irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Question: Problem setting up metadata search (possibly SSL related) #281

Open kalylian opened 2 years ago

kalylian commented 2 years ago

Hi,

I have a problem with metadata search. I can search for object names, but when I search for other attributes, the page just gives no result and refreshes.

It works when I set CS_NEG_DONT_CARE instead of CS_NEG_REQUIRE in /etc/irods/core.re. So I think it's an SSL issue. I've switched around the cert used as /tmp/cert/server.crt but couldn't get it to work. I need to pass the iRODS cert, right? The one defined with irods_ssl_certificate_chain_file in /var/lib/irods/.irods/irods_environment.json.

iRODS gives me this error:

Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:507:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]] [-] /irods/server/core/src/irods_server_negotiation.cpp:151:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]] [-] /irods/lib/core/src/irods_client_negotiation.cpp:526:irods::error irods::read_client_server_negotiation_message(irods::network_object_ptr, boost::shared_ptr &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]

Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:511:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]] [-] /irods/server/core/src/irods_server_negotiation.cpp:151:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]] [-] /irods/lib/core/src/irods_client_negotiation.cpp:526:irods::error irods::read_client_server_negotiation_message(irods::network_object_ptr, boost::shared_ptr &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]

Oct 14 10:06:51 pid:1018 ERROR: Agent process [15312] exited with status [1]

The stacktrace is attached here: stacktrace.txt

I think I screwed up SSL somewhere and I don't know where. It looks like the metadata search connection to iRODS is not using SSL correctly. I have tried setting ssl.negotiation.policy to both CS_NEG_REQUIRE and CS_NEG_DONT_CARE in metalnx.properties, without much success.

The SSL setup for iRODS itself was done as described in the metalnx-doku, except it's not a self-signed cert. I tried both using an LDAP rodsadmin user (via PAM) and an iRODS rodsadmin user with STANDARD auth scheme as jobs user. LDAP authentication via PAM works fine at login, so SSL seems to work there.

Kind regards

Gudrun
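An added example, not part of the original thread and not iRODS or Metalnx code: a small Python parser for the server log format quoted above. It collapses the repeated stack frames into one record per agent process and reports which remote address sent RODS_API_REQ where RODS_CS_NEG_T was expected. The sample lines are shortened from the post, and dropping loopback addresses from the report is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: the three log lines from the post, shortened to one frame each.
SAMPLE_LOG = """\
Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:507:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:511:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
Oct 14 10:06:51 pid:1018 ERROR: Agent process [15312] exited with status [1]
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) pid:(?P<pid>\d+)"
                    r"(?: remote addresses: (?P<addrs>.*?))? ERROR: (?P<body>.*)$")
MISMATCH = re.compile(r"wrong message type \[(?P<got>\w+)\] expected \[(?P<want>\w+)\]")
EXITED = re.compile(r"Agent process \[(\d+)\] exited with status \[(\d+)\]")
LOOPBACK = {"::1", "127.0.0.1"}  # assumption: loopback entries are not the peer of interest

def negotiation_failures(log_text):
    """Return one record per agent pid that logged a wrong-message-type error."""
    records, exits = {}, {}
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        exited = EXITED.search(head["body"])
        if exited:  # parent process reporting how the agent ended
            exits[exited[1]] = int(exited[2])
            continue
        mismatch = MISMATCH.search(head["body"])
        if not mismatch:
            continue
        addrs = [a.strip() for a in (head["addrs"] or "").split(",") if a.strip()]
        rec = records.setdefault(head["pid"], {
            "pid": head["pid"], "first_seen": head["ts"],
            "remote": [a for a in addrs if a not in LOOPBACK],
            "got": mismatch["got"], "expected": mismatch["want"], "lines": 0})
        rec["lines"] += 1  # repeated lines for the same agent are only counted
    for pid, rec in records.items():
        rec["agent_exit"] = exits.get(pid)  # None if no exit line was seen
    return list(records.values())

def clients_skipping_negotiation(log_text):
    """Count agents per remote address that received an API request in place of the negotiation message."""
    hits = Counter()
    for rec in negotiation_failures(log_text):
        if (rec["got"], rec["expected"]) == ("RODS_API_REQ", "RODS_CS_NEG_T"):
            for addr in rec["remote"] or ["unknown"]:
                hits[addr] += 1
    return dict(hits)
```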

trel commented 2 years ago

If your SSL is not configured correctly - nothing should work - the iRODS Server should not let you in the front door.

If SSL is required and configured correctly - and you're still getting some metadata search issues, then that's very strange.

I'd suggest you make sure that the iCommands are working and configured correctly - and then... Metalnx is just another client (with admin privileges) and should be configured the same way.

kalylian commented 2 years ago

Hi,

thanks for your response.

> If your SSL is not configured correctly - nothing should work - the iRODS Server should not let you in the front door.

Yes, that's what I'm confused about. An iRODS Server requiring SSL will probably reject a non-SSL-connection though, so this currently is my best guess, especially since the iRODS error message indicates that an RODS_CS_NEG_T message was expected (that sounds like the iRODS SSL configuration options, so it's probably SSL related), but an RODS_API_REQ was received (I'm assuming this is API related). Even more confusing, searching for data object names and checksums does work, all the other search options don't.

If I understand correctly, the searches are done via the jobs user. I'm currently using the (native) user rods as the jobs user:

:~# grep jobs metalnx.properties
jobs.irods.username=rods
jobs.irods.password=$MYPASSWORD
jobs.irods.auth.scheme=STANDARD

Logging into Metalnx as this user works just fine. CLI login works, too:

:~# grep \"rods\" ~/.irods/irods_environment.json
    "irods_user_name": "rods", 
:~# iinit
Enter your current iRODS password:
:~# ipwd
/testZone/home/rods
:~# iuserinfo | grep type
type: rodsadmin

I've passed the iRODS cert as server.crt into the container and I've set ssl.negotiation.policy to CS_NEG_REQUIRE in metalnx.properties. Is there a config option I'm not aware of?

Kind regards,

Gudrun