Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Kris Buelens
I have some relatively vague memories that someone with SFS admin rights
could connect to SFS using different authorities concurrently.
Thinking a bit deeper: the FTP server uses this during an FTP PUT or GET
with SFS. I don't think it uses Diag D4 to start talking to SFS.

Kris Buelens,
 --- VM/VSE consultant, Belgium ---
---


On Thu, 14 Dec 2023 at 08:26, Rob van der Heij wrote:

> On Thu, 14 Dec 2023 at 05:40, Donald Russell wrote:
>
> >
> > Thanks Rob,
> > Since >SFS uses a private work unit by default, doesn’t that mean it gets a
> > new work unit before connecting to the sfs server? Diag d4 is done before
> > the pipe command, so I’m expecting the new connection to appear to initiate
> > from the altuser id.
> >
> >
>
> And that means you specify the file such that the nose driver knows to use
> >sfs and not go through the mini disk simulation on accessed SFS
> directories...
>
> >
> > Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> > does “PRIVATE” mean in this context?
> >
>
> It means >sfs allocates a work unit specifically for that file, so nothing
> else in the virtual machine observes the effect until the stage ends.
>
> I know CMS caches persistent IUCV connections to the SFS server. I don't
> recall playing with  D4 like this. I don't know whether CMS keeps track of
> the identity while the IUCV connection was established, and knows to expire
> that when things change.
> You normally do the D4 very early in the life of the virtual machine, so
> you can reason about the possible leakage of data between the  two
> identities. I know from experience that once you try to aggregate rights
> from different identities, things get very complicated. You could for
> example link to a disk as user A and then identify as B and link another
> disk. When you then run an application associated with A, you do that with
> the privilege of user B.
>
> Rob
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
Yes, I use >SFS explicitly and the directory is not currently accessed. I
rely on >SFS to write to the sfs file space without it being accessed.

The diag d4 is done just before the pipe command. It’s rather dynamic
because the userid is running a web server application that requires
authentication. The application uses diag d4 to set the altuser while that
bit of code runs then diag d4 again on exit to reset altuser.

I specify the file name, type and fully qualified sfs directory on the >SFS
stage.

It sounds like the driver is not getting a new work unit.  I could call the
CSL to  get a new one after diag D4, then specify default on the stage and
delete work unit after the pipe completes….



On Wed, Dec 13, 2023 at 23:26 Rob van der Heij  wrote:

> On Thu, 14 Dec 2023 at 05:40, Donald Russell wrote:
>
> >
> > Thanks Rob,
> > Since >SFS uses a private work unit by default, doesn’t that mean it gets a
> > new work unit before connecting to the sfs server? Diag d4 is done before
> > the pipe command, so I’m expecting the new connection to appear to initiate
> > from the altuser id.
> >
> >
>
> And that means you specify the file such that the nose driver knows to use
> >sfs and not go through the mini disk simulation on accessed SFS
> directories...
>
> >
> > Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> > does “PRIVATE” mean in this context?
> >
>
> It means >sfs allocates a work unit specifically for that file, so nothing
> else in the virtual machine observes the effect until the stage ends.
>
> I know CMS caches persistent IUCV connections to the SFS server. I don't
> recall playing with  D4 like this. I don't know whether CMS keeps track of
> the identity while the IUCV connection was established, and knows to expire
> that when things change.
> You normally do the D4 very early in the life of the virtual machine, so
> you can reason about the possible leakage of data between the  two
> identities. I know from experience that once you try to aggregate rights
> from different identities, things get very complicated. You could for
> example link to a disk as user A and then identify as B and link another
> disk. When you then run an application associated with A, you do that with
> the privilege of user B.
>
> Rob
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Rob van der Heij
On Thu, 14 Dec 2023 at 05:40, Donald Russell  wrote:

>
> Thanks Rob,
> Since >SFS uses a private work unit by default, doesn’t that mean it gets a
> new work unit before connecting to the sfs server? Diag d4 is done before
> the pipe command, so I’m expecting the new connection to appear to initiate
> from the altuser id.
>

And that means you specify the file such that the nose driver knows to use
>sfs and not go through the mini disk simulation on accessed SFS
directories...

>
> Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> does “PRIVATE” mean in this context?
>

It means >sfs allocates a work unit specifically for that file, so nothing
else in the virtual machine observes the effect until the stage ends.

I know CMS caches persistent IUCV connections to the SFS server. I don't
recall playing with  D4 like this. I don't know whether CMS keeps track of
the identity while the IUCV connection was established, and knows to expire
that when things change.
You normally do the D4 very early in the life of the virtual machine, so
you can reason about the possible leakage of data between the  two
identities. I know from experience that once you try to aggregate rights
from different identities, things get very complicated. You could for
example link to a disk as user A and then identify as B and link another
disk. When you then run an application associated with A, you do that with
the privilege of user B.

Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
On Wed, Dec 13, 2023 at 15:01 Rob van der Heij  wrote:

> On Wed, 13 Dec 2023 at 23:37, Alan Altmark wrote:
>
> > If you're going to play with the userid, you need to use workunits.  Once
> > your APPC connection to the SFS server is established, changing your userid
> > doesn't affect operations over the existing connection.  Workunits create
> > new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> > default workunit.
> >
>
> With CMS Pipelines you don't tweak the default work unit because for
> anything beyond trivial pipes, you don't know when files are created or
> changed. The SFS device driver has options to specify what workunit to use.
> By default, >sfs uses a private work unit.
>
> Rob



Thanks Rob,
Since >SFS uses a private work unit by default, doesn’t that mean it gets a
new work unit before connecting to the sfs server? Diag d4 is done before
the pipe command, so I’m expecting the new connection to appear to initiate
from the altuser id.

Am I misunderstanding what PIPE AHELP >SFS is telling me? What
does “PRIVATE” mean in this context?



Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
From reading PIPE AHELP >SFS there are work unit options that can be
specified as parameters to the stage. The default says “private” which says
it gets a new work unit at the start of the stage and deletes the work unit
at the end. That sounded like what I want so I did not specify PRIVATE
explicitly.

I can call those CSL routines if needed. I’ll tinker with it tomorrow.

Thanks,
Don

On Wed, Dec 13, 2023 at 14:37 Alan Altmark  wrote:

> If you're going to play with the userid, you need to use workunits.   Once
> your APPC connection to the SFS server is established, changing your userid
> doesn't affect operations over the existing connection.  Workunits create
> new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> default workunit.
>
> Regards,
> Alan
>
> Alan Altmark
> IBM Senior z/VM Engineer and Consultant
> 1 607 321 7556  (Mobile)
> alan_altm...@us.ibm.com
>
> > -Original Message-
> > From: CMSTSO Pipelines Discussion List 
> > On Behalf Of Donald Russell
> > Sent: Wednesday, December 13, 2023 4:13 PM
> > To: CMS-PIPELINES@VM.MARIST.EDU
> > Subject: [EXTERNAL] [CMS-PIPELINES] >SFS ERROR 1180
> >
> > A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
> > >SFS ….
> > tries to write to a space the alt user is authorized for, but the stage
> > fails with error 1180 Not authorized.
> >
> > Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE
> > MODULE PIPE … | Name type .FM V
> >
> > oddly the link worked but the write failed with fswrite error 1 Not
> > authorized.
> >
> > In each case the target file does not exist.
> >
> > I thought Diag D4 makes the id look like the specified id for accessing sfs
> > space etc.
> >
> > I verified the path exists etc.  what else should I be looking at?
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Rob van der Heij
On Wed, 13 Dec 2023 at 23:37, Alan Altmark  wrote:

> If you're going to play with the userid, you need to use workunits.   Once
> your APPC connection to the SFS server is established, changing your userid
> doesn't affect operations over the existing connection.  Workunits create
> new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> default workunit.
>

With CMS Pipelines you don't tweak the default work unit because for
anything beyond trivial pipes, you don't know when files are created or
changed. The SFS device driver has options to specify what workunit to use.
By default, >sfs uses a private work unit.

Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Alan Altmark
If you're going to play with the userid, you need to use workunits.   Once your 
APPC connection to the SFS server is established, changing your userid doesn't 
affect operations over the existing connection.  Workunits create new 
connections.  See DMSPUSWU and DMSPOPWU so that you can change the default 
workunit.

Regards,
Alan

Alan Altmark
IBM Senior z/VM Engineer and Consultant
1 607 321 7556  (Mobile)
alan_altm...@us.ibm.com

> -Original Message-
> From: CMSTSO Pipelines Discussion List 
> On Behalf Of Donald Russell
> Sent: Wednesday, December 13, 2023 4:13 PM
> To: CMS-PIPELINES@VM.MARIST.EDU
> Subject: [EXTERNAL] [CMS-PIPELINES] >SFS ERROR 1180
> 
> A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
> >SFS ….
> tries to write to a space the alt user is authorized for, but the stage fails
> with error 1180 Not authorized.
> 
> Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE
> MODULE PIPE … | Name type .FM V
> 
> oddly the link worked but the write failed with fswrite error 1 Not 
> authorized.
> 
> In each case the target file does not exist.
> 
> I thought Diag D4 makes the id look like the specified id for accessing sfs
> space etc.
> 
> I verified the path exists etc.  what else should I be looking at?


[CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
>SFS ….
tries to write to a space the alt user is authorized for, but the stage
fails with error 1180 Not authorized.

Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE MODULE
PIPE … | Name type .FM V

oddly the link worked but the write failed with fswrite error 1 Not
authorized.

In each case the target file does not exist.

I thought Diag D4 makes the id look like the specified id for accessing sfs
space etc.

I verified the path exists etc.  what else should I be looking at?