Bug #7915
MN certificate can't modify the system metadata of an object which's authoritative member node is this mn
100%
Description
Chris reported this issue: the mn certificate can't modify the system metadata of an object and the authoritative member node is the mn:
metacat 20161018-11:10:19: [DEBUG]: D1NodeService.isCNAdmin. Is it a cn admin? false [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: The authoritative node for id df35j.26.13 is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: The node id in metacat.properties is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: They are matching [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [ERROR]: D1ResourceHandler: Serializing exception with code 401: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13 [edu.ucsb.nceas.metacat.restservice.D1ResourceHandler]
org.dataone.service.exceptions.NotAuthorized: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13
at edu.ucsb.nceas.metacat.dataone.MNodeService.updateSystemMetadata(MNodeService.java:2536)
at edu.ucsb.nceas.metacat.restservice.v2.MNResourceHandler.updateSystemMetadata(MNResourceHandler.java:1679)
at edu.ucsb.nceas.metacat.restservice.v2.MNResourceHandler.handle(MNResourceHandler.java:271)
at edu.ucsb.nceas.metacat.restservice.D1RestServlet.doPut(D1RestServlet.java:102)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:649)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at edu.ucsb.nceas.metacat.restservice.D1URLFilter.doFilter(D1URLFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
And the system metadata shows:
evos=> select authoritive_member_node from systemmetadata where guid='df35j.26.13';
authoritive_member_node
urn:node:GOA
(1 row)
History
#1 Updated by Jing Tao about 8 years ago
- Subject changed from MN certificate can't modify the system metadata of an object with the authoritative member node being this mn to MN certificate can't modify the system metadata of an object which's authoritative member node is this mn
#2 Updated by Ben Leinfelder about 8 years ago
Wasn't this fixed already?
#3 Updated by Jing Tao about 8 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
It was fixed in Metacat 2.6.0. Since the Metacat version is 2.5.1, we can see the issue.
I added a test method to make sure all users (cn, mn, owner and another user) have the correct behavior.
Please see this ticket https://projects.ecoinformatics.org/ecoinfo/issues/7018
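A triage sketch for the log pattern in this ticket, added here as an example and not part of Metacat or the original report: it flags a 401 on updateSystemMetadata only when the denied client's CN equals both the local node id and the object's authoritative member node, which is the combination the ticket describes for Metacat 2.5.1. The function names are hypothetical; the sample lines are copied from the log above and trimmed to the ones the check needs.

```python
import re

# Log lines copied from the ticket above, trimmed to those the check needs.
SAMPLE_LOG = """\
metacat 20161018-11:10:19: [DEBUG]: The authoritative node for id df35j.26.13 is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: The node id in metacat.properties is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [ERROR]: D1ResourceHandler: Serializing exception with code 401: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13 [edu.ucsb.nceas.metacat.restservice.D1ResourceHandler]
"""

AUTH_NODE = re.compile(r"The authoritative node for id (\S+) is (\S+)")
LOCAL_NODE = re.compile(r"The node id in metacat\.properties is (\S+)")
# The message runs the subject straight into "is" with no space, so match
# lazily up to "is not authorized".
DENIED = re.compile(r"The client -(.+?)\s*is not authorized for updating the "
                    r"system metadata of the object (\S+)")


def subject_node_id(subject):
    """Return the CN of a certificate subject (e.g. 'urn:node:GOA'), or None."""
    m = re.match(r"CN=([^,]+)", subject.strip(), re.IGNORECASE)
    return m.group(1) if m else None


def find_wrongly_denied(log_text):
    """Return [(pid, node)] for denials where the caller is the local, authoritative MN."""
    auth_nodes = {}     # pid -> authoritative member node reported in the log
    local_node = None   # node id the server read from metacat.properties
    findings = []
    for line in log_text.splitlines():
        if m := AUTH_NODE.search(line):
            auth_nodes[m.group(1)] = m.group(2)
        elif m := LOCAL_NODE.search(line):
            local_node = m.group(1)
        # Only the [ERROR] line counts; the stack trace repeats the message.
        elif "[ERROR]" in line and (m := DENIED.search(line)):
            client, pid = subject_node_id(m.group(1)), m.group(2)
            if client and client == local_node == auth_nodes.get(pid):
                findings.append((pid, client))
    return findings


if __name__ == "__main__":
    for pid, node in find_wrongly_denied(SAMPLE_LOG):
        print(f"{pid}: authoritative MN {node} was denied updateSystemMetadata")
```

A denial for any other client subject is left unflagged, since refusing a non-authoritative caller is the expected outcome.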