irsync or icp between federated zones gives SYS_NO_API_PRIV

[Arthur Franke]

Hi all,

I'd like to use irsync to move files between two federated zones: from
ZoneA to ZoneB. ZoneB is the native zone of the iRODS user that will
be executing the commands. The iRODS user has 'own' permissions in
ZoneB, and 'read' permissions in ZoneA. ZoneB has inheritance
enabled.

Running a command like:

irsync i:/ZoneA/file.dat i:/ZoneB/file.dat

gives an error: ERROR: rsyncUtil: rsync error for /ZoneB/file.dat
status = -13000 SYS_NO_API_PRIV. Upon running an 'ils' of ZoneB, a
new entry for file.dat appears, but the file size is zero.

However, running two separate commands:

irsync i:/ZoneA/file.dat /local/file.dat
irsync /local/file.dat i:/ZoneB/file.dat

works without a problem. The file appears in ZoneB, and has the
proper size and checksum.

Trying to use 'icp' to perform a copy between the two zones produces
the same SYS_NO_API_PRIV error message. The commands 'iget' from
ZoneA and 'iput' to ZoneB work fine.

My iRODS installation is version 2.4.1, API version d.

Thoughts? Suggestions? Thanks!

-Arthur

[she...@diceresearch.org]

This is from iRODS v3.0 release note:

An irsync irods to irods fix. Fix was added to resolve problem in irsync where iRODS to iRODS (i:x i:y) sync did not work. This was patch iRODS_2.5_Patch_2.

--
"iRODS: the Integrated Rule-Oriented Data-management System; A community driven, open source, data grid software solution" https://www.irods.org

iROD-Chat: http://groups.google.com/group/iROD-Chat

[Arthur Franke]

Hi,

Thanks for the fast reply.

I'm not so sure that this is the bug addressed by 2.5p2. Since your
reply, I went through the process of upgrading to iRODS 3.0 (client
and the ZoneB server), but unfortunately I am still experiencing the
same symptoms. Neither irsync nor icp will work across the two zones,
returning the same error message as before.

Looking at the ZoneB server log, I see a pair of associated error
messages:

Feb 27 18:06:28 pid:27182 NOTICE: dataObjCopy: preProcParaGet error
for /ZoneA/file.dat
Feb 27 18:06:28 pid:27182 NOTICE: _rsDataObjClose: size in vault 0 !=
target size 129448823

The same two error messages appear for irsync and icp. As before,
they don't appear if I do irsync from ZoneA to a local directory.

Thanks in advance for any help.

-Arthur

[she...@diceresearch.org]

Hello,  is the destination zone, had default resource set ?

if you did not specific -R  resource

I did  this  in my environment

(two zones: ZoneA , ZoneB)  worked fine.

$ ./irsync -r i:/ZoneA/home/rods/test1/Pictures  i:/ZoneB/home/rods/test1/Pictures

first time , I got error about NO_ACCESS_PERMISSION :

ERROR: rsyncCollToCollUtil: rsyncDataToDataUtil failed for /ZoneB/home/rods/test1/Pictures/iChat Icons/Flags/Argentina.gif.stat=-818000 status = -818000 CAT_NO_ACCESS_PERMISSION
ERROR: rsyncCollToCollUtil: rsyncDataToDataUtil failed for /ZoneB/home/rods/test1/Pictures/iChat Icons/Flags/Australia.gif.stat=-818000 status = -818000 CAT_NO_ACCESS_PERMISSION

....

This is because, I did not provide 'read access ' for  rods#ZoneB in ZoneA

so I did this in ZoneA :

./ichmod -r read rods#ZoneB   /ZoneA/home/rods/test1/Pictures

 

then, run again, success.

[Arthur Franke]

Thank you for the suggestions, but I am still encountering the same
error messages as before.

I did have a default resource set, and even specifying one with -R
still produces the same '-13000 SYS_NO_API_PRIV' error message.

I can verify that I am able to read from ZoneA. Running an irsync
from ZoneA to a local directory or an iget from ZoneA both complete
successfully.

Thanks!

-Arthur

[mw...@diceresearch.org]

Hello Arther,

Can you check the log file in the server/log directory to see the error msg produced ?

One possible cause of the problem is the irods user (in the .irodsEnv) file you used to run

the servers in the 2 zones is not an "irods admin" user.

Mike

[Arthur Franke]

Hi Mike,

Thanks for your reply.

The user accounts currently at my disposal are a rodsadmin user in
ZoneB, and a rodsuser account called "DataDist" that I would like to
use to make the actual file movements. I don't know whether the admin
user on the ZoneB server is also a rodsadmin on the ZoneA server, as I
only have responsibility for the ZoneB server. Is there a way that I
can check this without bugging my counterpart at that site? iuserinfo
only appears to show information for the native zone.

At your suggestion, I restarted the ZoneB server and made sure to do
it while logged in as the rodsadmin user. Same error messages, still.

Below is the server log from the ZoneB server for the time of the
attempted irsync operation using the DataDist user.

