Closed mstfdkmn closed 5 months ago
What version of the PRC are you using? What version of iRODS are you experiencing this against?
What version of the PRC are you using?
>>> import irods
>>> irods.__version__
'2.0.0'
What version of iRODS are you experiencing this against?
>>> session.server_version
(4, 3, 1)
Oh right, the PRC version is in the title.
Anyway, have you adjusted your PAM TTL settings according to the following section?
If yes, can you share what you have for each option?
These are:
[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_max_time
1209600
[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_min_time
121
[irods@gbiomed ~]$ iadmin get_grid_configuration authentication password_extend_lifetime
1
The real issue here is that in the v1 client the default password lifetime is 60 hours https://github.com/irods/python-irodsclient/blob/v1.1.9/irods/connection.py#L440 (although the naming of that variable is confusing).
In v2 the default is that the server should decide on the lifetime https://github.com/irods/python-irodsclient/blob/ed2e73cb79dcf08efedeed4a19f3e2a43db90f9c/irods/connection.py#L461-L462 apparently without the possibility for the client to overwrite it and ask for another value. And the default lifetime of the server is the minimal one, 121 seconds.
Everything is more configurable with 'seconds', so that was the new standard - so I think that part is expected/desired.
you're sure it was being treated as 'hours' in 1.1.9? that seems... surprising.
One thing that sticks out is the message at the end of stacktrace(?).
RuntimeError: Time To Live has expired for the PAM password, and no new password is given in legacy_auth.pam.password_for_auto_renew. Please run iinit.
That is generated here: https://github.com/irods/python-irodsclient/blob/1d8433e760abbd26859873054812fee6b9a187f3/irods/connection.py#L475-L477
Seems you may want to review this section. There are several PAM-related options described there and they are referenced in the code leading to that exception.
See the following for the full function impl. Notice the lines starting from line 470. https://github.com/irods/python-irodsclient/blob/1d8433e760abbd26859873054812fee6b9a187f3/irods/connection.py#L457-L480
you're sure it was being treated as 'hours' in 1.1.9? that seems... surprising.
https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7102
The number passed over the wire is multiplied by 3600, so it always has been hours. So this is the regression for the python client: by default v1 attempted to generate a native password with validity of 60 hours, and v2 takes the shorter 121 seconds from server side.
Actually, the correct code snippet is
https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7241-L7252
I think adding a settings file will allow you to make progress. The option you want to set in that file appears to be legacy_auth.pam.time_to_live_in_hours.
You may also need legacy_auth.pam.password_for_auto_renew.
Confused with this. Btw, we don't use the native authentication in our flow.
Note this line too, showing that eventually _login_pam routes through _login_native anyway, with a transformed value it receives from the server, as part of its own internal workings. Yes, it's been that way for a while! : )
I am closing this - because we decided to use the native scheme. And apparently we are touching on an issue that existed in older versions.
Hi, we have an iinit snippet (iinit.exe too) that is used by our Windows users to set up the necessary files to authenticate against iRODS. It writes the iRODS environment file and the .irodsA file. So that the obfuscated password file helps users grant access for 60 hours. Basically it mimics iinit of iCommands. Before v2.0.0 all was working normally. However, it seems with v2.0.0 there is something broken in the flow. I explain it below.
iinit snippet to be executed in an interactive shell/interpreter:
any script that contains session connection to be executed:
If the script that contains a session connection is executed immediately after the iinit script, the flow works normally. But if it is executed later (my impression is 120 sec), we get the error here:
Confused with this. Btw, we don't use the native authentication in our flow.
Could you look into this issue? Meanwhile, please let us know if there is any workaround or if we are missing something. We tried several things but they didn't work. Thanks.