XAPI Questions regarding user permissions needed to function properly


Ajay Kurani

Jun 14, 2024, 1:36:22 PM
to xnat_discussion
Hi XNAT Experts,
   I wanted to touch base as we had some questions for the xapi container permissions as we run some commands within a container.  We are using the following code:
import json
import requests

# get cookie using requests, byte decoding cookie

jsess = requests.post(host+'/data/JSESSION', auth=(xnat_user, xnat_pass))
cookie = jsess.content.decode('ascii')
cookies = {'JSESSIONID': cookie,}

url = f"{host}/data/projects/{project}/subjects/{subject_id}/experiments?format=csv&xsiType=xnat:mrSessionData&columns=xnat:subjectData/label"
r = requests.get(url, cookies=cookies)


# get user_id and workflow _id from container info
url = f"{host}/xapi/containers/{container_id}/"
r = requests.get(url, cookies=cookies)
r_dict = json.loads(r.text)
workflow_id = r_dict['workflow-id']
For the code above we were using cookies that we generated  with xnat_user and xnat_pass.  Those variables import the XNAT_USER and XNAT_PASS variables that are passed inside the container.

When using this cookie with rest-api call initially, it works.  When I use the cookie with /xapi/containers command this fails.   Then instead of using the XNAT_USER and XNAT variables I tested coding in my login user and credentials directly and the second xapi code that previously failed now works fine.  I happen to be an admin so my questions are as follows:

1) Does the second URL command (f"{host}/xapi/containers/{container_id}/") not work with XNAT_USER/XNAT_PASS variables since they are a coded string instead of the actual login credentials?
2) Does the /xapi/containers require admin / site access or can a regular user use this command?

Best,
Ajay   

John Flavin

Jun 14, 2024, 3:07:38 PM
to xnat_di...@googlegroups.com
Hi Ajay,

The /containers/{id} API is not restricted to admins only, any logged-in user can access it. The information that comes back will be different for admins (and project owners) vs ordinary users, because a lot of the information about a container launch is sensitive, but the API should be accessible. 

In fact, looking through the rest of what you’re trying to do, the workflow ID is not something that is populated for non-admin non-owner users. I bet that's the issue. The user running the second container is trying to get information about the first container, but they don't have the permission they need to see everything.

(This is probably something that should be changed. The workflow ID of a container isn't sensitive and could be shown to non-admins.)

John Flavin


Ajay Kurani

Jun 17, 2024, 1:18:18 PM
to xnat_discussion
Hi John,
   This looks to be the crux of the issue. I was able to create a workaround where I created a container_admin credential and pass it to the container at runtime for the purpose of the API and clear.

As a follow up question I wanted to see if using the XNAT_USER and XNAT_PASS will run into a similar issue with the rest api for specific information/fields:

url = f"{host}/data/projects/{project}/subjects/{subject_id}/experiments?format=csv&xsiType=xnat:mrSessionData&columns=xnat:subjectData/label"

xnat_user = os.environ.get("XNAT_USER")
xnat_pass = os.environ.get("XNAT_PASS")
jsess = requests.post(host+'/data/JSESSION', auth=(xnat_user, xnat_pass))
cookie = jsess.content.decode('ascii')
cookies = {'JSESSIONID': cookie,}

Thanks,
Ajay

John Flavin

Jun 17, 2024, 1:57:27 PM
to xnat_di...@googlegroups.com
I suspect that API call would be fine, so long as the user launching the container has access to that subject and session.

As a side note, I think requests can take care of managing the session cookies for you if you use the Session object. Something like this:

s = requests.Session()
s.auth = (xnat_user, xnat_pass)
s.post(host + '/data/JSESSION')

All the calls you make with the s object after that should use that JSESSIONID cookie automatically, without you needing to manually parse it out and store it. See https://docs.python-requests.org/en/latest/user/advanced/#session-objects

A second, even more aside side note: when you have a response object r, you can call r.json() to parse the response body into a dictionary rather than doing json.loads(r.text).

John Flavin
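
The session handling suggested above, combined with the earlier point that the workflow ID is not populated for non-admin, non-owner users, as an added example that is not part of the original thread or of XNAT's own code. The `FakeSession` class, the sample response bodies, the `XNAT_HOST` variable and the example host are assumptions made so the block runs offline; only the `workflow-id` field name and the two URLs come from the thread.

```python
import os

# Constructed sample bodies for GET /xapi/containers/{id}; only "workflow-id"
# is a field name taken from the thread, the other keys are placeholders.
ADMIN_VIEW = {"id": 7, "status": "Complete", "workflow-id": "53753"}
USER_VIEW = {"id": 7, "status": "Complete"}  # non-admin, non-owner caller


def open_xnat_session(host, user, password):
    """Log in once; the Session then sends JSESSIONID on every later call."""
    import requests  # imported here so the helpers below run without it
    s = requests.Session()
    s.auth = (user, password)
    s.post(host + "/data/JSESSION").raise_for_status()
    return s


def container_workflow_id(session, host, container_id):
    """Return the workflow ID, or None when XNAT withholds it from this user."""
    r = session.get(f"{host}/xapi/containers/{container_id}/")
    r.raise_for_status()  # a 401/403/404 surfaces here, not as a KeyError
    return r.json().get("workflow-id")


class FakeSession:
    """Offline stand-in for requests.Session that replays one constructed reply."""

    def __init__(self, body, status=200):
        self.body, self.status = body, status

    def get(self, url):
        self.last_url = url
        return self

    def raise_for_status(self):
        if self.status >= 400:
            raise PermissionError(f"HTTP {self.status} for {self.last_url}")

    def json(self):
        return self.body


if __name__ == "__main__":
    host = os.environ.get("XNAT_HOST", "https://xnat.example.org")  # placeholder
    for label, body in (("admin/owner", ADMIN_VIEW), ("ordinary user", USER_VIEW)):
        wfid = container_workflow_id(FakeSession(body), host, "abc123")
        print(label, "->", wfid if wfid is not None else "workflow-id not visible")
```

Inside a real container, `open_xnat_session(host, os.environ["XNAT_USER"], os.environ["XNAT_PASS"])` replaces `FakeSession`, and a `None` result tells the script that the launching user cannot see the field, without needing an admin credential to find that out.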

Ajay Kurani

Jun 17, 2024, 2:25:29 PM
to xnat_discussion
Hi John,
   Thanks for the suggestions.  So I have a final question.  When launching the container it keeps failing with the following error: Did not start.Could not start container 832b266405053c7b8f2c4b955631ae80cde393d4a287247853ea3252462a742f: Request error: POST http://doc.northwestern.edu:1111/containers/832b266405053c7b8f2c4b955631ae80cde393d4a287247853ea3252462a742f/start: 500

However, when I log into the docker server and run the following it works just fine:

docker run -i -t doc.northwestern.edu:6000/mriqc:v1.0 /bin/sh

python /usr/local/bin/mriqc.py --project=TEST --subject=/archive/subjects/XNAT_S02070 "--session=/archive/subjects/XNAT_S02070/experiments/XNAT_E02222" --analysis_name=mriqc --overwrite=No "--t1w=/archive/subjects/XNAT_S02070/experiments/XNAT_E02222/scans/3"



In checking the configuration page for containers everything looks ok on status and I even removed and re-added the resources to ensure it was saying ok. I'm not sure if this issue has been encountered on XNAT 1.8.9.1? There is no std.out and std.err since it only writes out a file at the end of the day.


Thanks,

Ajay 


John Flavin

Jun 18, 2024, 11:39:11 AM
to xnat_di...@googlegroups.com
From that description I can't really say why that is happening. Can you find any additional details in the containers.log file, or any other logs?

John Flavin

Ajay Kurani

Jun 19, 2024, 1:36:36 PM
to xnat_discussion
Hi John,
   Here are some additional logs from container service. The setup is that the app VM and docker VM are two different virtual machines with connections across. I am running XNAT 1.8.9.1 and container plugin 3.4.2-fat.

2024-06-19 12:17:24,481 [DefaultMessageListenerContainer-5] ERROR org.nrg.containers.api.DockerControlApi - Request error: POST http://doc.northwestern.edu:2375/containers/5cc9cf0300ffd8f49ca0537fd308eb08e59b887b4ec24ae7a8ed0f351e9ff1e0/start: 500
2024-06-19 12:17:24,694 [DefaultMessageListenerContainer-5] ERROR org.nrg.containers.services.impl.ContainerServiceImpl - Container launch failed for wfid 53753.
org.nrg.containers.exceptions.ContainerException: Failed to start
    at org.nrg.containers.services.impl.ContainerServiceImpl.start(ContainerServiceImpl.java:719)
    at org.nrg.containers.services.impl.ContainerServiceImpl.launchResolvedDockerCommand(ContainerServiceImpl.java:702)
    at org.nrg.containers.services.impl.ContainerServiceImpl.launchResolvedCommand(ContainerServiceImpl.java:635)
    at org.nrg.containers.services.impl.ContainerServiceImpl.launchResolvedCommand(ContainerServiceImpl.java:620)
    at org.nrg.containers.services.impl.ContainerServiceImpl.consumeResolveCommandAndLaunchContainer(ContainerServiceImpl.java:595)
    at org.nrg.containers.jms.listeners.ContainerStagingRequestListener.onRequest(ContainerStagingRequestListener.java:49)
    at sun.reflect.GeneratedMethodAccessor2060.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:180)
    at org.springframework.messaging.handler.invocation.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:112)
    at org.springframework.jms.listener.adapter.MessagingMessageListenerAdapter.invokeHandler(MessagingMessageListenerAdapter.java:104)
    at org.springframework.jms.listener.adapter.MessagingMessageListenerAdapter.onMessage(MessagingMessageListenerAdapter.java:69)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.doInvokeListener(AbstractMessageListenerContainer.java:719)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.invokeListener(AbstractMessageListenerContainer.java:679)
    at org.springframework.jms.listener.AbstractMessageListenerContainer.doExecuteListener(AbstractMessageListenerContainer.java:649)
    at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.doReceiveAndExecute(AbstractPollingMessageListenerContainer.java:317)
    at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.receiveAndExecute(AbstractPollingMessageListenerContainer.java:255)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1167)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1159)
    at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:1056)
    at java.lang.Thread.run(Thread.java:750)


I did use telnet to test the connections between the VM and docker host VM and it worked, and when I go on the docker VM and run the container manually it runs. Any suggestions would be appreciated.

Best,
Ajay

Ajay Kurani

Jun 19, 2024, 3:18:10 PM
to xnat_discussion
Hi John,
  As an additional piece of info, we are running Docker version 20.10.18, build b40c2f6 on RedHat.

Best,
Ajay

John Flavin

Jun 19, 2024, 4:11:40 PM
to xnat_di...@googlegroups.com
I checked in the code, and while I don't have an answer I do have another place to look. The message that gets logged when a container fails to start isn't really that helpful, but if you look up that container in the container history UI it should have at least a little information from the error message that was received from docker (via the docker-client library, which may have done its own interpretation of that message).

Ajay Kurani

Jun 20, 2024, 11:05:01 PM
to xnat_discussion
Hi John,
   Thanks for the suggestion. I was able to use docker inspect and saw that since on the XNAT container plugin there is a user to launch, I needed to add that user into the build of the container itself. Once I made that change it works through the container plugin.

Thanks,
Ajay
