Bug #7915

MN certificate can't modify the system metadata of an object which's authoritative member node is this mn

Added by Jing Tao over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 2016-10-18
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:

Description

Chris reported this issue: the MN certificate can't modify the system metadata of an object, and the authoritative member node is the MN:
metacat 20161018-11:10:19: [DEBUG]: D1NodeService.isCNAdmin. Is it a cn admin? false [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: The authoritative node for id df35j.26.13 is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: The node id in metacat.properties is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: They are matching [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Comparing uid=heller,o=unaffiliated,dc=ecoinformatics,dc=org against public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: authenticatedUser [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: CN=urn:node:GOA,DC=dataone,DC=org [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [DEBUG]: Checking allow access rule for subject: public [edu.ucsb.nceas.metacat.dataone.D1NodeService]
metacat 20161018-11:10:19: [ERROR]: D1ResourceHandler: Serializing exception with code 401: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13 [edu.ucsb.nceas.metacat.restservice.D1ResourceHandler]
org.dataone.service.exceptions.NotAuthorized: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13
at edu.ucsb.nceas.metacat.dataone.MNodeService.updateSystemMetadata(MNodeService.java:2536)
at edu.ucsb.nceas.metacat.restservice.v2.MNResourceHandler.updateSystemMetadata(MNResourceHandler.java:1679)
at edu.ucsb.nceas.metacat.restservice.v2.MNResourceHandler.handle(MNResourceHandler.java:271)
at edu.ucsb.nceas.metacat.restservice.D1RestServlet.doPut(D1RestServlet.java:102)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:649)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at edu.ucsb.nceas.metacat.restservice.D1URLFilter.doFilter(D1URLFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

And the system metadata shows:
evos=> select authoritive_member_node from systemmetadata where guid='df35j.26.13';
 authoritive_member_node
-------------------------
 urn:node:GOA
(1 row)
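
An added example, not Metacat code and not part of the original report: a log check an operator could run to see whether a node shows the pattern in the log above, that is, a 401 on a system metadata update where the denied client's certificate CN equals both the object's authoritative node and the node id in metacat.properties. The function names and regular expressions are assumptions written against the message formats quoted in this ticket.

```python
import re

# Sample input: four of the log lines quoted in this ticket.
SAMPLE_LOG = """\
metacat 20161018-11:10:19: [DEBUG]: The authoritative node for id df35j.26.13 is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: The node id in metacat.properties is urn:node:GOA [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [DEBUG]: They are matching [edu.ucsb.nceas.metacat.dataone.MNodeService]
metacat 20161018-11:10:19: [ERROR]: D1ResourceHandler: Serializing exception with code 401: The client -CN=urn:node:GOA,DC=dataone,DC=orgis not authorized for updating the system metadata of the object df35j.26.13 [edu.ucsb.nceas.metacat.restservice.D1ResourceHandler]
"""

AUTH_NODE = re.compile(r"The authoritative node for id (\S+) is (\S+)")
LOCAL_NODE = re.compile(r"The node id in metacat\.properties is (\S+)")
# The message runs the DN straight into "is" with no space, so match lazily.
DENIED = re.compile(r"code 401: The client -(.+?)is not authorized for updating "
                    r"the system metadata of the object (\S+)")


def subject_node_id(dn):
    """Return the CN value of a DN such as CN=urn:node:GOA,DC=dataone,DC=org."""
    m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None


def find_self_denials(log_text):
    """Flag 401s where the denied client is this node and is authoritative for the object."""
    authoritative = {}   # pid -> authoritative member node seen in the log
    local_node = None    # node id reported from metacat.properties
    findings = []
    for line in log_text.splitlines():
        if m := AUTH_NODE.search(line):
            authoritative[m.group(1)] = m.group(2)
        elif m := LOCAL_NODE.search(line):
            local_node = m.group(1)
        elif m := DENIED.search(line):
            dn, pid = m.group(1), m.group(2)
            node = subject_node_id(dn)
            # All three must agree: client CN, authoritative node, local node id.
            if node and node == authoritative.get(pid) == local_node:
                findings.append({"pid": pid, "client": dn, "node": node})
    return findings


if __name__ == "__main__":
    for finding in find_self_denials(SAMPLE_LOG):
        print(finding)
```

A 401 for any other client subject, or for an object whose authoritative node differs from the local node id, is not flagged.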

History

#1 Updated by Jing Tao over 3 years ago

  • Subject changed from MN certificate can't modify the system metadata of an object with the authoritative member node being this mn to MN certificate can't modify the system metadata of an object which's authoritative member node is this mn

#2 Updated by Ben Leinfelder over 3 years ago

Wasn't this fixed already?

#3 Updated by Jing Tao over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

It was fixed in Metacat 2.6.0. Since the Metacat version is 2.5.1, we can see the issue.
I added a test method to make sure all users (cn, mn, owner and another user) have the correct behavior.
Please see this ticket: https://projects.ecoinformatics.org/ecoinfo/issues/7018
