Ticket troubles #327

Closed
wpbonelli opened this issue Jan 9, 2022 · 16 comments

@wpbonelli

wpbonelli commented Jan 9, 2022

Hello, I'm working with the ticket system and am struggling to determine what is my own user error vs. a possible issue. In particular I have hit a few stumbling blocks:

  • tickets granted via Python return None

from irods.session import iRODSSession
from irods.ticket import Ticket

me = iRODSSession(host='data.cyverse.org', port=1247, user='wbonelli', password='********', zone='iplant')

read_ticket = Ticket(me).issue('read', '/iplant/home/wbonelli/a_test_folder')    # None
write_ticket = Ticket(me).issue('write', '/iplant/home/wbonelli/a_test_folder')  # also None

Invoking issue returns silently as if successful but the return value is None. I've confirmed it's not a malformed path or anything (adding a slash to the end produces irods.exception.CAT_UNKNOWN_COLLECTION).

  • ticket-authorized anonymous uploads fail

To work around the above I have been obtaining tickets from the Terrain API, e.g.

POST https://de.cyverse.org/terrain/secured/filesystem/tickets?mode=read&public=false&uses-limit=10
{
    "paths": [
        "/iplant/home/wbonelli/a_test_folder/"
    ]
}

This succeeds and returns e.g.

{
    "user": "wbonelli",
    "tickets": [
        {
            "path": "/iplant/home/wbonelli/a_test_folder",
            "ticket-id": "********-****-****-****-************",
            ...
        }
    ]
}

Read and write tickets are both sufficient (as expected) to download items from an anonymous session. For instance, with a read-authorized ticket:

from irods.session import iRODSSession
from irods.ticket import Ticket
from irods.models import Collection
from irods.collection import iRODSCollection

anon = iRODSSession(host='data.cyverse.org', port=1247, user='anonymous', password='', zone='iplant')
Ticket(anon, '<read ticket>').supply()

coll = anon.query(Collection).one()
collection = iRODSCollection(anon.collections, coll)

for o in collection.data_objects:
    print(o.path)                                     # this works
    anon.data_objects.get(o.path, '/tmp/' + o.name)   # this works but throws an error

This successfully downloads the file but then produces an irods.exception.CAT_SQL_ERR (easily caught and smothered but seems to point to something strange going on under the hood).

However, uploads consistently fail, e.g.:

from irods.session import iRODSSession
from irods.ticket import Ticket
from irods.models import Collection
from irods.collection import iRODSCollection

anon = iRODSSession(host='data.cyverse.org', port=1247, user='anonymous', password='', zone='iplant')
Ticket(anon, '<write ticket>').supply()

anon.data_objects.put('/Users/wes/Desktop/test2.txt', '/iplant/home/wbonelli/a_test_folder/test2.txt')

This gives irods.exception.CAT_NO_ACCESS_PERMISSION: no permission to update collection '/iplant/home/wbonelli/a_test_folder'. The same method (session.data_objects.put) works fine with a password-authenticated session.

Thanks in advance for any help

@d-w-moore
Collaborator

Will try to reproduce! Thanks.

@trel
Member

trel commented Jan 9, 2022

What version of iRODS server are you connecting to?

I don't think that is going to be the issue, but it could narrow the search space.

@wpbonelli
Author

I'm just connecting to the data.cyverse.org host. I'm not sure how to check that server's version.

Sorry that's not very helpful, please let me know if I am misunderstanding something or can provide any other info. Thanks

@trel
Member

trel commented Jan 9, 2022

No worries - if you have iCommands available/connected, you can run imiscsvrinfo.

@wpbonelli
Author

Ah ok, thanks. Running that after connecting with the same info gives

RCAT_ENABLED
relVersion=rods4.2.8
apiVersion=d
rodsZone=iplant
up 33 days, 5:17

@d-w-moore
Collaborator

ok will repro with 4.2.8, thanks again @w-bonelli @trel

@wpbonelli
Author

thank you @trel @d-w-moore !

@d-w-moore
Collaborator

@w-bonelli Well, unfortunately I haven't been able to reproduce the first part of this issue, that is, the None being returned from the Ticket.issue( ) function. On Ubuntu 18 and iRODS 4.2.8, with python-irodsclient checked out from current tip of main, this does work for me:

$ python -ic 'from irods.test.helpers import make_session;from irods.ticket import Ticket; from irods.session import iRODSSession'
>>> ses = iRODSSession(user='dan',password='dpass',port=1247,host='localhost',zone='tempZone')
>>> ses.collections.create('/tempZone/home/dan/newcoll')
<iRODSCollection 10021 b'newcoll'>
>>> t1 = Ticket(ses).issue('read','/tempZone/home/dan/newcoll') 
>>> t1
<irods.ticket.Ticket object at 0x7f71f4ca0e48>
>>> t1.string
'1w9g5px5TECwKBe'
>>> t2 = Ticket(ses).issue('write','/tempZone/home/dan/newcoll') 
>>> t2       
<irods.ticket.Ticket object at 0x7f71f4ca0e10>
>>> t2.string
'EyWfZlH2YnEEKy8'
>>> ses.server_version
(4, 2, 8)

@d-w-moore
Collaborator

@w-bonelli I'm also not able to reproduce the CAT_SQL_ERR using the anon session downloading script you provided above. Let's please be sure you're using an install of v1.0.0 of the python irodsclient, or as recent as possible a checkout from the main branch.

@d-w-moore
Collaborator

@w-bonelli However, the inability to upload to a collection via a write ticket on the collection is a known problem!

@wpbonelli
Author

wpbonelli commented Jan 15, 2022

Thanks @d-w-moore ! Didn't catch the write ticket issue on the iRODS repo before.

Is there any workaround you'd suggest for a service aiming to do least-privilege writes on users' behalf? Currently we use Terrain, but for any large data it seems much better to create an archive and ibun it straight to iRODS. Don't want to DoS the science apis...

@wpbonelli
Author

Just tested the Ticket.issue issue again and it does not occur with an install from source. I'm seeing it with v1.0.0 installed via pip on both OSX Monterey and Ubuntu 18.04 though.

@d-w-moore
Collaborator

Ah, ok - I'll try it again via pip install, and will also look into the write functionality.

@d-w-moore
Collaborator

> Just tested the Ticket.issue issue again and it does not occur with an install from source. I'm seeing it with v1.0.0 installed via pip on both OSX Monterey and Ubuntu 18.04 though.

Ah yes, that makes perfect sense. Explains why I haven't duplicated any of the problems you see. The ticket "functionality" in v1.0.0 is near-null in terms of added value. Tbh we should've released a new PRC by now or at least made it clear in the README that the discussed Ticket functionality applies only to the forthcoming release v1.1.0 (due within the week). If you wish to have that functionality, you should fetch the tip of branch main in the repo, or wait for the release to be cut, which is actually imminent.

Sorry for the confusion!

@trel
Member

trel commented Jan 15, 2022

So, if everyone agrees this is moot - we can close the issue. Thanks!

@wpbonelli
Author

Ah, got it - thanks both for the help.

I did in fact find a way to get even the pip-installed version to work... after creating a Ticket instance and invoking issue, even though that method's return value has no ticket, I was able to successfully supply an anonymous session with the Ticket instance's ticket property. Originally I thought each issue call returned a new ticket string, now I see it grants permissions to an existing string set in the ctor and passed along with the API request. Makes sense.

Thanks again!
