irods / python-irodsclient

A Python API for iRODS

User certificate management #70

Closed pdonorio closed 7 years ago

pdonorio commented 7 years ago

Hello,

I've seen the user management class and the tests but I could not find the equivalent of the icommand iadmin for options 'lua', 'aua' and 'rua'; please see here.

Am I missing something or maybe these options are not yet available?

Thanks

adetorcy commented 7 years ago

For an equivalent to iadmin aua and iadmin rua you should be able to do something like: session.users.modify(bobby, 'addAuth', '...') and session.users.modify(bobby, 'rmAuth', '...') respectively. I have not tried it so please let me know if it works.

For iadmin lua I will have to add support for the "simple query" API. Is this something you need?

pdonorio commented 7 years ago

you should be able to do something like: session.users.modify(bobby, 'addAuth', '...')

Ok! Thank you, I was trying session.users.modify(bobby, 'dn', '...') but of course it didn't make sense :) The addAuth syntax works instead.

For iadmin lua I will have to add support for the "simple query" API. Is this something you need?

I was investigating with the use of the icat queries if I can reach the same info. Maybe you can help me, I am trying:

    from irods.models import User

    # obj is an authenticated iRODSSession
    res = obj.query(User.name, User.dn).all()
    for element in res:
        print(element)

This prints things like:

{<irods.column.Column 202 USER_NAME>: 'guest', <irods.column.Column 205 USER_DN>: None}

So the DN looks empty but actually it's not because I just set it with addAuth and is also confirmed with iadmin lua:

$ iadmin lua
guest /O=Grid/OU=GlobusTest/OU=simpleCA-rodserver.dockerized.io/OU=Globus Simple CA/CN=guest

adetorcy commented 7 years ago

It's because the user DN is stored in a separate iCAT table. Please try the patch below.

diff --git a/irods/models.py b/irods/models.py
index 768a674..4c438c7 100644
--- a/irods/models.py
+++ b/irods/models.py
@@ -29,7 +29,7 @@ class User(Model):
     name = Column(String, 'USER_NAME', 202)
     type = Column(String, 'USER_TYPE', 203)
     zone = Column(String, 'USER_ZONE', 204)
-    dn = Column(String, 'USER_DN', 205)
+    dn = Column(String, 'USER_DN', 1601)
     info = Column(String, 'USER_INFO', 206)
     comment = Column(String, 'USER_COMMENT', 207)
     create_time = Column(DateTime, 'USER_CREATE_TIME', 208)
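
Review bot: Remapping the existing `User.dn` column from id 205 to 1601 changes which catalog table every query that touches the `User` model resolves the DN from, not just queries that explicitly ask for the DN; since the DN lives in a separate iCAT table (as the comment above says), any code path that selects the whole model, such as `users.get()`, will now join to that table and silently lose users that have no DN row. Consider exposing the auth-table DN as a separate model or column rather than redefining `User.dn`, and add a comment explaining the 1601 id and its source table, because the bare number gives the next reader no hint that it crosses a table boundary.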

pdonorio commented 7 years ago

Trying the patch, it looks like it now works with GSI authentication for that query. Unfortunately it breaks normal credential actions like sess.users.get(user), raising irods.exception.UserDoesNotExist. How come? I also looked at the iRODS code and the number you gave is correct. Can I help in some other way?

adetorcy commented 7 years ago

What is likely happening here is that the general query interface joins r_user_main and r_user_auth, and not all users are in r_user_auth (only those explicitly added through iadmin aua or equivalent). iadmin lua uses a simple query but that might be overkill here. Let me see if I can come up with a workaround...
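To make the join behaviour described above concrete, here is an added example that is not part of python-irodsclient or of this thread. It models r_user_main and r_user_auth in an in-memory SQLite database with constructed sample rows (the schema is reduced to the columns the thread touches, and the DN column name user_auth_name is an assumption about the real iCAT schema). It shows the inner join that drops users who were never given a DN, the LEFT JOIN that would keep them, and a client-side merge that works regardless of how the server joins, which is the equivalent of running one query for users and one for the auth table and combining the results in Python. Only the standard library is needed.

```python
import sqlite3

# Constructed stand-in for the two iCAT tables discussed in this thread
# (r_user_main and r_user_auth). Column names follow the real iCAT schema as far
# as this example needs them; the DN column name is an assumption.
SAMPLE_USERS = [
    # (user_id, user_name, user_type_name, zone_name)
    (10001, "rods", "rodsadmin", "tempZone"),
    (10002, "guest", "rodsuser", "tempZone"),
    (10003, "alice", "rodsuser", "tempZone"),
]
# Only 'guest' has been given a DN (iadmin aua / users.modify(..., 'addAuth', ...)).
GUEST_DN = ("/O=Grid/OU=GlobusTest/OU=simpleCA-rodserver.dockerized.io"
            "/OU=Globus Simple CA/CN=guest")
SAMPLE_AUTH = [
    # (user_id, user_auth_name)
    (10002, GUEST_DN),
]


def build_catalog():
    """Create an in-memory catalog holding the two tables and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE r_user_main (
            user_id        INTEGER PRIMARY KEY,
            user_name      TEXT NOT NULL,
            user_type_name TEXT NOT NULL,
            zone_name      TEXT NOT NULL
        );
        CREATE TABLE r_user_auth (
            user_id        INTEGER NOT NULL REFERENCES r_user_main(user_id),
            user_auth_name TEXT NOT NULL
        );
    """)
    db.executemany("INSERT INTO r_user_main VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO r_user_auth VALUES (?, ?)", SAMPLE_AUTH)
    return db


def users_inner_join(db):
    """Selecting USER_NAME together with the DN column from r_user_auth makes the
    general query join the two tables. With an inner join, users that were never
    given a DN are not returned at all: this is the UserDoesNotExist symptom."""
    rows = db.execute("""
        SELECT m.user_name, a.user_auth_name
        FROM r_user_main m
        JOIN r_user_auth a ON a.user_id = m.user_id
        ORDER BY m.user_name
    """).fetchall()
    return [(name, dn) for name, dn in rows]


def users_left_join(db):
    """Server-side fix: a LEFT JOIN keeps every user and yields NULL for no DN."""
    rows = db.execute("""
        SELECT m.user_name, a.user_auth_name
        FROM r_user_main m
        LEFT JOIN r_user_auth a ON a.user_id = m.user_id
        ORDER BY m.user_name
    """).fetchall()
    return [(name, dn) for name, dn in rows]


def users_merged_client_side(db):
    """Client-side workaround that needs no change to the server's join: read
    r_user_main and r_user_auth separately and merge by user_id. A user may carry
    several DNs, so the result maps user_name -> list of DNs ([] when none)."""
    names = {uid: name for uid, name in
             db.execute("SELECT user_id, user_name FROM r_user_main")}
    dns = {}
    for uid, dn in db.execute("SELECT user_id, user_auth_name FROM r_user_auth"):
        dns.setdefault(uid, []).append(dn)
    return {name: dns.get(uid, []) for uid, name in names.items()}


if __name__ == "__main__":
    catalog = build_catalog()
    print("inner join :", users_inner_join(catalog))
    print("left join  :", users_left_join(catalog))
    print("merged     :", users_merged_client_side(catalog))
```

The merge in users_merged_client_side is the shape a client-side workaround takes when the server's join type cannot be changed: existence of a user is decided by r_user_main alone, and the auth table only adds DNs, so a user with no DN can never be mistaken for a missing user.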

pdonorio commented 7 years ago

Thank you for your work, and as usual let me know if we can help

adetorcy commented 7 years ago

No worries. I pushed a fix. Let me know how it goes. We can make further changes if needed.

pdonorio commented 7 years ago

This push fixed sess.users.get, thank you. You may close this issue for me, as I was able to do the actions I had with the icommands.