datalad-datasets / human-connectome-project-openaccess

WU-Minn HCP1200 Data: 3T/7T MR scans from young healthy adults twins and non-twin siblings (ages 22-35) [T1w, T2w, resting-state and task fMRI, high angular resolution dMRI]
https://db.humanconnectome.org/data/projects/HCP_1200

datalad get keeps asking keyring password #22

Open soichih opened 3 years ago

soichih commented 3 years ago

When I run datalad get for the first time, it asks me to enter the AWS id/key as well as my python-keyring password.

brlife@wrangler2:/mnt/datalad/datasets.datalad.org/hcp-openaccess/HCP1200/100206/T1w$ datalad get ribbon.nii.gz
You need to authenticate with 'hcp-s3' credentials. https://wiki.humanconnectome.org/display/PublicData/Connecting+to+Connectome+Data+via+AWS provides information on how to gain access
key_id: XXXXXXXXXXXXXXX

Please set a password for your new keyring: 
Please confirm the password: 
You need to authenticate with 'hcp-s3' credentials. https://wiki.humanconnectome.org/display/PublicData/Connecting+to+Connectome+Data+via+AWS provides information on how to gain access
secret_id: 
get(ok): ribbon.nii.gz (file) [from datalad...]   

When I download another file, it doesn't ask me for AWS id/key, but it asks me for the python keyring password.

brlife@wrangler2:/mnt/datalad/datasets.datalad.org/hcp-openaccess/HCP1200/100206/T1w$ datalad get T2w_acpc_dc.nii.gz
Please enter password for encrypted keyring: 
get(ok): T2w_acpc_dc.nii.gz (file) [from datalad...]     

Basically I just need to enter the keyring password every time I run datalad get. I am running datalad get as part of a backend service for brainlife (to cache the data on behalf of all of our users), so I need to provide the password via a non-interactive method. Is there a way to do that?

I see this in the README.

you will be asked to supply your AWS credentials the first time you use datalad get to retrieve file content of your choice from the HCP Open Access dataset. You should only need to provide credentials once, and all subsequent datalad get commands will retrieve data without asking them again.

Maybe there is a way to disable the passphrase for the keyring? The server that I am running datalad get on can only be accessed by our backend service, so there is "some" level of trust, so not having a keyring password is probably not the worst thing that I am doing.

Do you have any suggestions?

yarikoptic commented 3 years ago

https://github.com/datalad/datalad/wiki/FAQ#how-to-configure-insecure-local-credentials-store Maybe there is something similar in the handbook, didn't check

soichih commented 3 years ago

Thanks @yarikoptic

I've tried a few different options for keyringrc.cfg but so far none of them seems to have any effect. It's still asking me to enter password for the keyring.

I've tried

[backend]
default-keyring=keyrings.alt.file.PlaintextKeyring

and

[backend]
default-keyring=keyring.backend.UncryptedFileKeyring

I am not even sure if it's actually read by the keyring module that datalad is using though. I've used the path ~/.local/share/python_keyring/keyringrc.cfg

yarikoptic commented 3 years ago

Just a quick one: I usually just strace the process in such cases to see what files it does try to read, might give a clue. Probably keyring changed the config location some time recently, worth checking, will do later

soichih commented 3 years ago

For some reason, strace wasn't showing anything about keyring.. maybe it's spawning a new process when I run datalad get?

Anyway, I've tested the keyring python module and found this error message generated.

RuntimeError: Keyring config exists only in the old location /home/brlife/.local/share/python_keyring/keyringrc.cfg and should be moved to /home/brlife/.config/python_keyring/keyringrc.cfg to work with this version of keyring.

I've moved the config to ~/.config/python_keyring directory, and now it's working!

$ datalad get aparc.a2009s+aseg.nii.gz
get(ok): aparc.a2009s+aseg.nii.gz (file) [from datalad...]

soichih commented 3 years ago

I've updated the path on the wiki page.

yarikoptic commented 3 years ago

> For some reason, strace wasn't showing anything about keyring.. maybe it's spawning a new process when I run datalad get?

yes, it would spawn git-annex-remote-datalad to access those non-openly available HCP files. I usually run strace -f (forgot to mention, sorry)

> Anyway, I've tested the keyring python module and found this error message generated.
>
> RuntimeError: Keyring config exists only in the old location /home/brlife/.local/share/python_keyring/keyringrc.cfg and should be moved to /home/brlife/.config/python_keyring/keyringrc.cfg to work with this version of keyring.

hm, and we (datalad) showed nothing? not good :-/

> I've updated the path on the wiki page.

Thanks! someone will need to tune it up to mention previous path and version of keyring when that switch happened.
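Added example, not part of the thread and not datalad or keyring code: a standard-library check for the state discussed above, reporting whether keyringrc.cfg sits only in the old location and, when a plaintext backend is selected, whether the keyring data directory is readable by other accounts. The function name, the report format and the assumption that file-based backends keep their store in ~/.local/share/python_keyring are illustrative.

```python
import configparser
import stat
from pathlib import Path

# Paths relative to $HOME, taken from the RuntimeError quoted in the thread.
OLD_CFG = ".local/share/python_keyring/keyringrc.cfg"
NEW_CFG = ".config/python_keyring/keyringrc.cfg"
# Assumption: file-based backends keep their store in this data directory.
DATA_DIR = ".local/share/python_keyring"


def audit_keyring_config(home):
    """Report where keyringrc.cfg lives under `home` and what it selects."""
    home = Path(home)
    old, new = home / OLD_CFG, home / NEW_CFG
    report = {"location": "missing", "backend": None, "findings": []}
    if not new.is_file():
        if old.is_file():
            # The state hit in the thread: the file is not picked up from here.
            report["location"] = "old-only"
            report["findings"].append(f"move {old} to {new}")
        return report
    report["location"] = "new"
    if old.is_file():
        report["findings"].append(f"stale copy left at {old}")

    parser = configparser.RawConfigParser()
    parser.read(new)
    backend = parser.get("backend", "default-keyring", fallback=None)
    report["backend"] = backend
    if backend and ("Plaintext" in backend or "Uncrypted" in backend):
        report["findings"].append("backend keeps secrets unencrypted on disk")
        data_dir = home / DATA_DIR
        if data_dir.is_dir():
            mode = stat.S_IMODE(data_dir.stat().st_mode)
            if mode & 0o077:
                report["findings"].append(
                    f"{data_dir} is mode {mode:03o}; restrict it to 700")
    return report


if __name__ == "__main__":
    result = audit_keyring_config(Path.home())
    print(result["location"], result["backend"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it as the service account that executes datalad get, since the paths are resolved against that account's home directory.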