Question: Problem setting up metadata search (possibly SSL related) #281

Open
kalylian opened this issue Oct 14, 2021 · 2 comments
@kalylian

Hi,

I have a problem with metadata search. I can search for object names, but when I search for other attributes, the page just gives no result and refreshes.

It works when I set CS_NEG_DONT_CARE instead of CS_NEG_REQUIRE in /etc/irods/core.re. So I think it's an SSL issue. I've switched around the cert used as /tmp/cert/server.crt but couldn't get it to work. I need to pass the iRODS cert, right? The one defined with irods_ssl_certificate_chain_file in /var/lib/irods/.irods/irods_environment.json.

iRODS gives me this error:

Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:507:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
[-] /irods/server/core/src/irods_server_negotiation.cpp:151:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
[-] /irods/lib/core/src/irods_client_negotiation.cpp:526:irods::error irods::read_client_server_negotiation_message(irods::network_object_ptr, boost::shared_ptr<cs_neg_t> &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]

Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:511:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
[-] /irods/server/core/src/irods_server_negotiation.cpp:151:irods::error irods::client_server_negotiation_for_server(irods::network_object_ptr, std::string &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
[-] /irods/lib/core/src/irods_client_negotiation.cpp:526:irods::error irods::read_client_server_negotiation_message(irods::network_object_ptr, boost::shared_ptr<cs_neg_t> &) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]

Oct 14 10:06:51 pid:1018 ERROR: Agent process [15312] exited with status [1]

The stacktrace is attached here: stacktrace.txt

I think I screwed up SSL somewhere and I don't know where. It looks like the metadata search connection to iRODS is not using SSL correctly. I have tried setting ssl.negotiation.policy to both CS_NEG_REQUIRE and CS_NEG_DONT_CARE in metalnx.properties, without much success.

The SSL setup for iRODS itself was done as described in the Metalnx documentation, except it's not a self-signed cert. I tried both using an LDAP rodsadmin user (via PAM) and an iRODS rodsadmin user with STANDARD auth scheme as jobs user. LDAP authentication via PAM works fine at login, so SSL seems to work there.

Kind regards

Gudrun

@trel
Contributor

trel commented Oct 15, 2021

If your SSL is not configured correctly - nothing should work - the iRODS Server should not let you in the front door.

If SSL is required and configured correctly - and you're still getting some metadata search issues, then that's very strange.

I'd suggest you make sure that the iCommands are working and configured correctly - and then... Metalnx is just another client (with admin privileges) and should be configured the same way.

@kalylian
Author

kalylian commented Oct 18, 2021

Hi,

thanks for your response.

> If your SSL is not configured correctly - nothing should work - the iRODS Server should not let you in the front door.

Yes, that's what I'm confused about. An iRODS Server requiring SSL will probably reject a non-SSL connection though, so this currently is my best guess, especially since the iRODS error message indicates that an RODS_CS_NEG_T message was expected (that sounds like the iRODS SSL configuration options, so it's probably SSL related), but an RODS_API_REQ was received (I'm assuming this is API related). Even more confusing, searching for data object names and checksums does work; all the other search options don't.

If I understand correctly, the searches are done via the jobs user. I'm currently using the (native) user rods as the jobs user:

:~# grep jobs metalnx.properties
jobs.irods.username=rods
jobs.irods.password=$MYPASSWORD
jobs.irods.auth.scheme=STANDARD

Logging into Metalnx as this user works just fine. CLI login works, too:

:~# grep \"rods\" ~/.irods/irods_environment.json
    "irods_user_name": "rods", 
:~# iinit
Enter your current iRODS password:
:~# ipwd
/testZone/home/rods
:~# iuserinfo | grep type
type: rodsadmin

I've passed the iRODS cert as server.crt into the container and I've set ssl.negotiation.policy to CS_NEG_REQUIRE in metalnx.properties. Is there a config option I'm not aware of?

Kind regards,

Gudrun
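
A small triage script for the server log quoted in this thread, added here as an example and not part of the issue, Metalnx or iRODS: it groups the "wrong message type ... expected [RODS_CS_NEG_T]" entries by agent pid and remote address, so the connecting client can be identified and compared against working clients such as the iCommands. The function name and record layout are assumptions; the sample lines are the entry headers copied from the log above.

```python
import re

# Entry headers copied from the log in this issue (stack-frame lines omitted).
SAMPLE_LOG = """\
Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:507:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
Oct 14 10:06:51 pid:15312 remote addresses: 172.18.0.3, ::1 ERROR: [-] /irods/server/core/src/rodsAgent.cpp:511:int runIrodsAgentFactory(sockaddr_un) : status [SYS_HEADER_TYPE_LEN_ERR] errno [] -- message [wrong message type [RODS_API_REQ] expected [RODS_CS_NEG_T]]
Oct 14 10:06:51 pid:1018 ERROR: Agent process [15312] exited with status [1]
"""

HEADER = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d pid:(?P<pid>\d+)"
    r"(?: remote addresses: (?P<remotes>.*?))? ERROR: (?P<body>.*)$"
)
MISMATCH = re.compile(r"wrong message type \[(\w+)\] expected \[(\w+)\]")
AGENT_EXIT = re.compile(r"Agent process \[(\d+)\] exited with status \[(\d+)\]")


def negotiation_failures(log_text):
    """Group negotiation-phase message-type mismatches by agent pid."""
    agents = {}
    for line in log_text.splitlines():
        entry = HEADER.match(line)
        if not entry:
            continue  # "[-]" stack-frame lines only repeat the header's message
        exited = AGENT_EXIT.search(entry["body"])
        if exited:
            # Attach the exit status to an agent already seen failing negotiation.
            if exited[1] in agents:
                agents[exited[1]]["exit_status"] = int(exited[2])
            continue
        mismatch = MISMATCH.search(entry["body"])
        if mismatch and mismatch[2] == "RODS_CS_NEG_T":
            rec = agents.setdefault(entry["pid"], {
                "remotes": set(), "received": set(),
                "entries": 0, "exit_status": None,
            })
            remotes = (entry["remotes"] or "").split(",")
            rec["remotes"].update(a.strip() for a in remotes if a.strip())
            rec["received"].add(mismatch[1])
            rec["entries"] += 1
    return agents


if __name__ == "__main__":
    for pid, rec in negotiation_failures(SAMPLE_LOG).items():
        print(pid, sorted(rec["remotes"]), sorted(rec["received"]),
              rec["entries"], rec["exit_status"])
```
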

@trel trel added this to the Backlog milestone Dec 5, 2024