Bug #3908
closed
replication data user permission error
Added by Michael Daigle over 15 years ago.
Updated over 15 years ago.
Description
From Jing
I observed some error messages during the replication from LTER to KNB:
Failed to write doc pisco_recruitment.314.1 into db because User does not have
permission to update of access rules for data file pisco_recruitment.120
[edu.ucsb.nceas.metacat.ReplicationHandler]
Metacat: [ERROR]: error to handle update doc in xml_documents in time
replicationUser does not have permission to update of access rules for data
file pisco_recruitment.120 [edu.ucsb.nceas.metacat.ReplicationHandler]
Metacat: [ERROR]: Error in Eml200SAXHanlder.handleOnlineUrlDataFile is User
does not have permission to update of access rules for data file
pisco_recruitment.120 [edu.ucsb.nceas.metacat.Eml200SAXHandler]
I think this is an issue (which may NOT be related to Margaret's one). During
the replication, there is no user login, so the user is null and it should have
all permissions to write documents into the db. Obviously, this access control
rule was modified.
Looking into documents on LTER metacat:
pisco_recruitment.120 is a data file in the package pisco_recruitment.123.
There is an additionalMetadata element that specifies permissions for data 120:
additionalMetadata
|___text '\n '
|___element 'describes'
| |___text 'pisco_recruitment.120'
|___text '\n '
|___element 'access'
| | \___attribute 'authSystem' = 'ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org'
| | \___attribute 'order' = 'denyFirst'
| |___text '\n '
| |___element 'allow'
| | |___text '\n '
| | |___element 'principal'
| | | |___text 'public'
| | |___text '\n '
| | |___element 'permission'
| | | |___text 'read'
| | |___text '\n '
| |___text '\n '
| |___element 'allow'
| | |___text '\n '
| | |___element 'principal'
| | | |___text 'cn=data-managers,o=PISCOGROUPS,dc=ecoinformatics,dc=org'
| | |___text '\n '
| | |___element 'permission'
| | | |___text 'all'
| | |___text '\n '
| |___text '\n '
| |___element 'allow'
| | |___text '\n '
| | |___element 'principal'
| | | |___text 'cn=pisco-intertidal-write,o=PISCOGROUPS,dc=ecoinformatics,dc=org'
| | |___text '\n '
| | |___element 'permission'
| | | |___text 'all'
| | |___text '\n '
| |___text '\n '
|___text '\n'
Looking at the error message again, and looking at the IDs involved:
I found EML doc "pisco_recruitment.123.1" that specifies access for data file "pisco_recruitment.120.1",
but the log message indicates that "pisco_recruitment.314.1" is trying to ALSO specify access for data file "pisco_recruitment.120.1".
Is this perhaps what the problem is?
Also note: I cannot find the EML file "pisco_recruitment.314.1" on the LTER server.
Hi, Ben. I think this is perhaps the issue: "pisco_recruitment.314.1" is trying to ALSO specify access for data file "pisco_recruitment.120.1".
The replication system was getting a user from the post request for certain read operations. It should have ALL permissions. Added a "replication" user that has ALL permissions and used that user for all replication read and write calls.
Note, the replication user was added to the SessionService (next to the public user) so that it is always logged in.
Original Bugzilla ID was 3908
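An added example, not Metacat's code, that models the failure and the fix described in this ticket: with no logged-in user the replication write is evaluated as `public` against the data file's access block and is refused, while a built-in replication principal bypasses the document ACL. Assumptions: the principal name `replication`, the function names, the shortened sample XML, and simplified semantics (`all` covers every permission; under `denyFirst` an allow rule overrides a deny rule, under `allowFirst` the reverse).

```python
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the access block quoted in the ticket.
SAMPLE = """<additionalMetadata>
  <describes>pisco_recruitment.120</describes>
  <access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
          order="denyFirst">
    <allow><principal>public</principal><permission>read</permission></allow>
    <allow>
      <principal>cn=data-managers,o=PISCOGROUPS,dc=ecoinformatics,dc=org</principal>
      <permission>all</permission>
    </allow>
  </access>
</additionalMetadata>"""

REPLICATION_USER = "replication"  # assumed name for the built-in principal


def parse_rules(xml_text):
    """Return (order, [(kind, principal, permission), ...]) from an access block."""
    access = ET.fromstring(xml_text).find("access")
    rules = [
        (rule.tag, rule.findtext("principal").strip(), rule.findtext("permission").strip())
        for rule in access
        if rule.tag in ("allow", "deny")
    ]
    return access.get("order", "allowFirst"), rules


def has_permission(principals, wanted, order, rules, trust_replication=True):
    """Decide whether any of the caller's principals holds the wanted permission."""
    # The fix: the replication principal is never subject to document ACLs.
    if trust_replication and REPLICATION_USER in principals:
        return True

    def matches(kind):
        return any(
            k == kind and p in principals and perm in (wanted, "all")
            for k, p, perm in rules
        )

    allowed, denied = matches("allow"), matches("deny")
    if order == "denyFirst":
        return allowed              # allow rules are applied last and win
    return allowed and not denied   # allowFirst: deny rules are applied last and win
```

Because this principal bypasses every ACL, the set of principals passed to the check has to come from the server-side session and not from a request parameter.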