
[Globus, Repo] - Hide Collection contents #1142

Open
JoshuaSBrown opened this issue Nov 23, 2024 · 8 comments
Assignees: JoshuaSBrown
Labels: Component: GridFTP Auth Module (Relates to GridFTP authorization library), Priority: High (Highest priority)

Comments

@JoshuaSBrown (Collaborator)

Description

The current authz library is not passing lookup and chdir commands to the central services, which allows someone to see things in Globus.

Acceptance

Pass authorization to Central services for lookup and chdir commands.

@JoshuaSBrown (Collaborator, Author)

Running into the following error even though auth now appears to be correctly set up. This is being reported by Globus when a transfer starts:

Error (make directories)
Endpoint: DataFedCI Collection Guest (a52433eb-9e9d-4620-826e-ff12f1327f59)
Server: 128.219.185.43:443
File: /datafed/datafedci-home/user/datafed89/39885
Command: MKD /datafed/datafedci-home
Message: Fatal FTP response
---
Details: 553-GlobusError: v=1 c=PATH_EXISTS\r\n553-GridFTP-Errno: 17\r\n553-GridFTP-Reason: System error in mkdir\r\n553-GridFTP-Error-String: File exists\r\n553 End.\r\n

@JoshuaSBrown (Collaborator, Author)

Output from the authz logs indicates a permission denied error might be at fault.

[INFO] Allowed collection path: /mnt, action: lookup, object is ftp://ci-datafed-globus2/mnt/datafed
[ERROR] gsi_authz_authorize_async, handle: 0x5620d08f4140, act: lookup, obj: ftp://ci-datafed-globus2/mnt/datafed
[INFO] Auth client: /C=US/O=Globus Consortium/OU=Globus Online/OU=Transfer User/CN=__transfer__, file: ftp://ci-datafed-globus2/mnt/datafed, action: lookup
[DEBUG] Authz: PASSED
[INFO] Allowed collection path: /mnt, action: lookup, object is ftp://ci-datafed-globus2/mnt/datafed/datafedci-home
[ERROR] gsi_authz_authorize_async, handle: 0x5620d08f4140, act: lookup, obj: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home
[INFO] Auth client: /C=US/O=Globus Consortium/OU=Globus Online/OU=Transfer User/CN=__transfer__, file: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home, action: lookup
[INFO] libauthz.c Auth client_id: -, file: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home, action: lookup
[INFO] libauthz.c checkAuthorization FAIL.
[INFO] Authz: FAILED
[INFO] Allowed collection path: /mnt, action: lookup, object is ftp://ci-datafed-globus2/mnt/datafed/datafedci-home/user
[ERROR] gsi_authz_authorize_async, handle: 0x5620d08f4140, act: lookup, obj: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home/user
[INFO] Auth client: /C=US/O=Globus Consortium/OU=Globus Online/OU=Transfer User/CN=__transfer__, file: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home/user, action: lookup
[DEBUG] Authz: PASSED

@JoshuaSBrown (Collaborator, Author)

Lookup ftp://ci-datafed-globus2/mnt/datafed PASS
Lookup ftp://ci-datafed-globus2/mnt/datafed/datafedci-home FAIL
Lookup ftp://ci-datafed-globus2/mnt/datafed/datafedci-home/user PASS

@JoshuaSBrown (Collaborator, Author) commented Dec 2, 2024

ArangoDB log output:

/gridftp start authz client - repo repo/datafedci-home file /datafed act lookup
Checking that repo base path  /datafed/datafedci-home/  starts with  /datafed
/gridftp start authz client - repo repo/datafedci-home file /datafed/datafedci-home/user act lookup
Checking that repo base path  /datafed/datafedci-home/  starts with  /datafed/datafedci-home/user

For some reason the path /datafed/datafedci-home is not making it to the Foxx authorization route. This suggests that the path is being denied somewhere in the authz library.
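A path scope check of the kind these logs exercise, written as an added C++ example for this thread; it is not DataFed's libauthz.c or its Foxx route, and the function names, the collection path /mnt, the repo base path /datafed/datafedci-home/ and the stand-in central-service callback are assumptions taken from the log lines above rather than the project's API. It strips the collection path from the GridFTP object, classifies the result against the repo base on whole path components, and forwards every in-scope lookup or chdir to the central decision, refusing locally only paths outside the repository. Normalizing both sides means the base given with a trailing slash and the request without one compare as the same directory, and a sibling such as /datafed/datafedci-home2 is not mistaken for a descendant:

```cpp
// Added example for this thread; not DataFed's libauthz.c. Names, the
// collection path "/mnt" and the repo base "/datafed/datafedci-home/" are
// assumptions taken from the log lines in the issue.
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

// Split a path into non-empty components: "/a//b/" -> {"a", "b"}.
static std::vector<std::string> splitPath(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : path) {
        if (c == '/') {
            if (!cur.empty()) { parts.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) parts.push_back(cur);
    return parts;
}

// Where a requested path sits relative to the repo base path, decided on
// component boundaries: trailing slashes are irrelevant and a sibling such
// as "/datafed/datafedci-home2" is Outside, not a Descendant.
enum class Scope { Ancestor, Same, Descendant, Outside };

Scope classify(const std::string& repoBase, const std::string& path) {
    const std::vector<std::string> base = splitPath(repoBase);
    const std::vector<std::string> req = splitPath(path);
    const size_t n = std::min(base.size(), req.size());
    for (size_t i = 0; i < n; ++i) {
        if (base[i] != req[i]) return Scope::Outside;
    }
    if (req.size() == base.size()) return Scope::Same;
    return req.size() < base.size() ? Scope::Ancestor : Scope::Descendant;
}

// Turn a GridFTP object such as "ftp://host/mnt/datafed/x" into the path the
// central service reasons about by removing the collection path ("/mnt").
// Returns false when the object does not lie under the collection path.
bool objectToRepoPath(const std::string& object, const std::string& collectionPath,
                      std::string& repoPath) {
    const std::string scheme = "ftp://";
    if (object.compare(0, scheme.size(), scheme) != 0) return false;
    const size_t slash = object.find('/', scheme.size());
    if (slash == std::string::npos) return false;
    const std::vector<std::string> coll = splitPath(collectionPath);
    const std::vector<std::string> parts = splitPath(object.substr(slash));
    if (parts.size() < coll.size()) return false;
    for (size_t i = 0; i < coll.size(); ++i) {
        if (parts[i] != coll[i]) return false;
    }
    repoPath.clear();
    for (size_t i = coll.size(); i < parts.size(); ++i) repoPath += "/" + parts[i];
    if (repoPath.empty()) repoPath = "/";
    return true;
}

// Stand-in for the central authorization call (hypothetical signature).
using CentralAuthz = std::function<bool(const std::string& clientId,
                                        const std::string& repoPath,
                                        const std::string& action)>;

// Authorize one GridFTP action. Nothing in scope of the repository is decided
// here: ancestors (needed to traverse down to the repo), the base itself and
// descendants are all forwarded, so whether collection contents are visible
// is the central service's decision. Only paths outside the repo are refused locally.
bool authorize(const std::string& clientId, const std::string& object,
               const std::string& action, const std::string& collectionPath,
               const std::string& repoBase, const CentralAuthz& central) {
    std::string repoPath;
    if (!objectToRepoPath(object, collectionPath, repoPath)) return false;
    if (classify(repoBase, repoPath) == Scope::Outside) return false;
    return central(clientId, repoPath, action);
}

// Replay the three lookups from the logs above plus a constructed sibling path
// against a recording stub that allows everything; returns the paths that
// actually reached the stand-in "central service".
std::vector<std::string> replayLogPaths() {
    std::vector<std::string> forwarded;
    const CentralAuthz stub = [&forwarded](const std::string&, const std::string& p,
                                           const std::string&) {
        forwarded.push_back(p);
        return true;
    };
    const char* objects[] = {
        "ftp://ci-datafed-globus2/mnt/datafed",
        "ftp://ci-datafed-globus2/mnt/datafed/datafedci-home",
        "ftp://ci-datafed-globus2/mnt/datafed/datafedci-home/user",
        "ftp://ci-datafed-globus2/mnt/datafed/datafedci-home2/user"  // constructed sibling
    };
    for (const char* obj : objects) {
        authorize("-", obj, "lookup", "/mnt", "/datafed/datafedci-home/", stub);
    }
    return forwarded;
}
```

With this structure all three paths from the logs reach the central callback, including the one equal to the repo base, and the constructed sibling is the only request refused before the central call.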

@JoshuaSBrown (Collaborator, Author)

Output from the core service:

"message": "authz/gridftp repo: repo/datafedci-home file /datafed act lookup"
"message": "authz/gridftp repo: repo/datafedci-home file /datafed/datafedci-home/user act lookup"

This again confirms that the account lookup is not failing in the core service or the Foxx authz route.

@JoshuaSBrown (Collaborator, Author)

Contents of the authz module log on the failure event:

[INFO] gsi_authz_authorize_async
[DEBUG] libauthz.c GLOBUS_GRIDFTP_GUEST_IDENTITY_IDS: -
[DEBUG] libauthz.c GLOBUS_GRIDFTP_MAPPED_USERNAME: datafed
[DEBUG] libauthz.c GLOBUS_GRIDFTP_MAPPED_IDENTITY_ID: -
[INFO] Allowed collection path: /mnt, action: lookup, object is ftp://ci-datafed-globus2/mnt/datafed/datafedci-home
[ERROR] gsi_authz_authorize_async, handle: 0x5620d08f4140, act: lookup, obj: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home
[INFO] Auth client: /C=US/O=Globus Consortium/OU=Globus Online/OU=Transfer User/CN=__transfer__, file: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home, action: lookup
[INFO] Using client CN for authz
[DEBUG] libauthz.c GLOBUS_GRIDFTP_GUEST_IDENTITY_IDS: -
[INFO] libauthz.c client_id(s): -
[INFO] libauthz.c Auth client_id: -, file: ftp://ci-datafed-globus2/mnt/datafed/datafedci-home, action: lookup
[INFO] libauthz.c checkAuthorization FAIL.
[INFO] Authz: FAILED

@JoshuaSBrown (Collaborator, Author) commented Dec 2, 2024

The last known statements indicate that checkAuthorization is not returning 0.

```c
/* checkAuthorization returns 0 on success; any other value falls through
 * to the two "libauthz.c ..." log lines seen in the failure output above. */
if (checkAuthorization(client_id, object, action, &g_config) == 0) {
    result = GLOBUS_SUCCESS;
} else {
    AUTHZ_LOG_INFO("libauthz.c Auth client_id: %s, file: %s, action: %s\n", client_id, object, action);
    AUTHZ_LOG_INFO("libauthz.c checkAuthorization FAIL.\n");
}
```

@JoshuaSBrown (Collaborator, Author) commented Dec 7, 2024

Implementation of this feature is being broken down into several small components.

#1161 - Refactor and unit testing of Authz cpp class.
#1168 - Adds authz unit tests to CI

@JoshuaSBrown JoshuaSBrown self-assigned this Dec 7, 2024
@JoshuaSBrown JoshuaSBrown added Component: GridFTP Auth Module Relates to GridFTP authorization library Priority: High Highest priority labels Dec 7, 2024