DICE-UNC/irods-webdav

hang using PAM

Closed this issue · 7 comments

ref [iROD-Chat:14003]

I would like to add that I also see this error in iRODS while using jargon-4.0.2.3-RELEASE (via irods-webdav) to communicate with iRODS 4.1.3.

Although I am not sure if it's related to irods-webdav + PAM, but the error triggers my attention when I also saw the following error in tomcat:

#985481 [http-nio-8443-exec-5] WARN org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol - partial connection, not authenticated, forcefully shut down the socket

When irods-webdav uses PAM to authenticate user. Although the error says the user is not authenticated, in the iRODS log it says the user is authenticated with

Jul 15 11:39:36 pid:6308 NOTICE: Agent process 11252 started for puser=honlee and cuser=honlee from 131.174.75.106
Authenticated
Jul 15 11:39:37 pid:6308 NOTICE: Agent process 11263 started for puser=honlee and cuser=honlee from 131.174.75.106
Jul 15 11:39:37 pid:11252 ERROR: [-] iRODS/server/core/src/rsApiHandler.cpp:470:readAndProcClientMsg : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message []
[-] iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message [failed to call 'read header']
[-] libtcp.cpp:240:tcp_read_msg_header : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message [read 0 expected 4]

Jul 15 11:39:37 pid:11252 NOTICE: Agent exiting with status = -4000

Jul 15 11:39:37 pid:6308 NOTICE: Agent process 11252 exited with status 24576

When it happens, the webdav client (Cyberduck) complains about connection timeout error.

webdav log


57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter  - doFilter()

57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils  - getIRODSAccountFromBasicAuthValues

57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils  - index of end of basic prefix:5

57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils  - index of end of basic prefix:5

57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils  - credentials:honlee

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils  - webDavConfig:WebDavConfig [host=irods-icat.uci.ru.nl, zone=rdmtst, port=1247, defaultStorageResource=rdmResOL, authScheme=PAM, realm=irods, cacheFileDemographics=true, defaultStartingLocationEnum=PROVIDED, providedDefaultStartingLocation=/rdmtst/di, usePackingStreams=true]

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter  - account for auth:honlee

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - authenticate()

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - look in cache for cached login

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - login to irods and cache

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - getIrodsAccountFromAuthValues

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - using PAM

57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService  - authenticating:irods://honlee@irods-icat.uci.ru.nl:1247

57187 [http-nio-8443-exec-1] INFO  org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl  - authenticateIRODSAccount()

57187 [http-nio-8443-exec-1] WARN  org.irods.jargon.core.connection.IRODSSession  - closing session that is already closed, silently ignore

57408 [http-nio-8443-exec-1] WARN  org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol  - partial connection, not authenticated, forcefully shut down the socket

111102 [http-nio-8443-exec-1] INFO  org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl  - authResponse:org.irods.jargon.core.connection.auth.AuthResponse@258d643c

111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter  - authResponse:org.irods.jargon.core.connection.auth.AuthResponse@258d643c

111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter  - success!

111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.resource.IrodsFileSystemResourceFactory  - getResource: host: rdmapptst.uci.ru.nl:8443 - url:/irods-webdav-pam/dccn/dac_t00001/


Another piece of information to add:

I have tried standard auth, everything worked.

I can also confirm that with PAM authentication, the error seems to be reproducible following a restart of the tomcat server. (ps. It doesn't happen to the very first connection, but after few clicks into a collection where many data objects reside, about 40 collections and 1200 data objects.) After retrying the client connection (click retry button in Cyberduck), everything seems to pass through and work fine again.

we can retest w/Pam when RC1 is ready. Jargon has many PAM improvements and I would like to see if this resolves itself.

I'm also encountering this error using jargon-core-4.0.2.4-RELEASE.jar

OK I am in the middle of testing and upgrading it to get to the 4.0.2.4
release and pam tests will be a part of this

It will probably be mid week next week before I'm done. iPlant's QA
will also be taking a look at it.

MC

On 11/19/2015 03:15 PM, Piet van Dongen wrote:

I'm also encountering this error using jargon-core-4.0.2.4-RELEASE.jar


Reply to this email directly or view it on GitHub
#16 (comment).

Correction: the combination of iRODS 4.1.6 and jargon-core-4.0.2.4-RELEASE.jar and PAM authentication does work. I unknowingly tried to authenticate a STANDARD type authentication over PAM. I've just tried authorizing another account with PAM and it works.

great to hear. I am currently testing WebDav with our new keys using
davfs and working out a few things. We have a license from Milton.io
and can distribute a pre-packaged .war file that has the enterprise
Milton code supporting WebDav2

MC

On 11/20/2015 01:48 AM, Piet van Dongen wrote:

Correction: the combination of iRODS 4.1.6 and
jargon-core-4.0.2.4-RELEASE.jar and PAM authentication does work. I
unknowingly tried to authenticate a STANDARD type authentication over
PAM. I've just tried authorizing another account with PAM and it works.


Reply to this email directly or view it on GitHub
#16 (comment).