struct=ICommandsEnvironmentManager
time="2024-09-23 16:46:57.092" level=debug msg="Connecting to combined.yoda.test:1247" function=connectTCP package=connection struct=IRODSConnection
time="2024-09-23 16:46:57.092" level=debug msg="Start up an iRODS connection" function=startup package=connection struct=IRODSConnection
time="2024-09-23 16:46:57.372" level=debug msg="Logging in using native authentication method" function=loginNative package=connection struct=IRODSConnection
time="2024-09-23 16:46:57.392" level=error msg="failed to login to irods:\n    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).Connect\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:329\n  - failed to receive authentication challenge message body (failed to receive a response message: failed to read header size: failed to receive data: failed to read from socket: read tcp 127.0.0.1:50390->127.0.2.1:1247: read: connection reset by peer):\n    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).login\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:514\n  - authentication error (auth scheme: \"native\", username: \"rods\", zone: \"tempZone\")" function=Connect package=connection struct=IRODSConnection
time="2024-09-23 16:46:57.392" level=error msg="failed to get iRODS FS Client:\n    github.com/cyverse/gocommands/cmd/subcmd.(*LsCommand).Process\n        /github/workspace/cmd/subcmd/ls.go:123\n  - failed to create connection pool:\n    github.com/cyverse/go-irodsclient/irods/session.NewIRODSSession\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/session.go:85\n  - failed to init connection pool:\n    github.com/cyverse/go-irodsclient/irods/session.NewConnectionPool\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/pool.go:54\n  - failed to connect to irods server:\n    github.com/cyverse/go-irodsclient/irods/session.(*ConnectionPool).init\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/pool.go:148\n  - failed to login to irods:\n    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).Connect\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:329\n  - failed to receive authentication challenge message body (failed to receive a response message: failed to read header size: failed to receive data: failed to read from socket: read tcp 127.0.0.1:50390->127.0.2.1:1247: read: connection reset by peer):\n    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).login\n        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:514\n  - authentication error (auth scheme: \"native\", username: \"rods\", zone: \"tempZone\")" function=main package=main
failed to get iRODS FS Client:
    github.com/cyverse/gocommands/cmd/subcmd.(*LsCommand).Process
        /github/workspace/cmd/subcmd/ls.go:123
  - failed to create connection pool:
    github.com/cyverse/go-irodsclient/irods/session.NewIRODSSession
        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/session.go:85
  - failed to init connection pool:
    github.com/cyverse/go-irodsclient/irods/session.NewConnectionPool
        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/pool.go:54
  - failed to connect to irods server:
    github.com/cyverse/go-irodsclient/irods/session.(*ConnectionPool).init
        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/session/pool.go:148
  - failed to login to irods:
    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).Connect
        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:329
  - failed to receive authentication challenge message body (failed to receive a response message: failed to read header size: failed to receive data: failed to read from socket: read tcp 127.0.0.1:50390->127.0.2.1:1247: read: connection reset by peer):
    github.com/cyverse/go-irodsclient/irods/connection.(*IRODSConnection).login
        /go/pkg/mod/github.com/cyverse/go-irodsclient@v0.15.3/irods/connection/connection.go:514
  - authentication error (auth scheme: "native", username: "rods", zone: "tempZone")
Authentication failed (auth scheme: "native", username: "rods", zone: "tempZone")!

rodsLog output when trying to use v0.10.2:

Sep 23 16:53:42 pid:282040 remote addresses: 127.0.0.1, 127.0.2.1 ERROR: [-]    /irods_source/server/core/src/rodsAgent.cpp:522:int runIrodsAgentFactory(sockaddr_un) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]
        [-]     /irods_source/server/core/src/irods_server_negotiation.cpp:101:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) :  status [SYS_INVALID_INPUT_PARAM]  errno [] -- message [SSL is required by the server but not requested by the client]

Sep 23 16:53:42 pid:1478  ERROR: Agent process [282040] exited with status [1]

I'm running GoCommands from the irods service account on the server, with native authentication. The server is running iRODS 4.2.12 and has irods_client_server_policy set to CS_NEG_REQUIRE.

iychoi commented 2 months ago

Can you show me what values you have for the following fields in ~/.irods/irods_environment.json?

irods_client_server_negotiation should be set to request_server_negotiation and irods_client_server_policy should be set to CS_NEG_REQUIRE or CS_NEG_DONT_CARE.

iychoi commented 2 months ago

Can you check if the new release v0.10.3 fixes the issue? https://github.com/cyverse/gocommands/releases/tag/v0.10.3

stsnel commented 2 months ago

Thank you for the fix! The issue no longer occurs with v0.10.3 in our development environment.

For the record, our irods_client_server_negotiation and irods_client_server_policy settings are:

irods@combined:~$ grep irods_client .irods/irods_environment.json
    "irods_client_server_negotiation": "request_server_negotiation",
    "irods_client_server_policy": "CS_NEG_REQUIRE",

iychoi commented 2 months ago

Thank you for the check! Glad it worked!
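
An added example, not part of the original thread and not GoCommands or go-irodsclient code: a small Go check that predicts the client-server negotiation outcome from the two irods_environment.json fields discussed above and a given server policy, using the standard iRODS policy table. The names `Negotiate` and `clientEnv` are hypothetical; the no-negotiation failure case is the one the rodsLog message in the report describes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// clientEnv holds the two irods_environment.json fields discussed in the thread.
type clientEnv struct {
	Negotiation string `json:"irods_client_server_negotiation"`
	Policy      string `json:"irods_client_server_policy"`
}
var valid = map[string]bool{"CS_NEG_REQUIRE": true, "CS_NEG_DONT_CARE": true, "CS_NEG_REFUSE": true}

// Negotiate returns CS_NEG_USE_SSL, CS_NEG_USE_TCP or CS_NEG_FAILURE for a client environment and a server policy.
func Negotiate(envJSON []byte, server string) (string, error) {
	var env clientEnv
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return "", fmt.Errorf("parse environment: %w", err)
	}
	if !valid[server] {
		return "", fmt.Errorf("unknown server policy %q", server)
	}
	if env.Negotiation != "request_server_negotiation" {
		// No negotiation requested: a CS_NEG_REQUIRE server rejects the client,
		// the case logged as "SSL is required by the server but not requested".
		if server == "CS_NEG_REQUIRE" {
			return "CS_NEG_FAILURE", nil
		}
		return "CS_NEG_USE_TCP", nil
	}
	if !valid[env.Policy] {
		return "", fmt.Errorf("unknown client policy %q", env.Policy)
	}
	require := env.Policy == "CS_NEG_REQUIRE" || server == "CS_NEG_REQUIRE"
	refuse := env.Policy == "CS_NEG_REFUSE" || server == "CS_NEG_REFUSE"
	switch {
	case require && refuse:
		return "CS_NEG_FAILURE", nil
	case refuse:
		return "CS_NEG_USE_TCP", nil
	}
	return "CS_NEG_USE_SSL", nil // REQUIRE on either side, or both DONT_CARE
}

func main() {
	// Field values as posted in the thread; the server policy is the reporter's CS_NEG_REQUIRE.
	env := []byte(`{"irods_client_server_negotiation":"request_server_negotiation","irods_client_server_policy":"CS_NEG_REQUIRE"}`)
	fmt.Println(Negotiate(env, "CS_NEG_REQUIRE"))
}
```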