Opened 11 years ago
Closed 10 years ago
#57 closed enhancement (fixed)
iRODs issue: iput -f fails
| Reported by: | divyashri.bhat@gmail.com | Owned by: | adetorcy@email.unc.edu |
|---|---|---|---|
| Priority: | major | Milestone: | GEC19 |
| Component: | iRODS | Version: | Sprint6 |
| Keywords: | Cc: | shuang@renci.org | |
| Dependencies: |
Description
LabWiki, running as user gimiadmin can add new files to folders but does not have the permissions to update existing files. 'iput <filename>' command works but 'iput -f <filename> does not. LabWiki requires these permissions in order to integrate with iRODs.
Change History (12)
comment:1 Changed 11 years ago by
| Type: | task → enhancement |
|---|
comment:2 Changed 11 years ago by
We discussed this on a status call this afternoon and decided that it would be best to only give gimiadmin access to the experimentScripts directory. However, we will leave the current fix in place until the rest of the functionality is complete and the more restricted fix has been tested completely on a test iRODS server. If time and risk allow, we can fix before GEC18. Otherwise this will wait until after GEC18.
comment:3 Changed 11 years ago by
| Version: | Sprint6 → WrapUp |
|---|
comment:4 Changed 10 years ago by
| Milestone: | GEC18 → GEC19 |
|---|---|
| Version: | WrapUp → Backlog |
comment:5 Changed 10 years ago by
| Version: | Backlog → Sprint1 |
|---|
Investigate the root issue. Inheritance doesn't work as we thought? Reproduce and discuss with iRODS team.
comment:6 Changed 10 years ago by
| Version: | Sprint1 → Sprint2 |
|---|
Try to reproduce to the problem we were seeing to get to the root cause.
comment:7 Changed 10 years ago by
I'm not sure that we still have an issue. Here is what I am seeing:
I had created a new user in the portal for testing shortly before GEC. That username is geni-johren2. Therefore, I believe this user was created after the ichmod commands shown above were done.
Even though I see that inheritance is enabled and there is an ACL for gimiadmin#geniRenci:own on /geniRenci/home:
johren@alfheim:~$ ils -A /geniRenci/home /geniRenci/home:
ACL - gimi01#geniRenci:own gimi02#geniRenci:own gimi03#geniRenci:own gimi04#geniRenci:own gimi05#geniRenci:own gimi06#geniRenci:own gimi07#geniRenci:own gimi08#geniRenci:own gimi09#geniRenci:own gimi10#geniRenci:own gimi11#geniRenci:own gimi12#geniRenci:own gimi13#geniRenci:own gimi14#geniRenci:own gimi15#geniRenci:own gimi16#geniRenci:own gimi17#geniRenci:own gimi18#geniRenci:own gimi19#geniRenci:own gimi20#geniRenci:own gimiadmin#geniRenci:own rods#geniRenci:own rodsBoot#geniRenci:own Inheritance - Enabled
I notice that /geniRenci/home/geni-johren2 does not have gimiadmin#geniRenci:own ACL:
johren@alfheim:~$ ils -A /geniRenci/home/geni-johren2 /geniRenci/home/geni-johren2:
ACL - geni-johren2#geniRenci:own Inheritance - Disabled
I do see that /geniRencii/home/geni-johren2/experimentScripts has gimiadmin#geniRenci:modify object
/geniRenci/home/geni-johren2/experimentScripts:
ACL - geni-johren2#geniRenci:own gimiadmin#geniRenci:modify object labwiki#geniRenci:modify object Inheritance - Enabled
I believe this is what is configured by the REST interface when a new user is created. With this configuration, I am able to log in to Labwiki as geni-johren2 and I am able to create and modify scripts in my experimentScripts collection.
So I went ahead and removed the gimiadmin#geniRenci:own ACL from /geniRenci/home. I am still able to create and modify scripts in my experimentScripts directory.
Therefore, it looks like the gimiadmin#geniRenci:modify object ACL that gets added to the experimentScripts directory when it is created is enough for this to work.
comment:8 Changed 10 years ago by
I did some troubleshooting with Divya and discovered that I was not seeing the issue because the changes seemed to be saved locally in Labwiki but were not acutally getting pushed through to iRODS. I was testing that my changes showed up in Labwiki but I was not doing an iget and checking that the changes made it through to iRODS.
This issue was more obvious to Divya because she is using the 4601 instance of Labwiki which was not caching the changes locally. Therefore, her changes were not preserved at all and she had to create a new file for every change she made.
Divya emailed the list:
I am having permissions issue with the gimiadmin user on iRODS. There are 2 issues: 1. As gimiadmin user, iput -f and irm on another user's file does not work e.g gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -809000 status = -809000 CATALOG_ALREADY_HAS_ITEM_BY_THAT_NAME gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ irm step2-routing-new.rb ERROR: rmUtil: rm error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-new.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION 2. The error messages when I do iput -f are different each time e.g gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -809000 status = -809000 CATALOG_ALREADY_HAS_ITEM_BY_THAT_NAME Here is the output of ienv: NOTICE: Release Version = rods3.3, API Version = d NOTICE: irodsHost=geni-gimi.renci.org NOTICE: irodsPort=1247 NOTICE: irodsUserName=gimiadmin NOTICE: irodsZone=geniRenci NOTICE: created irodsHome=/geniRenci/home/gimiadmin NOTICE: created irodsCwd=/geniRenci/home/gimiadmin NOTICE: irodsCwd=/geniRenci/home/geni-dbhat/experimentScripts Could you help me set the right permissions for gimiadmin that allows the execution of the above commands?
Shu found some inconsistencies in the database and asked Antoine to take a look.
Antoine pushed a tentative fix...
The problem was in iRODS' ODBC layer and there might be several parts of the code that need sanitizing, so feel free to give it a shot and let’s see what happens…
comment:9 Changed 10 years ago by
| Version: | Sprint2 → Sprint3 |
|---|
comment:10 Changed 10 years ago by
| Cc: | shuang@renci.org added |
|---|---|
| Owner: | changed from shuang@renci.org to adetorcy@email.unc.edu |
| Summary: | iRODs issue: Gimiadmin permissions → iRODs issue: iput -f fails |
| Version: | Sprint3 → Sprint4 |
comment:11 Changed 10 years ago by
| Version: | Sprint4 → Sprint6 |
|---|
comment:12 Changed 10 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Currently, this issue has been resolved by executing the following:
ichmod -M -r own gimiadmin /geniRenci/home/ ichmod inherit /geniRenci/home/
However, not sure if we want to give gimiadmin access to all directory and files as LabWiki? only needs access to experimentScripts folder for now.