federated users cannot access iRODS via NFSRODS #171

Open
jbeal-work opened this issue Aug 4, 2022 · 14 comments
@jbeal-work

jbeal-work commented Aug 4, 2022

On the client some access does work; for example, ls /home works.

jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/j
******  jc18#Sanger1/  *****
jb23#Sanger1/   *****
jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/jb23#Sanger1/
jb23@farm5-humgen-nfsrods:/mnt/humgen/home/jb23#Sanger1$ ls
ls: reading directory '.': Remote I/O error
2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSVirtualFileSystem] - statPath - User ID           = 12296
statPath - Group ID          = 65534
statPath - Permissions       = drwx------
statPath - Stat              = drwx------    1 12296 65534    0 Sep 19 10:56
2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSIdMapper] - uidToPrincipal - _id = 12296
2022-08-04 14:15:09.354 DEBUG Thread-27 [IRODSIdMapper] - gidToPrincipal - _id = 65534
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::checkAcl
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - Returning cached access result for [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::getattr
2022-08-04 14:15:09.354 DEBUG Thread-28 [IRODSVirtualFileSystem] - statPath - _inodeNumber          = 344
statPath - _path                 = /humgen/home/jb23#Sanger1
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - statPath - Returning cached stat information for [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::checkAcl
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - _subject uid         = 12296
checkAcl - _subject primary gid = 1105
checkAcl - _inode path          = /humgen/home/jb23#Sanger1
checkAcl - _accessMask          = 1
checkAcl - username             = jb23
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - _accessMask & ACE4_READ_DATA         = 1
checkAcl - _accessMask & ACE4_LIST_DIRECTORY    = 1
checkAcl - _accessMask & ACE4_WRITE_DATA        = 0
checkAcl - _accessMask & ACE4_ADD_FILE          = 0
checkAcl - _accessMask & ACE4_APPEND_DATA       = 0
checkAcl - _accessMask & ACE4_ADD_SUBDIRECTORY  = 0
checkAcl - _accessMask & ACE4_READ_NAMED_ATTRS  = 0
checkAcl - _accessMask & ACE4_WRITE_NAMED_ATTRS = 0
checkAcl - _accessMask & ACE4_EXECUTE           = 0
checkAcl - _accessMask & ACE4_DELETE_CHILD      = 0
checkAcl - _accessMask & ACE4_READ_ATTRIBUTES   = 0
checkAcl - _accessMask & ACE4_WRITE_ATTRIBUTES  = 0
checkAcl - _accessMask & ACE4_DELETE            = 0
checkAcl - _accessMask & ACE4_READ_ACL          = 0
checkAcl - _accessMask & ACE4_WRITE_ACL         = 0
checkAcl - _accessMask & ACE4_WRITE_OWNER       = 0
checkAcl - _accessMask & ACE4_SYNCHRONIZE       = 0
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - No attribute/ACL operations requested.
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - getPermissions - Returning cached permissions for [/humgen/home/jb23#Sanger1] [perms=[
UserFilePermission
    userName:jb23
    userId:10630
    filePermissionEnum:OWN
   userType:RODS_UNKNOWN
   userZone:Sanger1, 
UserFilePermission
    userName:mercury
    userId:19667546
    filePermissionEnum:OWN
   userType:RODS_UNKNOWN
   userZone:humgen]] ...
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - User is an owner, access allowed.
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSVirtualFileSystem] - vfs::list
list - _cookie = 0
2022-08-04 14:15:09.357 DEBUG Thread-28 [IRODSIdMapper] - resolveUser - _userID = 12296
2022-08-04 14:15:09.359 DEBUG Thread-28 [IRODSVirtualFileSystem] - list - Listing contents of [/humgen/home/jb23#Sanger1] ...
2022-08-04 14:15:09.616 ERROR Thread-28 [CachedIrodsProtocolManager] - error creating connection
org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
	at org.irods.jargon.core.connection.IRODSErrorScanner.checkSpecificCodesAndThrowIfExceptionLocated(IRODSErrorScanner.java:190) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSErrorScanner.inspectAndThrowIfNeeded(IRODSErrorScanner.java:112) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.processMessageInfoLessThanZero(IRODSMidLevelProtocol.java:1606) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1110) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1078) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:445) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:571) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:54) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:124) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:198) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:212) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:95) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:139) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:56) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:67) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:23) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.BaseKeyedPooledObjectFactory.makeObject(BaseKeyedPooledObjectFactory.java:82) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:780) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:439) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:350) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:64) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
	at org.dcache.nfs.vfs.PseudoFs.list(PseudoFs.java:211) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.OperationREADDIR.process(OperationREADDIR.java:108) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.AbstractOperationExecutor.execute(AbstractOperationExecutor.java:58) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.NFSServerV41.NFSPROC4_COMPOUND_4(NFSServerV41.java:188) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.xdr.nfs4_prot_NFS4_PROGRAM_ServerStub.dispatchOncRpcCall(nfs4_prot_NFS4_PROGRAM_ServerStub.java:48) ~[nfsrods.jar:?]
	at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.lambda$run$0(RpcDispatcher.java:100) ~[nfsrods.jar:?]
	at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
	at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
	at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.run(RpcDispatcher.java:99) ~[nfsrods.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593) ~[nfsrods.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573) ~[nfsrods.jar:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
2022-08-04 14:15:09.616 ERROR Thread-28 [CachedIrodsProtocolManager] - jargon exception
2022-08-04 14:15:09.616 ERROR Thread-28 [IRODSVirtualFileSystem] - org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
2022-08-04 14:15:09.616 ERROR Thread-28 [NFSServerV41] - Unhandled exception:
java.io.IOException: org.irods.jargon.core.exception.JargonException: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:1022) ~[nfsrods.jar:?]
	at org.dcache.nfs.vfs.PseudoFs.list(PseudoFs.java:211) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.OperationREADDIR.process(OperationREADDIR.java:108) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.AbstractOperationExecutor.execute(AbstractOperationExecutor.java:58) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.NFSServerV41.NFSPROC4_COMPOUND_4(NFSServerV41.java:188) ~[nfsrods.jar:?]
	at org.dcache.nfs.v4.xdr.nfs4_prot_NFS4_PROGRAM_ServerStub.dispatchOncRpcCall(nfs4_prot_NFS4_PROGRAM_ServerStub.java:48) ~[nfsrods.jar:?]
	at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.lambda$run$0(RpcDispatcher.java:100) ~[nfsrods.jar:?]
	at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
	at javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
	at org.dcache.oncrpc4j.rpc.RpcDispatcher$1.run(RpcDispatcher.java:99) ~[nfsrods.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593) ~[nfsrods.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573) ~[nfsrods.jar:?]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.irods.jargon.core.exception.JargonException: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
	at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:72) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
	... 12 more
Caused by: org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
	at org.irods.jargon.core.connection.IRODSErrorScanner.checkSpecificCodesAndThrowIfExceptionLocated(IRODSErrorScanner.java:190) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSErrorScanner.inspectAndThrowIfNeeded(IRODSErrorScanner.java:112) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.processMessageInfoLessThanZero(IRODSMidLevelProtocol.java:1606) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1110) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.readMessage(IRODSMidLevelProtocol.java:1078) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:445) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSMidLevelProtocol.irodsFunction(IRODSMidLevelProtocol.java:571) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.StandardIRODSAuth.sendStandardPassword(StandardIRODSAuth.java:54) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.StandardIRODSAuth.processAuthenticationAfterStartup(StandardIRODSAuth.java:124) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AuthMechanism.authenticate(AuthMechanism.java:198) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.authenticate(AbstractIRODSMidLevelProtocolFactory.java:212) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocolFactory.instance(AbstractIRODSMidLevelProtocolFactory.java:95) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSProtocolManager.createNewProtocol(IRODSProtocolManager.java:139) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSimpleProtocolManager.getIRODSProtocol(IRODSSimpleProtocolManager.java:56) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:67) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.JargonPooledObjectFactory.create(JargonPooledObjectFactory.java:23) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.BaseKeyedPooledObjectFactory.makeObject(BaseKeyedPooledObjectFactory.java:82) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:780) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:439) ~[nfsrods.jar:?]
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:350) ~[nfsrods.jar:?]
	at org.irods.jargon.pool.conncache.CachedIrodsProtocolManager.getIRODSProtocol(CachedIrodsProtocolManager.java:64) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.connectAndAddToProtocolsMap(IRODSSession.java:519) ~[nfsrods.jar:?]
	at org.irods.jargon.core.connection.IRODSSession.currentConnection(IRODSSession.java:438) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSGenericAO.<init>(IRODSGenericAO.java:61) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.CollectionAndDataObjectListAndSearchAOImpl.<init>(CollectionAndDataObjectListAndSearchAOImpl.java:69) ~[nfsrods.jar:?]
	at org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl.getCollectionAndDataObjectListAndSearchAO(IRODSAccessObjectFactoryImpl.java:464) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.listDataObjectsAndCollectionsUnderPathWithPermissions(IRODSVirtualFileSystem.java:902) ~[nfsrods.jar:?]
	at org.irods.nfsrods.vfs.IRODSVirtualFileSystem.list(IRODSVirtualFileSystem.java:983) ~[nfsrods.jar:?]
	... 12 more

The nfs server config is

    "nfs_server": {
        "port": 2049,
        "irods_mount_point": "/humgen",
        "user_information_refresh_time_in_milliseconds": 3600000,
        "file_information_refresh_time_in_milliseconds": 1000,
        "user_access_refresh_time_in_milliseconds": 1000,
        "object_type_refresh_time_in_milliseconds": 300000,
        "user_permissions_refresh_time_in_milliseconds": 300000,
        "user_type_refresh_time_in_milliseconds": 300000,
        "list_operation_query_results_refresh_time_in_milliseconds": 30000,
        "allow_overwrite_of_existing_files": false,
        "using_oracle_database": false
    },
@korydraughn
Collaborator

I see an invalid client user error.

Q. Are you trying to access a federated zone via NFSRODS?
Q. What rodsadmin user is NFSRODS configured to use?
Q. What Unix username are you attempting to access the mount point as?
Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?

@korydraughn korydraughn self-assigned this Aug 4, 2022
@jbeal-work
Author

> Q. Are you trying to access a federated zone via NFSRODS?

I think so; the machine is part of the humgen zone and I am accessing something in the SANGER zone.

> Q. What rodsadmin user is NFSRODS configured to use?

    "irods_client": {
        "zone": "humgen",
        "host": "irods-hum-nfsrods01.internal.sanger.ac.uk",
        "port": 1247,
        "default_resource": "demoResc",
        "ssl_negotiation_policy": "CS_NEG_REQUIRE",
        "connection_timeout_in_seconds": 600,
        "proxy_admin_account": {
            "username": "nfsrods",
            "password": "*****"
        }
    }

> Q. What Unix username are you attempting to access the mount point as?

jb23

> Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?

I am not sure I understand the question: /etc/hosts and Unix usernames -> iRODS usernames?

We are using DNS for hostname lookup; our users are in LDAP via sssd.

@korydraughn
Collaborator

> > Q. Is /etc/hosts being used to resolve Unix usernames to iRODS usernames?
>
> I am not sure I understand the question: /etc/hosts and Unix usernames -> iRODS usernames?
>
> We are using DNS for hostname lookup; our users are in LDAP via sssd.

Sorry, I meant /etc/passwd instead of /etc/hosts. You provided what I wanted to know though :-).

I'm wondering if the problem has to do with the username seen by NFSRODS and iRODS. We'll look into reproducing this issue.

What OS and version of iRODS are you running?

@jbeal-work
Author

Sorry, stupid architecture question: the docker container with nfsrods is an iRODS client talking to a local server?

jb23@irods-hum-nfsrods01:/$ cat /etc/issue
Ubuntu 18.04.4 LTS \n \l

jb23@irods-hum-nfsrods01:/$ apt-cache policy irods-server     
irods-server:
  Installed: 4.2.7
  Candidate: 4.2.11-1~xenial
  Version table:
     4.2.11-1~xenial 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.10 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.9 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
     4.2.8 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
 *** 4.2.7 500
        500 https://packages.irods.org/apt xenial/main amd64 Packages
        100 /var/lib/dpkg/status

@korydraughn
Collaborator

Yes. It translates NFS operations into iRODS API calls.

@jbeal-work
Author

Any thoughts?

@korydraughn
Collaborator

Nothing yet. We'll update the issue once we know more.

What version of NFSRODS are you using?

@jbeal-work
Author

We are using 2.1.0

@korydraughn
Collaborator

Please confirm the following. I want to make sure I've captured the correct info.

  • Ubuntu 18.04
  • iRODS 4.2.7
  • NFSRODS 2.1.0 presenting the humgen zone
  • humgen zone federated with Sanger1
  • You're trying to access the Sanger1 zone through NFSRODS/humgen as jb23

I just noticed the default resource in your NFSRODS config is set to demoResc. Is that correct? Is this a testing environment?

And can you explain these lines from your first post?

jb23@farm5-humgen-nfsrods:~$ cd /mnt/humgen/home/j
******  jc18#Sanger1/  *****
jb23#Sanger1/   *****

@jbeal-work
Author

The default resource is set to demoResc; neither the humgen nor the Sanger1 zone is a testing environment.

I just deleted the output that may have been private.

@kript

kript commented Aug 16, 2022

> • You're trying to access the Sanger1 zone through NFSRODS/humgen as jb23

No, he is accessing /humgen/home/jb23#Sanger1, i.e. a local-to-the-zone homedir, with a local-to-the-zone account. However, due to the way (AIUI) NFSRODS does its mappings, it won't resolve jb23#Sanger but instead will look up system uid jb23 to jb23#humgen user.
So the jb23 NFSRODS tries to access /humgen/home/jb23#Sanger1 with is actually jb23#humgen - there is no way to have it in fact be jb23#Sanger. However, for historical reasons, a lot of users don't have humgen zone accounts - like James, it seems!

@kript

kript commented Aug 16, 2022

In case it's not clear, the only account in that zone for jb23 was jb23#Sanger1.

@korydraughn
Collaborator

Based on what has been said, the behavior you're seeing is expected. NFSRODS is implemented to present a single collection within a zone. It assumes that every user accessing the mount point is a member of the zone it is configured to handle. This explains why you received an invalid client user exception in the log file.

Notice line 40 below. NFSRODS instantiates all iRODS users using the zone defined in the config file.

    public IRODSUser(String _username, int _uid, int _gid, ServerConfig _config, IRODSAccessObjectFactory _factory)
    {
        NFSServerConfig nfsSvrConfig = _config.getNfsServerConfig();
        IRODSClientConfig rodsSvrConfig = _config.getIRODSClientConfig();
        IRODSProxyAdminAccountConfig proxyConfig = rodsSvrConfig.getIRODSProxyAdminAcctConfig();
        String adminAcct = proxyConfig.getUsername();
        String adminPw = proxyConfig.getPassword();
        String zone = rodsSvrConfig.getZone();
        String rootPath = Paths.get(nfsSvrConfig.getIRODSMountPoint()).toString();
        log_.debug("IRODSUser - iRODS mount point = {}", rootPath);
        log_.debug("IRODSUser - Creating proxy for username [{}] ...", _username);
        userID_ = _uid;
        groupID_ = _gid;
        // @formatter:off
        proxiedAcct_ = IRODSAccount.instanceWithProxy(rodsSvrConfig.getHost(), rodsSvrConfig.getPort(), _username,
                                                      adminPw, rootPath, zone, rodsSvrConfig.getDefaultResource(),
                                                      adminAcct, zone);
        // @formatter:on
    }

Is the behavior you're seeing surprising? What do you feel NFSRODS should do in this case?
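
Added example (not part of the thread and not NFSRODS code): a log triage sketch that pairs each rejected connection in an NFSRODS debug log with the Unix username from the preceding `checkAcl` entry on the same thread, and shows which zones that name carries in the cached permission entries versus the zone NFSRODS proxies it into. The function name `triage` and the trimmed sample log, including its Thread-31 lines, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed to the shape of the log lines in this issue.
# The Thread-31 entries are invented to show a user that is not rejected.
SAMPLE_LOG = """\
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - checkAcl - _subject uid         = 12296
checkAcl - _inode path          = /humgen/home/jb23#Sanger1
checkAcl - username             = jb23
2022-08-04 14:15:09.355 DEBUG Thread-28 [IRODSVirtualFileSystem] - getPermissions - Returning cached permissions for [/humgen/home/jb23#Sanger1] [perms=[
UserFilePermission
    userName:jb23
    userZone:Sanger1, 
UserFilePermission
    userName:mercury
    userZone:humgen]] ...
2022-08-04 14:15:09.616 ERROR Thread-28 [CachedIrodsProtocolManager] - error creating connection
org.irods.jargon.core.exception.InvalidClientUserException: invalid client user
2022-08-04 14:15:10.101 DEBUG Thread-31 [IRODSVirtualFileSystem] - checkAcl - _subject uid         = 12300
checkAcl - username             = mercury
2022-08-04 14:15:10.120 DEBUG Thread-31 [IRODSVirtualFileSystem] - list - Listing contents of [/humgen/home/mercury] ...
"""

STAMPED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \S+ (?P<level>\w+) (?P<thread>\S+) \[(?P<logger>\w+)\] - (?P<msg>.*)$")
USERNAME = re.compile(r"checkAcl - username\s*=\s*(\S+)")
PERM_NAME = re.compile(r"^\s*userName:(\S+)")
PERM_ZONE = re.compile(r"^\s*userZone:([^,\]\s]+)")


def triage(log_text, configured_zone):
    """Return {unix_user: report} for every user whose connection was rejected."""
    last_user = {}                # thread -> username from the latest checkAcl
    acl_zones = defaultdict(set)  # username -> zones seen in permission entries
    failures = defaultdict(int)   # username -> rejected connection attempts
    thread = None
    pending_name = None
    awaiting_cause = False        # True right after "error creating connection"
    for line in log_text.splitlines():
        m = STAMPED.match(line)
        if m:
            # Continuation lines carry no thread id, so remember the last one.
            thread = m["thread"]
            awaiting_cause = (m["level"] == "ERROR"
                              and "error creating connection" in m["msg"])
            line = m["msg"]
        elif awaiting_cause:
            # The exception class is on the line directly after the ERROR entry.
            if "InvalidClientUserException" in line:
                failures[last_user.get(thread, "<unknown>")] += 1
            awaiting_cause = False
            continue
        if (u := USERNAME.search(line)):
            last_user[thread] = u[1]
        elif (n := PERM_NAME.match(line)):
            pending_name = n[1]
        elif (z := PERM_ZONE.match(line)) and pending_name:
            acl_zones[pending_name].add(z[1])
            pending_name = None
    return {
        user: {
            "rejected": count,
            # The constructor above always pairs the name with the config zone.
            "proxied_as": f"{user}#{configured_zone}",
            "acl_zones": sorted(acl_zones[user]),
            # A hint only: ACL entries exist, but none in the configured zone.
            "federated_only_hint": bool(acl_zones[user])
                                   and configured_zone not in acl_zones[user],
        }
        for user, count in failures.items()
    }
```

Calling `triage(SAMPLE_LOG, "humgen")` reports only jb23: rejected once, proxied as `jb23#humgen`, while the permission entries list that name under Sanger1 alone.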

@trel
Member

trel commented Oct 13, 2023

I don't think NFSRODS can do anything about this scenario.

Ideas welcome.

@trel trel changed the title access via nfsrods not working well. federated users cannot access iRODS via NFSRODS Oct 13, 2023
@korydraughn korydraughn added this to the 2.3.0 milestone Feb 1, 2024
@korydraughn korydraughn modified the milestones: 2.3.0, 2.4.0 May 20, 2024