Bug 739205

Summary: Aviary getJobData method requires different permissions than FetchJobData in QMF
Product: Red Hat Enterprise MRG Reporter: Trevor McKay <tmckay>
Component: condor-aviaryAssignee: Pete MacKinnon <pmackinn>
Status: CLOSED ERRATA QA Contact: Lubos Trilety <ltrilety>
Severity: medium Docs Contact:
Priority: medium    
Version: DevelopmentCC: jneedle, ltrilety, matt, tstclair
Target Milestone: 2.1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: condor-7.6.4-0.6 Doc Type: Bug Fix
Doc Text:
When attempting to retrieve the contents of a file using the Aviary getJobData() function, a permission error occurred and the user was unable to finish the operation through the Aviary API even though it was possible to do via QMF (Qpid Management Framework). With this update, the getJobData() code has been modified to adjust file permissions earlier, and users can now retrieve files both through QMF and Aviary interfaces.
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-23 17:29:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 743350    

Description Trevor McKay 2011-09-16 19:18:47 UTC
Description of problem:

The Aviary getJobData method seems to require group execute permission on directories in order for it to return data.  Otherwise, it returns permission denied errors.

In contrast, the corresponding QMF method will work with permissions restricted to the owner.

Version-Release number of selected component (if applicable):


How reproducible:

100%

Steps to Reproduce:
1. Submit a job with output, error, and log paths (I set output, error, and log paths with full paths)
2. Restrict directory permissions to owner 
3. Try get file data through Aviary getJobData calls (I used cumin), it should fail
4. Set group execute permission on the directory
5.  Get data again, it should succeed this time.

Repeat using QMF, operation should succeed with restricted permissions.

Actual results:

as above  

Expected results:

Aviary should show the same behavior as QMF.

Additional info:

From operations on a job "sheep" on a VM with output, error, and log set accordingly.

# ls -ltrd /home/tmckay/
drwx------ 24 tmckay tmckay 4096 Sep 16 14:29 /home/tmckay/
# ls -ltrd /home/tmckay/sheep.*
-rw------- 1 tmckay tmckay   0 Sep 16 14:29 /home/tmckay/sheep.output
-rw------- 1 tmckay tmckay   0 Sep 16 14:29 /home/tmckay/sheep.error
-rw------- 1 tmckay tmckay 153 Sep 16 14:34 /home/tmckay/sheep.log

Operations throgh Cumin with QMF succeed.

Stop Cumin, restart using Aviary, same ops fail with errno 13.

# chmod g+x /home/tmckay

Now Operations succeed.

Comment 2 Pete MacKinnon 2011-10-04 20:52:42 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
Fix: Code modified to adjust file permissions earlier in getJobData implementation.
Result: User can retrieve file through QMF and Aviary interface.

Comment 3 Jeff Needle 2011-10-31 21:21:41 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
+Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
Fix: Code modified to adjust file permissions earlier in getJobData implementation.
Result: User can retrieve file through QMF and Aviary interface.-Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
-Fix: Code modified to adjust file permissions earlier in getJobData implementation.
-Result: User can retrieve file through QMF and Aviary interface.

Comment 5 Lubos Trilety 2011-11-01 09:50:38 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,4 @@
-Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
Fix: Code modified to adjust file permissions earlier in getJobData implementation.
Result: User can retrieve file through QMF and Aviary interface.+Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
+Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
+Fix: Code modified to adjust file permissions earlier in getJobData implementation.
+Result: User can retrieve file through QMF and Aviary interface.

Comment 6 Lubos Trilety 2011-11-01 16:32:48 UTC
Successfully reproduced with:
$CondorVersion: 7.6.3 Jul 27 2011 BuildID: RH-7.6.3-0.3.el5 $
$CondorPlatform: X86_64-RedHat_5.6 $

Not accessible using aviary if there is no group execute permission.

Comment 7 Lubos Trilety 2011-11-02 10:37:30 UTC
Tested on:
$CondorVersion: 7.6.5 Oct 31 2011 BuildID: RH-7.6.5-0.5.el5 $
$CondorPlatform: I686-RedHat_5.7 $

$CondorVersion: 7.6.5 Oct 31 2011 BuildID: RH-7.6.5-0.5.el5 $
$CondorPlatform: X86_64-RedHat_5.7 $

$CondorVersion: 7.6.5 Oct 31 2011 BuildID: RH-7.6.5-0.5.el6 $
$CondorPlatform: I686-RedHat_6.1 $

$CondorVersion: 7.6.5 Oct 31 2011 BuildID: RH-7.6.5-0.5.el6 $
$CondorPlatform: X86_64-RedHat_6.1 $

Files are accessible using aviary without group execute permission on directory.

>>> VERIFIED

Comment 9 Tomas Capek 2011-11-16 14:20:28 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-Cause: Permission error when attempting to retrieve the contents of a file using Aviary getJobData operation. 
+When attempting to retrieve the contents of a file using the Aviary getJobData() function, a permission error occurred and the user was unable to finish the operation through the Aviary API even though it was possible to do via QMF (Qpid Management Framework). With this update, the getJobData() code has been modified to adjust file permissions earlier, and users can now retrieve files both through QMF and Aviary interfaces.-Consequence: User is unable to retrieve file through Aviary API whereby similar QMF version works.
-Fix: Code modified to adjust file permissions earlier in getJobData implementation.
-Result: User can retrieve file through QMF and Aviary interface.

Comment 10 errata-xmlrpc 2012-01-23 17:29:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0045.html