kbase / dts

A data transfer service
https://kbase.github.io/dts/
MIT License

Globus file status checks require an identity from an allowed domain #48

Closed jeff-cohere closed 6 months ago

jeff-cohere commented 7 months ago

When the DTS attempts to obtain a list of the contents of a directory on the Globus endpoint used by the JGI Data Portal, after negotiating some consent/scope related issues, it gets the following error message from the endpoint:

Command Failed: Error (login)
Endpoint: NERSC SHARE (b6534bbc-5bb1-11e9-bf33-0edbf3a4e7ee)
Server: 128.55.200.27:443
Message: Login Failed
---
Details: 530-Login incorrect. : GlobusError: v=1 c=LOGIN_DENIED\r\n530-GridFTP-Message: Identity set contains an identity from an allowed domain, but it does not map to a valid username for this connector\r\n530-GridFTP-JSON-Result: {"DATA_TYPE": "result#1.0.0", "code": "permission_denied", "detail": {"DATA_TYPE": "invalid_user#1.0.0"}, "has_next_page": false, "http_response_code": 403, "message": "Identity set contains an identity from an allowed domain, but it does not map to a valid username for this connector"}\r\n530 End.\r\n
 (ExternalError.DirListingFailed.LoginFailed)

Currently, we don't create a mapping from the Globus account used by the DTS to a local user--as far as I know, we just use the default mapping. I guess we need to figure out a local user that has the proper access privileges to conduct DTS business.
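An added example, not part of the original issue or the DTS code base: one way a client could pull the `530-GridFTP-JSON-Result` payload out of the Details text above and recognize the identity-mapping denial, as distinct from other login failures. The type and function names are hypothetical; the sample string is the Details text quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Added example: names below are hypothetical, not taken from DTS or Globus code.
// gridFTPResult mirrors the fields of the JSON result quoted in the issue.
type gridFTPResult struct {
	Code   string `json:"code"`
	Detail struct {
		DataType string `json:"DATA_TYPE"`
	} `json:"detail"`
	HTTPStatus int    `json:"http_response_code"`
	Message    string `json:"message"`
}

const jsonPrefix = "530-GridFTP-JSON-Result: "

// parseLoginFailure finds the JSON result line; it accepts real CRLF or the escaped `\r\n` form.
func parseLoginFailure(details string) (*gridFTPResult, error) {
	details = strings.ReplaceAll(details, `\r\n`, "\n")
	for _, line := range strings.Split(details, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, jsonPrefix) {
			continue
		}
		var r gridFTPResult
		if err := json.Unmarshal([]byte(strings.TrimPrefix(line, jsonPrefix)), &r); err != nil {
			return nil, fmt.Errorf("malformed GridFTP JSON result: %w", err)
		}
		return &r, nil
	}
	return nil, fmt.Errorf("no GridFTP JSON result in details")
}

// isIdentityMappingFailure is true when the identity was accepted but has no local username.
func isIdentityMappingFailure(r *gridFTPResult) bool {
	return r.Code == "permission_denied" && strings.HasPrefix(r.Detail.DataType, "invalid_user#")
}

// sampleDetails is the Details text from the issue, in its escaped form.
const sampleDetails = `530-Login incorrect. : GlobusError: v=1 c=LOGIN_DENIED\r\n530-GridFTP-Message: Identity set contains an identity from an allowed domain, but it does not map to a valid username for this connector\r\n530-GridFTP-JSON-Result: {"DATA_TYPE": "result#1.0.0", "code": "permission_denied", "detail": {"DATA_TYPE": "invalid_user#1.0.0"}, "has_next_page": false, "http_response_code": 403, "message": "Identity set contains an identity from an allowed domain, but it does not map to a valid username for this connector"}\r\n530 End.\r\n`

func main() {
	r, err := parseLoginFailure(sampleDetails)
	fmt.Println(r != nil && isIdentityMappingFailure(r), err)
}
```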

jeff-cohere commented 6 months ago

According to Kjiersten, both JAMO and JAWS actually have dedicated user accounts, so maybe this is how they get around the issue. These users retain ownership of the files they transfer, but the permissions are such that users can manipulate them as needed.

jeff-cohere commented 6 months ago

I think I've resolved this issue by following the instructions provided by Rachana Ananthakrishnan at Globus. Specifically, I had to create a Guest Share pointing to the NERSC SHARE endpoint, associate the DTS client ID with it so it has read permissions, and use the Guest Share's UUID instead of the NERSC SHARE UUID. I think this will work pretty easily, but I'll keep this issue open till I am able to see a complete transfer through.

jeff-cohere commented 6 months ago

We've resolved this issue.