Ecoinformatics Redmine (https://projects.ecoinformatics.org/ecoinfo/)
Metacat - Bug #6086: publish service call fails to authenticate properly

Matt Jones (jones@nceas.ucsb.edu), 2013-09-06T23:46:30Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20744
<ul><li><strong>Description</strong> updated</li></ul>

ben leinfelder (leinfelder@nceas.ucsb.edu), 2013-09-09T15:22:39Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20745
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>Well, for the first issue, you cannot expect a client certificate to work if you aren't using https. If the URL in the curl command is accurate, then that'd be your "no session" error.</p>
<p>For generating an identifier, we are not requiring that the person be logged in. You'll see in our implementation the following note:<br /><pre>
// TODO: reserve the identifier with the CN. We can only do this when
// 1) the MN is part of a CN cluster
// 2) the request is from an authenticated user
</pre></p>
<p>I think it is not unusual for someone to be doing work locally (say in Morpho) and requesting identifiers from the MN when they are not logged in yet (packaging up stuff before saving to the network) or when their MN is not actually a MN in a CN cluster yet.<br />And since we don't do any MN-side identifier reservations, I don't see a compelling reason to force them to authenticate before generating an identifier. EZID will give us a unique DOI each time it is called -- essentially a reservation -- so I've been assuming we can rely on that. If we'd like to clear out old minted IDs that are not fully registered after X days, I think we could do that as well.</p>

ben leinfelder (leinfelder@nceas.ucsb.edu), 2013-09-09T22:11:28Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20748
<p>I should also mention that you should not call publish() on the KNB until Metacat 2.1.1 is installed since there is a somewhat severe bug fixed by that patch release. See <a class="external" href="https://projects.ecoinformatics.org/ecoinfo/issues/6057">https://projects.ecoinformatics.org/ecoinfo/issues/6057</a></p>

Matt Jones (jones@nceas.ucsb.edu), 2013-09-16T21:34:14Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20789
<p>Part of the issue was not running under SSL. Fixing that, the correct update() command would be:</p>
<pre>
# curl -X PUT -E /var/metacat/certs/urn_node_KNB.pem -F "pid=solson.11.5" -F "object=@eml.xml" -F "newPid=doi:10.5063/F1WD3XHP" -F "sysmeta=@sysmeta-fo.xml" https://knb.ecoinformatics.org/knb/d1/mn/v1/object
<?xml version="1.0" encoding="UTF-8"?>
<error detailCode="1310" errorCode="500" name="ServiceFailure">
<description>Error inserting or updating document: &lt;?xml version="1.0"?&gt;&lt;error&gt;User CN=urn:node:KNB,DC=dataone,DC=org does not have permission to update XML Document #solson.11.5&lt;/error&gt;</description>
</error>
</pre>
<p>which generates a permission error from Metacat, showing that the node cert is not being allowed to undertake the requested function. Need to fix this for update() to work as the node administrator. In general, we need the DataONE API and the Metacat API to allow the same ops by the same users, and they should include the administrators defined through both the node cert and the administrators list.</p>
<p>Regarding the mint() operation, I do not think it should be possible to mint() without authenticating.</p>

ben leinfelder (leinfelder@nceas.ucsb.edu), 2013-09-16T22:49:24Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20790
<p>Added the dataone.subject to the list of metacat admins. This identity will enjoy the perks of being an admin when accessing the system via the DataONE API using the Node's client certificate.</p>

ben leinfelder (leinfelder@nceas.ucsb.edu), 2013-09-16T23:34:23Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20791
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul><p>Now requiring authentication (session) to generate an identifier. Not reserving it with the CN at this point.</p>

ben leinfelder (leinfelder@nceas.ucsb.edu), 2013-10-02T16:46:32Z, https://projects.ecoinformatics.org/ecoinfo/issues/6086?journal_id=20836
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul>
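
<p>Added example, not Metacat or DataONE code: a Java sketch of the authorization rule this thread settles on, where the node certificate's subject counts as an administrator alongside the administrators list and generating an identifier requires an authenticated session. The class and method names, and every sample DN other than the node subject quoted above, are hypothetical.</p>

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper for illustration; not part of Metacat or DataONE.
public class NodeAuthz {
    private final Set<String> admins = new HashSet<>();

    // adminDns: the configured administrators list; nodeSubject: subject DN of the node certificate.
    public NodeAuthz(List<String> adminDns, String nodeSubject) {
        for (String dn : adminDns) addAdmin(dn);
        addAdmin(nodeSubject);
    }

    private void addAdmin(String dn) {
        String c = canonical(dn);
        if (c == null) throw new IllegalArgumentException("bad admin DN: " + dn); // fail loudly on bad config
        admins.add(c);
    }

    // Canonical DN string, so keyword case and spacing differences do not defeat the match.
    // Returns null for a missing, empty or unparseable subject; callers treat that as "no session".
    static String canonical(String dn) {
        if (dn == null || dn.trim().isEmpty()) return null;
        try {
            return new X500Principal(dn).getName(X500Principal.CANONICAL);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public boolean isAdmin(String sessionSubject) {
        String s = canonical(sessionSubject);
        return s != null && admins.contains(s);
    }

    // Generating an identifier requires an authenticated session, administrator or not.
    public boolean mayGenerateIdentifier(String sessionSubject) {
        return canonical(sessionSubject) != null;
    }

    // Update is allowed for the object's owner (assumed ownership model) or any administrator.
    public boolean mayUpdate(String sessionSubject, String ownerDn) {
        String s = canonical(sessionSubject);
        return s != null && (admins.contains(s) || s.equals(canonical(ownerDn)));
    }

    public static void main(String[] args) {
        // Constructed sample DNs; only the node subject comes from the thread.
        NodeAuthz authz = new NodeAuthz(List.of("uid=admin,o=example,dc=example,dc=org"),
                                        "CN=urn:node:KNB,DC=dataone,DC=org");
        String owner = "uid=owner,o=example,dc=example,dc=org";
        System.out.println(authz.mayUpdate("cn=urn:node:KNB, dc=dataone, dc=org", owner)); // node cert as admin
        System.out.println(authz.mayUpdate(null, owner));      // no TLS client cert, no session: denied
        System.out.println(authz.mayGenerateIdentifier(null)); // anonymous identifier request: denied
    }
}
```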