Download problem when user isn't specifically listed in the ACL list #177

Open
carrgilson opened this issue Jul 21, 2016 · 2 comments
@carrgilson

In a setup where the iRODS server [4.1.8] is configured with the STRICT ACL policy, if a file does not have that user explicitly listed in the ACL (i.e. not as a member of a group), the file will not download and will instead provide this error message:

{"error":{"cause":null,"class":"java.io.FileNotFoundException","localizedMessage":"no access to the file","message":"no access to the file","stackTrace":[{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.services.FileService","fileName":"FileService.groovy","lineNumber":124,"methodName":"obtainInputStreamForDownloadSingleFile","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"org.irods.jargon.idrop.web.controllers.DownloadController","fileName":"DownloadController.groovy","lineNumber":43,"methodName":"show","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.PageFragmentCachingFilter","fileName":"PageFragmentCachingFilter.java","lineNumber":198,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"grails.plugin.cache.web.filter.AbstractFilter","fileName":"AbstractFilter.java","lineNumber":63,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"com.brandseye.cors.CorsFilter","fileName":"CorsFilter.java","lineNumber":82,"methodName":"doFilter","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor","fileName":"ThreadPoolExecutor.java","lineNumber":1142,"methodName":"runWorker","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.util.concurrent.ThreadPoolExecutor$Worker","fileName":"ThreadPoolExecutor.java","lineNumber":617,"methodName":"run","nativeMethod":false},{"class":"java.lang.StackTraceElement","className":"java.lang.Thread","fileName":"Thread.java","lineNumber":745,"methodName":"run","nativeMethod":false}],"suppressed":[]}}

Users are able to view information on data objects as expected while having permissions through group membership but cannot download the data object unless they are explicitly listed in the ACL.

For example:
This file can be downloaded by usera:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - usera#tempZone:own

While this file can be listed by usera but errors when download is attempted:

$ ils -A file.jpg
  /tempZone/home/usera/file.jpg
        ACL - public#tempZone:read object

@michael-conway
Collaborator

Thanks! That sounds like a bug, I'll give that a unit test.

@michael-conway
Collaborator

This may be down in Jargon... it does a pre-check before allowing download.
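
As an added illustration (not Jargon's or this project's code), the Python sketch below parses the two `ils -A` listings from the report and compares a check that matches only the user's own ACL entry with one that also resolves group entries. The function names, and the assumption that `usera` is a member of `public`, are not from the thread.

```python
import re

# Permission names as printed by `ils -A` on iRODS 4.1.x, weakest first.
LEVELS = {"read object": 1, "modify object": 2, "own": 3}
ACE = re.compile(r"([^\s#]+)#([^\s:]+):(own|modify object|read object)")

# The two listings quoted in the issue.
OWN_LISTING = """  /tempZone/home/usera/file.jpg
        ACL - usera#tempZone:own
"""
GROUP_LISTING = """  /tempZone/home/usera/file.jpg
        ACL - public#tempZone:read object
"""

def parse_acl(ils_output):
    """Return {(name, zone): level} from the 'ACL -' lines of `ils -A` output."""
    acl = {}
    for line in ils_output.splitlines():
        if line.strip().startswith("ACL -"):
            for name, zone, perm in ACE.findall(line):
                acl[(name, zone)] = LEVELS[perm]
    return acl

def direct_level(acl, user, zone):
    """Level seen by a check that only matches the user's own ACL entry."""
    return acl.get((user, zone), 0)

def effective_level(acl, user, zone, groups):
    """Highest level granted directly or through any of the user's groups."""
    principals = [user, *groups]
    return max(acl.get((p, zone), 0) for p in principals)

def can_download(level):
    """Downloading needs at least read access to the data object."""
    return level >= LEVELS["read object"]

if __name__ == "__main__":
    groups = ["public"]  # assumption: usera belongs to the public group
    for label, text in (("own", OWN_LISTING), ("group", GROUP_LISTING)):
        acl = parse_acl(text)
        d = direct_level(acl, "usera", "tempZone")
        e = effective_level(acl, "usera", "tempZone", groups)
        print(label, "direct:", can_download(d), "effective:", can_download(e))
```

A unit test for the reported behaviour would pin the second listing: the group-resolved check allows the download while the direct-only check refuses it.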