Feb 28 12:08:16 pid:7915 NOTICE: Agent process 8232 started for
puser=DataDist and cuser=DataDist from 129.236.0.0
Feb 28 12:08:16 pid:8232 NOTICE: rsAuthCheck user DataDist#ZoneB
Feb 28 12:08:16 pid:8232 NOTICE: rsAuthResponse set proxy authFlag to
3, client authFlag to 3, user:DataDist#ZoneB proxy:DataDist
client:DataDist
Feb 28 12:08:16 pid:8232 NOTICE: readAndProcClientMsg: received
disconnect msg from client
Feb 28 12:08:16 pid:8232 NOTICE: Agent exiting with status = 0
Feb 28 12:08:25 pid:7915 NOTICE: Agent process 8232 exited with status
0
Feb 28 12:08:25 pid:7915 NOTICE: Agent process 8236 started for
puser=DataDist and cuser=DataDist from 129.236.0.0
Feb 28 12:08:25 pid:8236 NOTICE: rsAuthCheck user DataDist#ZoneB
Feb 28 12:08:25 pid:8236 NOTICE: rsAuthResponse set proxy authFlag to
3, client authFlag to 3, user:DataDist#ZoneB proxy:DataDist
client:DataDist
Feb 28 12:08:26 pid:7915 NOTICE: Agent process 8238 started for
puser=rods and cuser=DataDist from 134.158.0.0
Feb 28 12:08:26 pid:8238 NOTICE: rsAuthCheck user DataDist#ZoneB
Feb 28 12:08:26 pid:8238 NOTICE: readAndProcClientMsg: received
disconnect msg from client
Feb 28 12:08:26 pid:8238 NOTICE: Agent exiting with status = 0
Feb 28 12:08:27 pid:8236 NOTICE: procApiRequest: readAndProcApiReply
failed. status = -808000 status = -808000 CAT_NO_ROWS_FOUND
Feb 28 12:10:01 pid:7915 NOTICE: Agent process 8238 exited with status
0
Feb 28 12:10:01 pid:7915 NOTICE: Agent process 8256 started for
puser=rods and cuser=DataDist from 134.158.0.0
Feb 28 12:10:01 pid:8256 NOTICE: rsAuthCheck user DataDist#ZoneB
Feb 28 12:10:01 pid:8256 NOTICE: readAndProcClientMsg: received
disconnect msg from client
Feb 28 12:10:01 pid:8256 NOTICE: Agent exiting with status = 0
Feb 28 12:10:02 pid:8236 NOTICE: procApiRequest: readAndProcApiReply
failed. status = -13000 status = -13000 SYS_NO_API_PRIV
Feb 28 12:10:02 pid:8236 NOTICE: dataObjCopy: preProcParaGet error
for /ZoneA/file.dat
Feb 28 12:10:02 pid:8236 NOTICE: _rsDataObjClose: size in vault 0 !=
target size 129448823
Feb 28 12:10:02 pid:8236 NOTICE: readAndProcClientMsg: received
disconnect msg from client
Feb 28 12:10:02 pid:8236 NOTICE: Agent exiting with status = 0

[mw...@diceresearch.org]

Arther,

>I don't know whether the admin
>user on the ZoneB server is also a rodsadmin on the ZoneA server

The admin user in ZoneB needs to be registered as a "remote admin" user.

"remote admin" user does not have the same privilege as a normal admin user.

I think currently only "admin" user can run iadmin to list user privilege.

[Jean-Yves Nief]

hello Arthur,

Arthur Franke wrote:
> Hi Mike,
>
> Thanks for your reply.
>
> The user accounts currently at my disposal are a rodsadmin user in
> ZoneB, and a rodsuser account called "DataDist" that I would like to
> use to make the actual file movements. I don't know whether the admin
> user on the ZoneB server is also a rodsadmin on the ZoneA server, as I
> only have responsibility for the ZoneB server. Is there a way that I
> can check this without bugging my counterpart at that site?

it is not possible as an irods user from your zone will always have
limited privileges in the other zone. Don't worry, you can ask me
without any problem :-). I was in and out in the last few days so I
could not have a look at this.
I am puzzled by what the error that you have. I see you connecting to
the CC-IN2P3 zone but no error there.
Can you send me your zone informations offline (iadmin lz) so I can
check that your zone is set up properly on our side ?
cheers,
JY

[Roger Downing]

Hi JY,

We have hit a similar problem on our federation testing for EUDAT. Could you let me know what was done to resolve this in your situation?

Thanks a lot,

Roger

[mw...@diceresearch.org]

Hello Roger,

What version of iRODS are you using ?

There is a fix in 3.2 that fixed a problem of icp involving 3 zones. e.g.,

if you are in Zone A and tried to copy a file from zone B to zone C.

[Roger Downing]

Hi Mike,

Ah we're still using iRODS 3.0 for some scalability testing we have been doing, but we're going to run version 3.2 in production. I guess we should upgrade to 3.2 and try this federation test again. What you describe is not exactly the situation we have, though there are indeed 3 zones in the federation.

Thanks,

Roger

[Jean-Yves Nief]

hello Roger,

Arthur zone was a v3.0 zone; However, our zone was (and is
still) a v2.5 zone as we have not a lot of freedom to make the upgrade.
And there was also a bug in 2.5 regarding interzone operations. You
should upgrade to the latest one.
cheers,
JY

Roger Downing wrote:
> Hi JY,
> We have hit a similar problem on our federation testing for EUDAT.
> Could you let me know what was done to resolve this in your situation?
>
> Thanks a lot,
>
> Roger
>
> On 1 March 2012 17:03, Jean-Yves Nief <ni...@cc.in2p3.fr