irods / irods_client_nfsrods

An nfs4j Virtual File System implementation supporting the iRODS Data Grid
BSD 3-Clause "New" or "Revised" License

federated users cannot access iRODS via NFSRODS #171

Open jbeal-work opened 1 year ago

jbeal-work commented 1 year ago

On the client, some access does work; for example, ls /home works.

```
jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/j
******  jc18#Sanger1/  *****
jb23#Sanger1/   *****
jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/jb23#Sanger1/
jb23@farm5-humgen-nfsrods:/mnt/humgen/home/jb23#Sanger1$ ls
ls: reading directory '.': Remote I/O error
```

2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSVirtualFileSystem] - statPath - User ID           = 12296
statPath - Group ID          = 65534
statPath - Permissions       = drwx------
statPath - Stat              = drwx------    1 12296 65534    0 Sep 19 10:56
2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSIdMapper] - uidToPrincipal - _id = 12296
2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSIdMapper] - gidToPrincipal - _id = 65534
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::checkAcl
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - Returning cached access result for [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::getattr
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - statPath - _inodeNumber          = 344
statPath - _path                 = /humgen/home/jb23#Sanger1
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - statPath - Returning cached stat information for [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::checkAcl
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - _subject uid         = 12296
checkAcl - _subject primary gid = 1105
checkAcl - _inode path          = /humgen/home/jb23#Sanger1
checkAcl - _accessMask          = 1
checkAcl - username             = jb23
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - _accessMask & ACE4_READ_DATA         = 1
checkAcl - _accessMask & ACE4_LIST_DIRECTORY    = 1
checkAcl - _accessMask & ACE4_WRITE_DATA        = 0
checkAcl - _accessMask & ACE4_ADD_FILE          = 0
checkAcl - _accessMask & ACE4_APPEND_DATA       = 0
checkAcl - _accessMask & ACE4_ADD_SUBDIRECTORY  = 0
checkAcl - _accessMask & ACE4_READ_NAMED_ATTRS  = 0
checkAcl - _accessMask & ACE4_WRITE_NAMED_ATTRS = 0
checkAcl - _accessMask & ACE4_EXECUTE           = 0
checkAcl - _accessMask & ACE4_DELETE_CHILD      = 0
checkAcl - _accessMask & ACE4_READ_ATTRIBUTES   = 0
checkAcl - _accessMask & ACE4_WRITE_ATTRIBUTES  = 0
checkAcl - _accessMask & ACE4_DELETE            = 0
checkAcl - _accessMask & ACE4_READ_ACL          = 0
checkAcl - _accessMask & ACE4_WRITE_ACL         = 0
checkAcl - _accessMask & ACE4_WRITE_OWNER       = 0
checkAcl - _accessMask & ACE4_SYNCHRONIZE       = 0
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - No attribute/ACL operations requested.
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - getPermissions - Returning cached permissions for [/humgen/home/jb23#Sanger1] [perms=[
UserFilePermission
    userName:jb23
    userId:10630
    filePermissionEnum:OWN
   userType:RODS_UNKNOWN
   userZone:Sanger1, 
UserFilePermission
    userName:mercury
    userId:19667546
    filePermissionEnum:OWN
   userType:RODS_UNKNOWN
   userZone:humgen]] ...
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - User is an owner, access allowed.
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::list
list - _cookie = 0
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.359 DEBUG Thread-28 [IRODSVirtualFileSystem] - list - Listing contents of [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.616 ERROR Thread-28 [CachedIrodsProtocolManager] - error creating connection
org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
    at org.irods.jargon.core.connection.IRODSErrorScanner.checkSpecificCodesAndThrowIfExceptionLocated(IRODSErrorScanner.java:190) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSErrorScanner.inspectAndThrowIfNeeded(IRODSErrorScanner.java:112) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.processMessageInfoLessThanZero(IRODSMidLevelProtocol.java:1606) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1110) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1078) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:445) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:571) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:54) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:124) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:198) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:212) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:95) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:139) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:56) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:67) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:23) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.BaseKeyedPooledObjectFactory.makeObject(BaseKeyedPooledObjectFactory.java:82) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:780) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:439) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:350) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:64) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
    at org.dcache.nfs.vfs.PseudoFs.list(PseudoFs.java:211) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.OperationREADDIR.process(OperationREADDIR.java:108) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.AbstractOperationExecutor.execute(AbstractOperationExecutor.java:58) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.NFSServerV41.NFSPROC4_COMPOUND_4(NFSServerV41.java:188) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.xdr.nfs4_prot_NFS4_PROGRAM_ServerStub.dispatchOncRpcCall(nfs4_prot_NFS4_PROGRAM_ServerStub.java:48) ~[nfsrods.jar:?]
    at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.lambda$run$0(RpcDispatcher.java:100) ~[nfsrods.jar:?]
    at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
    at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
    at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.run(RpcDispatcher.java:99) ~[nfsrods.jar:?]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593) ~[nfsrods.jar:?]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573) ~[nfsrods.jar:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
2022-08-04 14:15:09.616 ERROR Thread-28 [CachedIrodsProtocolManager] - jargon exception
2022-08-04 14:15:09.616 ERROR Thread-28 [IRODSVirtualFileSystem] - org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
2022-08-04 14:15:09.616 ERROR Thread-28 [NFSServerV41] - Unhandled exception:
java.io.IOException: org.irods.jargon.core.exception.JargonException: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:1022) ~[nfsrods.jar:?]
    at org.dcache.nfs.vfs.PseudoFs.list(PseudoFs.java:211) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.OperationREADDIR.process(OperationREADDIR.java:108) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.AbstractOperationExecutor.execute(AbstractOperationExecutor.java:58) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.NFSServerV41.NFSPROC4_COMPOUND_4(NFSServerV41.java:188) ~[nfsrods.jar:?]
    at org.dcache.nfs.v4.xdr.nfs4_prot_NFS4_PROGRAM_ServerStub.dispatchOncRpcCall(nfs4_prot_NFS4_PROGRAM_ServerStub.java:48) ~[nfsrods.jar:?]
    at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.lambda$run$0(RpcDispatcher.java:100) ~[nfsrods.jar:?]
    at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
    at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
    at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.run(RpcDispatcher.java:99) ~[nfsrods.jar:?]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593) ~[nfsrods.jar:?]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573) ~[nfsrods.jar:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.irods.jargon.core.exception.JargonException: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
    at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:72) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
    ... 12 more
Caused by: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
    at org.irods.jargon.core.connection.IRODSErrorScanner.checkSpecificCodesAndThrowIfExceptionLocated(IRODSErrorScanner.java:190) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSErrorScanner.inspectAndThrowIfNeeded(IRODSErrorScanner.java:112) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.processMessageInfoLessThanZero(IRODSMidLevelProtocol.java:1606) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1110) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1078) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:445) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:571) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:54) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:124) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:198) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:212) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:95) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:139) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:56) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:67) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:23) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.BaseKeyedPooledObjectFactory.makeObject(BaseKeyedPooledObjectFactory.java:82) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:780) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:439) ~[nfsrods.jar:?]
    at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:350) ~[nfsrods.jar:?]
    at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:64) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
    at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
    at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
    at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
    ... 12 more

The nfs server config is

```
    "nfs_server": {
        "port": 2049,
        "irods_mount_point": "/humgen",
        "user_information_refresh_time_in_milliseconds": 3600000,
        "file_information_refresh_time_in_milliseconds": 1000,
        "user_access_refresh_time_in_milliseconds": 1000,
        "object_type_refresh_time_in_milliseconds": 300000,
        "user_permissions_refresh_time_in_milliseconds": 300000,
        "user_type_refresh_time_in_milliseconds": 300000,
        "list_operation_query_results_refresh_time_in_milliseconds": 30000,
        "allow_overwrite_of_existing_files": false,
        "using_oracle_database": false
    },
```

korydraughn commented 1 year ago

I see an invalid client user error.

Q. Are you trying to access a federated zone via NFSRODS?

Q. What rodsadmin user is NFSRODS configured to use?

Q. What Unix username are you attempting to access the mount point as?

Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?

jbeal-work commented 1 year ago

> Q. Are you trying to access a federated zone via NFSRODS?

I think so. The machine is part of the humgen zone and I am accessing something in the SANGER zone.

> Q. What rodsadmin user is NFSRODS configured to use?

    "irods_client": {
        "zone": "humgen",
        "host": "irods-hum-nfsrods01.internal.sanger.ac.uk",
        "port": 1247,
        "default_resource": "demoResc",
        "ssl_negotiation_policy": "CS_NEG_REQUIRE",
        "connection_timeout_in_seconds": 600,
        "proxy_admin_account": {
            "username": "nfsrods",
            "password": "*****"
        }
    }

> Q. What Unix username are you attempting to access the mount point as?

jb23

> Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?

I am not sure I understand the question: /etc/hosts and Unix usernames -> iRODS usernames?

We are using DNS for hostname lookup; our users are in LDAP via sssd.

korydraughn commented 1 year ago

> > Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?
>
> I am not sure I understand the question: /etc/hosts and Unix usernames -> iRODS usernames?
>
> We are using DNS for hostname lookup; our users are in LDAP via sssd.

Sorry, I meant /etc/passwd instead of /etc/hosts. You provided what I wanted to know though :-).

I'm wondering if the problem has to do with the username seen by NFSRODS and iRODS. We'll look into reproducing this issue.

What OS and version of iRODS are you running?

jbeal-work commented 1 year ago

Sorry, stupid architecture question: the Docker container with nfsrods is an iRODS client talking to a local server?

```
jb23@irods-hum-nfsrods01:/$ cat /etc/issue
Ubuntu 18.04.4 LTS \n \l

jb23@irods-hum-nfsrods01:/$ apt-cache policy irods-server
irods-server:
  Installed: 4.2.7
  Candidate: 4.2.11-1~xenial
  Version table:
     4.2.11-1~xenial 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.10 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.9 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.8 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
 *** 4.2.7 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
        100 /var/lib/dpkg/status
```

korydraughn commented 1 year ago

Yes. It translates NFS operations into iRODS API calls.

jbeal-work commented 1 year ago

Any thoughts?

korydraughn commented 1 year ago

Nothing yet. We'll update the issue once we know more.

What version of NFSRODS are you using?

jbeal-work commented 1 year ago

We are using 2.1.0

korydraughn commented 1 year ago

Please confirm the following. I want to make sure I've captured the correct info.

I just noticed the default resource in your NFSRODS config is set to demoResc. Is that correct? Is this a testing environment?

And can you explain these lines from your first post?

```
jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/j
******  jc18#Sanger1/  *****
jb23#Sanger1/   *****
```

jbeal-work commented 1 year ago

The default resource is set to demoResc; neither the humgen nor the Sanger1 zone are testing environments.

I just deleted the output that may have been private.

kript commented 1 year ago

> - You're trying to access the Sanger1 zone through NFSRODS/humgen as jb23

No, he is accessing /humgen/home/jb23#Sanger1, i.e. a local-to-the-zone homedir, with a local-to-the-zone account. However, due to the way (AIUI) NFSRODS does its mappings, it won't resolve jb23#Sanger but instead will look up system uid jb23 to the jb23#humgen user. So the jb23 NFSRODS tries to access /humgen/home/jb23#Sanger1 with is actually jb23#humgen - there is no way to have it in fact be jb23#Sanger. However, for historical reasons, a lot of users don't have humgen zone accounts - like James, it seems!

kript commented 1 year ago

In case it's not clear, the only account in that zone for jb23 was jb23#Sanger1.

korydraughn commented 1 year ago

Based on what has been said, the behavior you're seeing is expected. NFSRODS is implemented to present a single collection within a zone. It assumes that every user accessing the mount point is a member of the zone it is configured to handle. This explains why you received an invalid client user exception in the log file.

Notice line 40 below. NFSRODS instantiates all iRODS users using the zone defined in the config file. https://github.com/irods/irods_client_nfsrods/blob/6f316fc9b3b75440b8a2e5bad515a13dcc2b9f7e/irods-vfs-impl/src/main/java/org/irods/nfsrods/vfs/IRODSUser.java#L22-L44

Is the behavior you're seeing surprising? What do you feel NFSRODS should do in this case?
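
The mapping described in this comment, modelled against the values from the log in this issue (an added example, not NFSRODS code and not part of the original thread). The function names, the name-only ACL comparison (inferred from the `checkAcl - username = jb23` and "User is an owner, access allowed" log lines) and the catalog contents are assumptions.

```python
from dataclasses import dataclass

CONFIGURED_ZONE = "humgen"  # "zone" from the irods_client config in this issue


@dataclass(frozen=True)
class IrodsUser:
    name: str
    zone: str

    def qualified(self) -> str:
        return f"{self.name}#{self.zone}"


def map_unix_user(unix_name: str, zone: str = CONFIGURED_ZONE) -> IrodsUser:
    """Model of the described mapping: a Unix user always becomes name#<configured zone>."""
    return IrodsUser(unix_name, zone)


def diagnose(unix_name, acl, catalog_users):
    """Explain what a request from `unix_name` would hit.

    acl           -- list of (IrodsUser, permission) on the collection
    catalog_users -- set of IrodsUser known to the configured zone
    """
    client = map_unix_user(unix_name)
    # Assumed name-only comparison, matching "username = jb23" in the log.
    name_only = [u for u, perm in acl if u.name == client.name and perm == "OWN"]
    # Zone-qualified comparison: name and zone must both match.
    qualified = [u for u, perm in acl if u == client and perm == "OWN"]
    # Same name in another zone is a different principal.
    lookalikes = sorted(u.qualified() for u, _ in acl
                        if u.name == client.name and u.zone != client.zone)
    exists = client in catalog_users
    if not exists:
        outcome = "invalid client user"  # the proxied connection is refused
    elif qualified:
        outcome = "allowed"
    else:
        outcome = "denied"
    return {
        "client": client.qualified(),
        "acl_match_by_name_only": bool(name_only),
        "acl_match_zone_qualified": bool(qualified),
        "client_exists_in_zone": exists,
        "same_name_other_zone": lookalikes,
        "outcome": outcome,
    }


# Constructed sample input, taken from the getPermissions log line above.
SAMPLE_ACL = [
    (IrodsUser("jb23", "Sanger1"), "OWN"),
    (IrodsUser("mercury", "humgen"), "OWN"),
]
# Assumption: per the thread, jb23 exists in this zone only as jb23#Sanger1.
SAMPLE_CATALOG = {
    IrodsUser("jb23", "Sanger1"),
    IrodsUser("mercury", "humgen"),
    IrodsUser("nfsrods", "humgen"),
}

if __name__ == "__main__":
    for key, value in diagnose("jb23", SAMPLE_ACL, SAMPLE_CATALOG).items():
        print(f"{key}: {value}")
```

A non-empty `same_name_other_zone` list together with `acl_match_by_name_only` being true is the case to watch for: the ACL check and the connection are then reasoning about two different principals.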

trel commented 9 months ago

I don't think NFSRODS can do anything about this scenario.

Ideas welcome.