Opened 9 years ago

Closed 8 years ago

#57 closed enhancement (fixed)

iRODs issue: iput -f fails

Reported by: divyashri.bhat@gmail.com
Owned by: adetorcy@email.unc.edu
Priority: major
Milestone: GEC19
Component: iRODS
Version: Sprint6
Keywords:
Cc: shuang@renci.org
Dependencies:

Description

LabWiki, running as user gimiadmin, can add new files to folders but does not have the permissions to update existing files. The 'iput <filename>' command works but 'iput -f <filename>' does not. LabWiki requires these permissions in order to integrate with iRODs.

Change History (12)

comment:1 Changed 9 years ago by divyashri.bhat@gmail.com

Type: changed from task to enhancement

Currently, this issue has been resolved by executing the following:

ichmod -M -r own gimiadmin /geniRenci/home/
ichmod inherit /geniRenci/home/

However, not sure if we want to give gimiadmin access to all directories and files as LabWiki only needs access to experimentScripts folder for now.

comment:2 Changed 9 years ago by johren@bbn.com

We discussed this on a status call this afternoon and decided that it would be best to only give gimiadmin access to the experimentScripts directory. However, we will leave the current fix in place until the rest of the functionality is complete and the more restricted fix has been tested completely on a test iRODS server. If time and risk allow, we can fix before GEC18. Otherwise this will wait until after GEC18.

comment:3 Changed 9 years ago by johren@bbn.com

Version: changed from Sprint6 to WrapUp

comment:4 Changed 9 years ago by johren@bbn.com

Milestone: changed from GEC18 to GEC19
Version: changed from WrapUp to Backlog

comment:5 Changed 9 years ago by johren@bbn.com

Version: changed from Backlog to Sprint1

Investigate the root issue. Inheritance doesn't work as we thought? Reproduce and discuss with iRODS team.

comment:6 Changed 8 years ago by johren@bbn.com

Version: changed from Sprint1 to Sprint2

Try to reproduce the problem we were seeing to get to the root cause.

comment:7 Changed 8 years ago by johren@bbn.com

I'm not sure that we still have an issue. Here is what I am seeing:

I had created a new user in the portal for testing shortly before GEC. That username is geni-johren2. Therefore, I believe this user was created after the ichmod commands shown above were done.

Even though I see that inheritance is enabled and there is an ACL for gimiadmin#geniRenci:own on /geniRenci/home:

johren@alfheim:~$ ils -A /geniRenci/home
/geniRenci/home:
        ACL - gimi01#geniRenci:own gimi02#geniRenci:own gimi03#geniRenci:own gimi04#geniRenci:own gimi05#geniRenci:own gimi06#geniRenci:own gimi07#geniRenci:own gimi08#geniRenci:own gimi09#geniRenci:own gimi10#geniRenci:own gimi11#geniRenci:own gimi12#geniRenci:own gimi13#geniRenci:own gimi14#geniRenci:own gimi15#geniRenci:own gimi16#geniRenci:own gimi17#geniRenci:own gimi18#geniRenci:own gimi19#geniRenci:own gimi20#geniRenci:own gimiadmin#geniRenci:own rods#geniRenci:own rodsBoot#geniRenci:own
        Inheritance - Enabled

I notice that /geniRenci/home/geni-johren2 does not have gimiadmin#geniRenci:own ACL:

johren@alfheim:~$ ils -A /geniRenci/home/geni-johren2
/geniRenci/home/geni-johren2:
        ACL - geni-johren2#geniRenci:own
        Inheritance - Disabled

I do see that /geniRenci/home/geni-johren2/experimentScripts has gimiadmin#geniRenci:modify object:

/geniRenci/home/geni-johren2/experimentScripts:
        ACL - geni-johren2#geniRenci:own gimiadmin#geniRenci:modify object labwiki#geniRenci:modify object
        Inheritance - Enabled

I believe this is what is configured by the REST interface when a new user is created. With this configuration, I am able to log in to Labwiki as geni-johren2 and I am able to create and modify scripts in my experimentScripts collection.

So I went ahead and removed the gimiadmin#geniRenci:own ACL from /geniRenci/home. I am still able to create and modify scripts in my experimentScripts directory.

Therefore, it looks like the gimiadmin#geniRenci:modify object ACL that gets added to the experimentScripts directory when it is created is enough for this to work.
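
The least-privilege check discussed in comments 1, 2 and 7, as an added example that is not part of the ticket or of iRODS: it parses `ils -A` output and flags any ACL the service account holds outside an experimentScripts collection or above modify object. The sample listing is abridged from comment 7; the function names and the policy limits are assumptions made for this example, and only collection entries are handled.

```python
import re

# Added example. SAMPLE is constructed: `ils -A` listings abridged from
# comment 7, as they stood before gimiadmin's own ACL was removed from
# /geniRenci/home. parse_ils_acl and audit are names invented here.
SAMPLE = """\
/geniRenci/home:
        ACL - gimi01#geniRenci:own gimiadmin#geniRenci:own rods#geniRenci:own
        Inheritance - Enabled
/geniRenci/home/geni-johren2:
        ACL - geni-johren2#geniRenci:own
        Inheritance - Disabled
/geniRenci/home/geni-johren2/experimentScripts:
        ACL - geni-johren2#geniRenci:own gimiadmin#geniRenci:modify object labwiki#geniRenci:modify object
        Inheritance - Enabled
"""

ACL_ENTRY = re.compile(r"(\S+#[^\s:]+):(own|modify object|read object)")
RANK = {"read object": 1, "modify object": 2, "own": 3}

def parse_ils_acl(text):
    """Return {collection: {"acl": {user: level}, "inherit": bool}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/") and line.endswith(":"):
            current = result.setdefault(line[:-1], {"acl": {}, "inherit": False})
        elif current is not None and line.startswith("ACL - "):
            current["acl"].update(ACL_ENTRY.findall(line))
        elif current is not None and line.startswith("Inheritance - "):
            current["inherit"] = line.endswith("Enabled")
    return result

def audit(listing, account, allowed_leaf, max_level="modify object"):
    """Flag grants to `account` outside `allowed_leaf` or above `max_level`."""
    findings = []
    for path, info in sorted(listing.items()):
        level = info["acl"].get(account)
        if level is None:
            continue
        if path.rsplit("/", 1)[-1] != allowed_leaf:
            note = ", inheritance enabled" if info["inherit"] else ""
            findings.append((path, level, "outside " + allowed_leaf + note))
        elif RANK[level] > RANK[max_level]:
            findings.append((path, level, "exceeds " + max_level))
    return findings

if __name__ == "__main__":
    print(audit(parse_ils_acl(SAMPLE), "gimiadmin#geniRenci", "experimentScripts"))
```

On the sample this reports only the own grant on /geniRenci/home; with that entry removed, as in comment 7, the audit returns no findings.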

comment:8 Changed 8 years ago by johren@bbn.com

I did some troubleshooting with Divya and discovered that I was not seeing the issue because the changes seemed to be saved locally in Labwiki but were not actually getting pushed through to iRODS. I was testing that my changes showed up in Labwiki but I was not doing an iget and checking that the changes made it through to iRODS.

This issue was more obvious to Divya because she is using the 4601 instance of Labwiki which was not caching the changes locally. Therefore, her changes were not preserved at all and she had to create a new file for every change she made.

Divya emailed the list:

I am having permissions issue with the gimiadmin user on iRODS. There are 2 issues:

1. As gimiadmin user, iput -f and irm on another user's file does not work
e.g
gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb
ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -809000 status = -809000 CATALOG_ALREADY_HAS_ITEM_BY_THAT_NAME

gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ irm step2-routing-new.rb
ERROR: rmUtil: rm error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-new.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION


2. The error messages when I do iput -f are different each time
e.g
gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb
ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION
gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb
ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION
gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb
ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -818000 status = -818000 CAT_NO_ACCESS_PERMISSION
gimiadmin@emmy9:/var/lib/omfwebapps/exp_repos/geni-dbhat/repo/oidl$ iput -f step2-routing-latest.rb
ERROR: putUtil: put error for /geniRenci/home/geni-dbhat/experimentScripts/step2-routing-latest.rb, status = -809000 status = -809000 CATALOG_ALREADY_HAS_ITEM_BY_THAT_NAME


Here is the output of ienv:

NOTICE: Release Version = rods3.3, API Version = d
NOTICE: irodsHost=geni-gimi.renci.org
NOTICE: irodsPort=1247
NOTICE: irodsUserName=gimiadmin
NOTICE: irodsZone=geniRenci
NOTICE: created irodsHome=/geniRenci/home/gimiadmin
NOTICE: created irodsCwd=/geniRenci/home/gimiadmin
NOTICE: irodsCwd=/geniRenci/home/geni-dbhat/experimentScripts


Could you help me set the right permissions for gimiadmin that allows the execution of the above commands?

Shu found some inconsistencies in the database and asked Antoine to take a look.

Antoine pushed a tentative fix...

The problem was in iRODS' ODBC layer and there might be several parts of the code that need sanitizing, so feel free to give it a shot and let’s see what happens… 

comment:9 Changed 8 years ago by johren@bbn.com

Version: changed from Sprint2 to Sprint3

comment:10 Changed 8 years ago by johren@bbn.com

Cc: shuang@renci.org added
Owner: changed from shuang@renci.org to adetorcy@email.unc.edu
Summary: changed from "iRODs issue: Gimiadmin permissions" to "iRODs issue: iput -f fails"
Version: changed from Sprint3 to Sprint4

comment:11 Changed 8 years ago by johren@bbn.com

Version: changed from Sprint4 to Sprint6

comment:12 Changed 8 years ago by johren@bbn.com

Resolution: fixed
Status: changed from new to closed