basemount - user permissions

[Tobias Meißner]

Hi,

I have mounted basespace using basemount -o allow_other /data/basespace/ . The issue I am facing is that as a non-root user I can browse directories just fine, but I am not able to access the /Files directories:

as root:

root@master:~# ls -lah /data/basespace/Projects/SU_MP1/Samples/SU_MP1_A1

total 5.0K

dr-xr-xr-x 2 root root  13G Aug  5 08:10 .

drwxr-xr-x 2 root root    0 Aug 11 19:33 ..

-r-------- 1 root root  140 Aug 11 19:34 .curl

lrwxrwxrwx 1 root root   52 Aug 11 19:34 Files -> /tmp/basemount.root.17241/Samples/27387389/bsfs/data

-r--r--r-- 1 root root 3.7K Aug 11 19:34 .json

ls -lah /data/basespace/Projects/SU_MP1/Samples/SU_MP1_A1/Files/

total 13G

dr-xr-xr-x 2 root root    0 Aug 12 22:45 .

dr-xr-xr-x 2 root root    0 Aug 12 22:45 ..

-r--r--r-- 1 root root 1.6G Aug  5 08:42 BT474-P_S1_L001_R1_001.fastq.gz

-r--r--r-- 1 root root 1.7G Aug  5 08:42 BT474-P_S1_L001_R2_001.fastq.gz

-r--r--r-- 1 root root 1.6G Aug  5 08:42 BT474-P_S1_L002_R1_001.fastq.gz

-r--r--r-- 1 root root 1.7G Aug  5 08:42 BT474-P_S1_L002_R2_001.fastq.gz

-r--r--r-- 1 root root 1.7G Aug  5 08:42 BT474-P_S1_L003_R1_001.fastq.gz

-r--r--r-- 1 root root 1.8G Aug  5 08:42 BT474-P_S1_L003_R2_001.fastq.gz

-r--r--r-- 1 root root 1.7G Aug  5 08:42 BT474-P_S1_L004_R1_001.fastq.gz

-r--r--r-- 1 root root 1.8G Aug  5 08:42 BT474-P_S1_L004_R2_001.fastq.gz

as user:

tobias@master:/root$ ls -lah /data/basespace/Projects/SU_MP1/Samples/SU_MP1_A1

total 5.0K

dr-xr-xr-x 2 root root  13G Aug  5 08:10 .

drwxr-xr-x 2 root root    0 Aug 11 19:33 ..

-r-------- 1 root root  140 Aug 11 19:34 .curl

lrwxrwxrwx 1 root root   52 Aug 11 19:34 Files -> /tmp/basemount.root.17241/Samples/27387389/bsfs/data

-r--r--r-- 1 root root 3.7K Aug 11 19:34 .json

tobias@master:/root$ ls -lah /data/basespace/Projects/SU_MP1/Samples/SU_MP1_A1/Files/

ls: cannot access /data/basespace/Projects/SU_MP1/Samples/SU_MP1_A1/Files/: Permission denied

Any advice on how to access the /Files directories as user?

Cheers,

Tobias

[Lilian Janin]

Hi Tobias,

You shouldn't run BaseMount as root: you should just launch it as your intended user, and everything will hopefully work...

Lilian

[Tobias Meißner]

The idea is to mount is once and have all users on the system access the mountpoint, as I think multiple users won't be able to mount basespace at the same time..

Tobias

[Lilian Janin]

For this first version, we restricted ourselves to single user access, mainly to avoid having to deal with security issues when multiple users can view the same data.

However, as you seem to be willing to take the risks yourself, feel free to share your password or access token with other users, but be aware that this is even worse than sharing your linux password, as you currently have no way to revoke your access tokens.

>  [..]] as I think multiple users won't be able to mount basespace at the same time..

Multiple users can actually mount the same BaseSpace account at the same time.

Lilian

[JvanEyll]

Hey,

I've slightly related question :

I mounted BaseSpace account on a host machine with a user "user1" and I can read my files in the host.

However, some of my analytical algorithms are running in a Docker container on the host that shares the host's file system where Basemount has been done.

In the container (and hosted programs), I can see the folder but I cannot access the files, even in read access.

Is there an option/trick to allow the docker container to read access the Basemount on the host ?

Thanks in advance,

Jonathan.

I'd like to offer permission to read not to physical users but to 

[Lilian Janin]

Hi Jonathan,

It seems related indeed, and in response to the original post, BaseMount v0.11+ should now work with -o allow_other even at the Files level, as long as you don't use the BSFS plugin.

I don't know Docker much, so others may have a better solution.

Anyway, here are 2 methods that seem to work, even though they don't seem ideal from a security point of view:

- Running BaseMount with "-o allow_root" (on a blank Amazon instance I had to uncomment user_allow_other in /etc/fuse.conf, and make this file readable to all)

- Running BaseMount inside the Docker container (need `docker --privileged` or the weird options mentioned in the doc: https://help.basespace.illumina.com/articles/descriptive/introduction-to-basemount/ , "Docker" section)

Lilian

[JvanEyll]

Hi Lilian,

Thanks a lot for your quick response.

I already tried to mount BS directly in the container and that works fine. The issue is that you need to remount it for every docker container you need it in and that's why I wanted to mount it once on the host and then share with the different containers running.

I tested your proposal to "allow_root" (/etc/fuse.conf file was already modified before) but it didn't give me any better read permissions once in the container.

In the meantime, I've tried to map the first sub-folder in the Basemount FS directly to the container and that works as a charm. This is achieved by passing the argument "-v /home/user1/.../.../BSmount/Projects:/home/user1/BSmount_Projects" to the docker run command.

I guess, once we've passed the first mapped folder and authorizations, the folder can be shared directly...

Thanks for your kind help and inspiration provided !

Jonathan.

[Wei]

Hi,

I encountered a similar issue with permissions, but perhaps less complex than Jonathan's?

I tried using basemount according to the online manual, all steps went as expected, but when I get to the stage of:

# Create a file there (or copy one with `cp`)

echo "Hello BaseSpace" > Files/hello.txt

I ran into the error of "Permission denied". Neither can I copy a BAM file via the cp command (same error). I also tried going root with sudo, and changing the etc/fuse.conf, which didn't solve the problem. Would there be a solution to this?

I am running Ubuntu on VMWare, and would like to use the Cufflinks, DESeq2 and RNA Express apps on both FASTQ and BAM.

Thank you.

Wei

[Lilian Janin]

Hi Wei,

I'm really not sure.

Could you please post the output of `ls -la` just after the mkdir, then enter the directory you just created, and run `ls -la` again. and `ls -la Files`? That'll tell us about directory permissions (which should reflect basespace's write ability)...

Or it could also be an access token problem. If you could run basemount with the "-f" option, as explained there: https://help.basespace.illumina.com/articles/descriptive/introduction-to-basemount/#Troubleshooting

Could you send me a private message (private because it may contain your access token) with the last 1000 lines of basemount output just after trying the `echo "Hello BaseSpace" > Files/hello.txt`?

Thanks,

Lilian <Away from office, response may be delayed>

[Sarah]

Hello,

I am running into a similar issue as discussed here by JvanEyll in 2016. Has a better way been developed to allow a docker container to access basemount, other than enabling allow_root or passing a map to a subfolder of basemount to the docker run?

My goal is to access basemount FASTQ files from an NVIDIA server to launch Parabricks pipelines, skipping a FASTQ or run/project download step. If there is a better way to do this that does not relate to my question above, please let me know!

Thank you,

Sarah