hang using PAM
Closed this issue · 7 comments
ref [iROD-Chat:14003]
I would like to add that I also see this error in iRODS while using jargon-4.0.2.3-RELEASE (via irods-webdav) to communicate with iRODS 4.1.3.
Although I am not sure if it's related to irods-webdav + PAM, but the error triggers my attention when I also saw the following error in tomcat:
#985481 [http-nio-8443-exec-5] WARN org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol - partial connection, not authenticated, forcefully shut down the socket
When irods-webdav uses PAM to authenticate user. Although the error says the user is not authenticated, in the iRODS log it says the user is authenticated with
Jul 15 11:39:36 pid:6308 NOTICE: Agent process 11252 started for puser=honlee and cuser=honlee from 131.174.75.106
Authenticated
Jul 15 11:39:37 pid:6308 NOTICE: Agent process 11263 started for puser=honlee and cuser=honlee from 131.174.75.106
Jul 15 11:39:37 pid:11252 ERROR: [-] iRODS/server/core/src/rsApiHandler.cpp:470:readAndProcClientMsg : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message []
[-] iRODS/lib/core/src/sockComm.cpp:199:readMsgHeader : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message [failed to call 'read header']
[-] libtcp.cpp:240:tcp_read_msg_header : status [SYS_HEADER_READ_LEN_ERR] errno [] -- message [read 0 expected 4]
Jul 15 11:39:37 pid:11252 NOTICE: Agent exiting with status = -4000
Jul 15 11:39:37 pid:6308 NOTICE: Agent process 11252 exited with status 24576
When it happens, the webdav client (Cyberduck) complains about connection timeout error.
webdav log
57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter - doFilter()
57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils - getIRODSAccountFromBasicAuthValues
57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils - index of end of basic prefix:5
57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils - index of end of basic prefix:5
57186 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils - credentials:honlee
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.WebDavAuthUtils - webDavConfig:WebDavConfig [host=irods-icat.uci.ru.nl, zone=rdmtst, port=1247, defaultStorageResource=rdmResOL, authScheme=PAM, realm=irods, cacheFileDemographics=true, defaultStartingLocationEnum=PROVIDED, providedDefaultStartingLocation=/rdmtst/di, usePackingStreams=true]
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter - account for auth:honlee
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - authenticate()
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - look in cache for cached login
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - login to irods and cache
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - getIrodsAccountFromAuthValues
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - using PAM
57187 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.IrodsAuthService - authenticating:irods://honlee@irods-icat.uci.ru.nl:1247
57187 [http-nio-8443-exec-1] INFO org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl - authenticateIRODSAccount()
57187 [http-nio-8443-exec-1] WARN org.irods.jargon.core.connection.IRODSSession - closing session that is already closed, silently ignore
57408 [http-nio-8443-exec-1] WARN org.irods.jargon.core.connection.AbstractIRODSMidLevelProtocol - partial connection, not authenticated, forcefully shut down the socket
111102 [http-nio-8443-exec-1] INFO org.irods.jargon.core.pub.IRODSAccessObjectFactoryImpl - authResponse:org.irods.jargon.core.connection.auth.AuthResponse@258d643c
111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter - authResponse:org.irods.jargon.core.connection.auth.AuthResponse@258d643c
111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.authfilter.BasicAuthFilter - success!
111102 [http-nio-8443-exec-1] DEBUG org.irods.jargon.webdav.resource.IrodsFileSystemResourceFactory - getResource: host: rdmapptst.uci.ru.nl:8443 - url:/irods-webdav-pam/dccn/dac_t00001/
Another piece of information to add:
I have tried standard auth, everything worked.
I can also confirm that with PAM authentication, the error seems to be reproducible following a restart of the tomcat server. (ps. It doesn't happen to the very first connection, but after few clicks into a collection where many data objects reside, about 40 collections and 1200 data objects.) After retrying the client connection (click retry button in Cyberduck), everything seems to pass through and work fine again.
we can retest w/Pam when RC1 is ready. Jargon has many PAM improvements and I would like to see if this resolves itself.
I'm also encountering this error using jargon-core-4.0.2.4-RELEASE.jar
OK I am in the middle of testing and upgrading it to get to the 4.0.2.4
release and pam tests will be a part of this
It will probably be mid week next week before I'm done. iPlant's QA
will also be taking a look at it.
MC
On 11/19/2015 03:15 PM, Piet van Dongen wrote:
I'm also encountering this error using jargon-core-4.0.2.4-RELEASE.jar
—
Reply to this email directly or view it on GitHub
#16 (comment).
Correction: the combination of iRODS 4.1.6 and jargon-core-4.0.2.4-RELEASE.jar and PAM authentication does work. I unknowingly tried to authenticate a STANDARD type authentication over PAM. I've just tried authorizing another account with PAM and it works.
great to hear. I am currently testing WebDav with our new keys using
davfs and working out a few things. We have a license from Milton.io
and can distribute a pre-packaged .war file that has the enterprise
Milton code supporting WebDav2
MC
On 11/20/2015 01:48 AM, Piet van Dongen wrote:
Correction: the combination of iRODS 4.1.6 and
jargon-core-4.0.2.4-RELEASE.jar and PAM authentication does work. I
unknowingly tried to authenticate a STANDARD type authentication over
PAM. I've just tried authorizing another account with PAM and it works.—
Reply to this email directly or view it on GitHub
#16 (comment).