irods-contrib / irods-cloud-browser

DFC Web Based cloud browser
BSD 2-Clause "Simplified" License

Download problem when user isn't specifically listed in the ACL list #177

Open carrgilson opened 8 years ago

carrgilson commented 8 years ago

In a setup where the iRODS server [4.1.8] is configured with the STRICT ACL policy, if a file does not have that user explicitly listed in the ACL (i.e. not as a member of a group), the file will not download and will instead provide this error message:

{"error":{"cause":null,"class":"java.io.FileNotFoundException","localizedMessage":"no access to the file","message":"no access to the file","stackTrace":[{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.services.FileService","fileName":"FileService.groovy","lineNumber":124,"methodName":"obtainInputStreamForDownloadSingleFile","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.controllers.DownloadController","fileName":"DownloadController.groovy","lineNumber":43,"methodName":"show","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.PageFragmentCachingFilter","fileName":"PageFragmentCachingFilter.java","lineNumber":198,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.AbstractFilter","fileName":"AbstractFilter.java","lineNumber":63,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"com.brandseye.cors.CorsFilter","fileName":"CorsFilter.java","lineNumber":82,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor","fileName":"ThreadPoolExecutor.java","lineNumber":1142,"methodName":"runWorker","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor$Worker","fileName":"ThreadPoolExecutor.java","lineNumber":617,"methodName":"run","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.lang.Thread","fileName":"Thread.java","lineNumber":745,"methodName":"run","nativeMethod":false}],"suppressed":[]}}

Users are able to view information on data objects as expected while having permissions through group membership but cannot download the data object unless they are explicitly listed in the ACL.

For example: This file can be downloaded by usera:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - usera#tempZone:own

While this file can be listed by usera but errors when download is attempted:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - public#tempZone:read object

michael-conway commented 8 years ago

Thanks! That sounds like a bug, I'll give that a unit test.

On 07/21/2016 12:26 PM, Adam Carrgilson wrote:

In a setup where the iRODS server [4.1.8] is configured with the STRICT ACL policy, if a file does not have that user explicitly listed in the ACL (i.e. not as a member of a group), the file will not download and will instead provide this error message:

{"error":{"cause":null,"class":"java.io.FileNotFoundException","localizedMessage":"no access to the file","message":"no access to the file","stackTrace":[{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.services.FileService","fileName":"FileService.groovy","lineNumber":124,"methodName":"obtainInputStreamForDownloadSingleFile","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.controllers.DownloadController","fileName":"DownloadController.groovy","lineNumber":43,"methodName":"show","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.PageFragmentCachingFilter","fileName":"PageFragmentCachingFilter.java","lineNumber":198,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.AbstractFilter","fileName":"AbstractFilter.java","lineNumber":63,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"com.brandseye.cors.CorsFilter","fileName":"CorsFilter.java","lineNumber":82,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor","fileName":"ThreadPoolExecutor.java","lineNumber":1142,"methodName":"runWorker","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor$Worker","fileName":"ThreadPoolExecutor.java","lineNumber":617,"methodName":"run","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.lang.Thread","fileName":"Thread.java","lineNumber":745,"methodName":"run","nativeMethod":false}],"suppressed":[]}}

Users are able to view information on data objects as expected while having permissions through group membership but cannot download the data object unless they are explicitly listed in the ACL.

For example: This file can be downloaded by usera:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - usera#tempZone:own

While this file can be listed by usera but errors when download is attempted:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - public#tempZone:read object


michael-conway commented 8 years ago

This may be down in jargon....it does a pre-check before allowing download.
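The difference reported in this thread, as an added example (not code from irods-cloud-browser or Jargon): a small model that parses the two `ils -A` listings above and compares a pre-check that looks only for the user's own ACL entry with one that also honours group entries. The function names, the assumption that usera belongs to the `public` group, and the explicit-only pre-check itself are hypothetical, used only to illustrate the behaviour described.

```python
import re

# Permission names as printed by `ils -A` in this thread, weakest to strongest.
LEVELS = {"null": 0, "read object": 1, "modify object": 2, "own": 3}
ACL_ENTRY = re.compile(r"(\S+?)#(\S+?):(own|modify object|read object|null)")

# The two listings from the issue, reproduced as sample input.
OWNED = """$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - usera#tempZone:own
"""
GROUP_ONLY = """$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - public#tempZone:read object
"""
USERA_GROUPS = ["public"]  # assumption: usera is a member of the public group


def parse_ils_acl(output):
    """Return {(name, zone): permission} from the 'ACL -' line of `ils -A`."""
    acl = {}
    for line in output.splitlines():
        if line.strip().startswith("ACL -"):
            for name, zone, perm in ACL_ENTRY.findall(line):
                acl[(name, zone)] = perm
    return acl


def explicit_only_level(acl, user, zone):
    """Hypothetical pre-check that considers only the user's own ACL entry."""
    return LEVELS[acl.get((user, zone), "null")]


def effective_level(acl, user, zone, groups):
    """Group-aware check: strongest permission over the user and their groups."""
    return max(LEVELS[acl.get((p, zone), "null")] for p in [user, *groups])


def report(output, user="usera", zone="tempZone", groups=USERA_GROUPS):
    """Return (explicit-only allows download, group-aware allows download)."""
    acl = parse_ils_acl(output)
    need = LEVELS["read object"]
    return (explicit_only_level(acl, user, zone) >= need,
            effective_level(acl, user, zone, groups) >= need)


if __name__ == "__main__":
    for label, listing in (("own entry", OWNED), ("group entry only", GROUP_ONLY)):
        print(label, report(listing))
```

A unit test for the download path can use the second listing as its fixture: the two checks disagree only when access comes from a group entry.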