Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Donald Russell
Thanks Alan,

I solved it this way… made the web server id an admin of the sfs pool,
DMSGETWU, use other CSL routines to check the user auth, pass the work
unit number to >SFS and finally DMSRETWU when I’m done.

If I don’t do my own auth checking I assume >SFS stage will get an error.
But the error and reason code won’t be exposed, preventing me from
responding with suitable detail.



On Thu, Dec 14, 2023 at 21:49 Alan Altmark  wrote:

> When you CD to an SFS directory, the FTP server obtains a workunit
> (DMSGETWU).  Then, with each subsequent FTP operation you perform, it
> pushes your workunit onto the stack via DMSPUSWU, does what you ask, then
> pops it back off with DMSPOPWU.
>
> Some things it does via command and some things it does via CSL routine.
> The CSL routines are always provided the workunit id.  The FTP server does
> not do any authorization checking.  The SFS server does that based on the
> ID associated with the workunit.
>
> In any case, if you're going to depend on the alternate userid, you have
> to set it before you do ANY SFS functions.  If QUERY IUCV shows you already
> have a connection to the SFS server, you need to purge the workunits or
> re-IPL CMS.  If you use the admin workunit functions of SFS, you can avoid
> worrying about when, exactly, an APPC connection is established.  (APPC is
> an IUCV-like connection, but it has different semantics.)
>
> Alan
>
> Alan Altmark
> IBM Senior z/VM Engineer and Consultant
> 1 607 321 7556  (Mobile)
> alan_altm...@us.ibm.com
>
> > -Original Message-
> > From: CMSTSO Pipelines Discussion List 
> > On Behalf Of Rob van der Heij
> > Sent: Thursday, December 14, 2023 4:30 AM
> > To: CMS-PIPELINES@VM.MARIST.EDU
> > Subject: [EXTERNAL] Re: [CMS-PIPELINES] >SFS ERROR 1180
> >
> > On Thu, 14 Dec 2023 at 08:45, Kris Buelens 
> wrote:
> >
> > > I have some relatively vague memories that someone with SFS admin
> > > rights could connect to SFS using different authorities concurrently.
> > > Thinking a bit deeper: the FTP server uses this during an FTP PUT or
> > > GET with SFS. I don't think it uses Diag D4 to start talking to SFS.
> > >
> >
> > Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
> > believe it's just restraining itself and checking SFS grants to restrict
> the user.
> >
> > Rob
>
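
The sequence described in this message (DMSGETWU for the logged-in user, >SFS on that work unit, DMSRETWU when done), written out in REXX. This is an added example, not code from the thread: the EXEC name, argument layout and input file are hypothetical, and the parameter lists shown (DMSGETWU's optional user ID, the WORKUNIT operand of >SFS) are assumptions to check against the CSL reference and PIPE AHELP >SFS.

```rexx
/* SFSPUT EXEC (hypothetical name): write a file into SFS on behalf  */
/* of an authenticated web user, using a work unit obtained for that */
/* user instead of Diag D4.                                          */
/* Assumes this virtual machine is enrolled as an administrator of   */
/* the file pool, which DMSGETWU requires when a user ID is given.   */
parse upper arg webuser fn ft dirid .
if dirid = '' then do
  say 'Usage: SFSPUT userid fn ft dirid'
  exit 24
end

userid = left(webuser, 8)      /* assumed: 8-character user ID field */
wuid   = 0

/* Get a work unit that the SFS server associates with the web user. */
call csl 'DMSGETWU retcode reascode wuid userid'
if retcode <> 0 then do
  say 'DMSGETWU failed for' webuser 'rc='retcode 'reason='reascode
  exit retcode
end

/* From here on the work unit is returned on every exit path.        */
signal on halt   name cleanup
signal on syntax name cleanup
piperc = 99                    /* reported if the pipe never ran     */

/* Pass the work unit number to >SFS; the SFS server authorizes the  */
/* write against the user ID associated with that work unit.         */
/* INPUT DATA A is a constructed sample source file.                 */
'PIPE < INPUT DATA A | >SFS' fn ft dirid 'WORKUNIT' wuid
piperc = rc
if piperc <> 0 then
  say '>SFS failed for' webuser 'on' dirid 'rc='piperc

cleanup:
/* Return the work unit so a later request for a different user      */
/* cannot run on it.                                                 */
call csl 'DMSRETWU retcode reascode wuid'
if retcode <> 0 then
  say 'DMSRETWU failed rc='retcode 'reason='reascode
exit piperc
```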


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Alan Altmark
When you CD to an SFS directory, the FTP server obtains a workunit (DMSGETWU).  
Then, with each subsequent FTP operation you perform, it pushes your workunit 
onto the stack via DMSPUSWU, does what you ask, then pops it back off with 
DMSPOPWU.

Some things it does via command and some things it does via CSL routine.  The 
CSL routines are always provided the workunit id.  The FTP server does not do 
any authorization checking.  The SFS server does that based on the ID 
associated with the workunit.

In any case, if you're going to depend on the alternate userid, you have to set 
it before you do ANY SFS functions.  If QUERY IUCV shows you already have a 
connection to the SFS server, you need to purge the workunits or re-IPL CMS.  
If you use the admin workunit functions of SFS, you can avoid worrying about 
when, exactly, an APPC connection is established.  (APPC is an IUCV-like
connection, but it has different semantics.)

Alan

Alan Altmark
IBM Senior z/VM Engineer and Consultant
1 607 321 7556  (Mobile)
alan_altm...@us.ibm.com

> -Original Message-
> From: CMSTSO Pipelines Discussion List 
> On Behalf Of Rob van der Heij
> Sent: Thursday, December 14, 2023 4:30 AM
> To: CMS-PIPELINES@VM.MARIST.EDU
> Subject: [EXTERNAL] Re: [CMS-PIPELINES] >SFS ERROR 1180
> 
> On Thu, 14 Dec 2023 at 08:45, Kris Buelens  wrote:
> 
> > I have some relatively vague memories that someone with SFS admin
> > rights could connect to SFS using different authorities concurrently.
> > Thinking a bit deeper: the FTP server uses this during an FTP PUT or
> > GET with SFS. I don't think it uses Diag D4 to start talking to SFS.
> >
> 
> Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
> believe it's just restraining itself and checking SFS grants to restrict the 
> user.
> 
> Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Donald Russell
In our case the web server does depend on SFS.  The entire document tree is
sfs as well as the web server code itself.

The >SFS stage accepts a work unit number…. So I looked at DMSGETWU. It
clearly states the issuing id must be an SFS administrator to specify the
userid to act as.

So, I’m going to try that and see if >SFS using a private WU will solve
my problem.  If not, I’ll call DMSGETWU and do all the associated auth
checking myself.  That may provide a better web user experience anyway
because I can call DMSEXDIR and so on and return more useful error messages
beyond “error n writing to sfs”.


On Thu, Dec 14, 2023 at 07:05 Kris Buelens  wrote:

> If the webserver does not depend on accessed SFS directories you could also
> consider using DMSPURWU to break all connections with SFS before you issue
> Diag D4, then >SFS will connect with the alternate userid, and after Diag
> D4 reset, issue DMSPURWU again.
> I'll send you my SFSDISC EXEC
>
> Kris Buelens,
>  --- VM/VSE consultant, Belgium ---
> ---
>
>
> Op do 14 dec 2023 om 15:40 schreef Donald Russell :
>
> > Is making the web servers sfs admins the correct solution? I can do that
> > and “query auth” to limit access as needed.
> >
> > The application will still use diag d4 to influence cp link and the spool
> > orig id when it sends files to other users.  (This application links to
> > other mdisks and I need that to be based on the user who logged into the
> > web server, and it sends files to other users. I want those to show they
> > came from the user that logged in instead of the web server itself.)
> >
> > That part all works fine, just the sfs part was causing me a bit of
> > grief.
> > Now I have a solution.
> >
> > Thank you.
> >
> > On Thu, Dec 14, 2023 at 01:30 Rob van der Heij 
> wrote:
> >
> > > On Thu, 14 Dec 2023 at 08:45, Kris Buelens 
> > wrote:
> > >
> > > > I have some relatively vague memories that someone with SFS admin
> > rights
> > > > could connect to SFS using different authorities concurrently.
> > > > Thinking a bit deeper: the FTP server uses this during an FTP PUT or
> > GET
> > > > with SFS. I don't think it uses Diag D4 to start talking to SFS.
> > > >
> > >
> > > Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
> > > believe it's just restraining itself and checking SFS grants to
> restrict
> > > the user.
> > >
> > > Rob
> > >
> >
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Kris Buelens
If the webserver does not depend on accessed SFS directories you could also
consider using DMSPURWU to break all connections with SFS before you issue
Diag D4, then >SFS will connect with the alternate userid, and after Diag
D4 reset, issue DMSPURWU again.
I'll send you my SFSDISC EXEC

Kris Buelens,
 --- VM/VSE consultant, Belgium ---
---


Op do 14 dec 2023 om 15:40 schreef Donald Russell :

> Is making the web servers sfs admins the correct solution? I can do that
> and “query auth” to limit access as needed.
>
> The application will still use diag d4 to influence cp link and the spool
> orig id when it sends files to other users.  (This application links to other
> mdisks and I need that to be based on the user who logged into the web
> server, and it sends files to other users. I want those to show they came
> from the user that logged in instead of the web server itself.)
>
> That part all works fine, just the sfs part was causing me a bit of grief.
> Now I have a solution.
>
> Thank you.
>
> On Thu, Dec 14, 2023 at 01:30 Rob van der Heij  wrote:
>
> > On Thu, 14 Dec 2023 at 08:45, Kris Buelens 
> wrote:
> >
> > > I have some relatively vague memories that someone with SFS admin
> rights
> > > could connect to SFS using different authorities concurrently.
> > > Thinking a bit deeper: the FTP server uses this during an FTP PUT or
> GET
> > > with SFS. I don't think it uses Diag D4 to start talking to SFS.
> > >
> >
> > Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
> > believe it's just restraining itself and checking SFS grants to restrict
> > the user.
> >
> > Rob
> >
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Donald Russell
Is making the web servers sfs admins the correct solution? I can do that
and “query auth” to limit access as needed.

The application will still use diag d4 to influence cp link and the spool
orig id when it sends files to other users.  (This application links to other
mdisks and I need that to be based on the user who logged into the web
server, and it sends files to other users. I want those to show they came
from the user that logged in instead of the web server itself.)

That part all works fine, just the sfs part was causing me a bit of grief.
Now I have a solution.

Thank you.

On Thu, Dec 14, 2023 at 01:30 Rob van der Heij  wrote:

> On Thu, 14 Dec 2023 at 08:45, Kris Buelens  wrote:
>
> > I have some relatively vague memories that someone with SFS admin rights
> > could connect to SFS using different authorities concurrently.
> > Thinking a bit deeper: the FTP server uses this during an FTP PUT or GET
> > with SFS. I don't think it uses Diag D4 to start talking to SFS.
> >
>
> Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
> believe it's just restraining itself and checking SFS grants to restrict
> the user.
>
> Rob
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-14 Thread Rob van der Heij
On Thu, 14 Dec 2023 at 08:45, Kris Buelens  wrote:

> I have some relatively vague memories that someone with SFS admin rights
> could connect to SFS using different authorities concurrently.
> Thinking a bit deeper: the FTP server uses this during an FTP PUT or GET
> with SFS. I don't think it uses Diag D4 to start talking to SFS.
>

Correct. You must enroll FTPSERVE as ADMIN to FTP to SFS directories. I
believe it's just restraining itself and checking SFS grants to restrict
the user.

Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Kris Buelens
I have some relatively vague memories that someone with SFS admin rights
could connect to SFS using different authorities concurrently.
Thinking a bit deeper: the FTP server uses this during an FTP PUT or GET
with SFS. I don't think it uses Diag D4 to start talking to SFS.

Kris Buelens,
 --- VM/VSE consultant, Belgium ---
---


Op do 14 dec 2023 om 08:26 schreef Rob van der Heij :

> On Thu, 14 Dec 2023 at 05:40, Donald Russell 
> wrote:
>
> >
> > Thanks Rob,
> > Since >SFS uses a private work unit by default, doesn’t that mean it
> gets a
> > new work unit before connecting to the sfs server? Diag d4 is done before
> > the pipe command, so I’m expecting the new connection to appear to
> initiate
> > from the altuser id.
> >
>
> And that means you specify the file such that the nose driver knows to use
> >sfs and not go through the mini disk simulation on accessed SFS
> directories...
>
> >
> > Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> > does “PRIVATE” mean in this context?
> >
>
> It means >sfs allocates a work unit specifically for that file, so nothing
> else in the virtual machine observes the effect until the stage ends.
>
> I know CMS caches persistent IUCV connections to the SFS server. I don't
> recall playing with  D4 like this. I don't know whether CMS keeps track of
> the identity while the IUCV connection was established, and knows to expire
> that when things change.
> You normally do the D4 very early in the life of the virtual machine, so
> you can reason about the possible leakage of data between the  two
> identities. I know from experience that once you try to aggregate rights
> from different identities, things get very complicated. You could for
> example link to a disk as user A and then identify as B and link another
> disk. When you then run an application associated with A, you do that with
> the privilege of user B.
>
> Rob
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
Yes, I use >SFS explicitly and the directory is not currently accessed. I
rely on >SFS to write to the sfs file space without it being accessed.

The diag d4 is done just before the pipe command. It’s rather dynamic
because the userid is running a web server application that requires
authentication. The application uses diag d4 to set the altuser while that
bit of code runs then diag d4 again on exit to reset altuser.

I specify the file name, type and fully qualified sfs directory on the >SFS
stage.

It sounds like the driver is not getting a new work unit.  I could call the
CSL to get a new one after diag D4, then specify default on the stage and
delete work unit after the pipe completes….



On Wed, Dec 13, 2023 at 23:26 Rob van der Heij  wrote:

> On Thu, 14 Dec 2023 at 05:40, Donald Russell 
> wrote:
>
> >
> > Thanks Rob,
> > Since >SFS uses a private work unit by default, doesn’t that mean it
> gets a
> > new work unit before connecting to the sfs server? Diag d4 is done before
> > the pipe command, so I’m expecting the new connection to appear to
> initiate
> > from the altuser id.
> >
>
> And that means you specify the file such that the nose driver knows to use
> >sfs and not go through the mini disk simulation on accessed SFS
> directories...
>
> >
> > Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> > does “PRIVATE” mean in this context?
> >
>
> It means >sfs allocates a work unit specifically for that file, so nothing
> else in the virtual machine observes the effect until the stage ends.
>
> I know CMS caches persistent IUCV connections to the SFS server. I don't
> recall playing with  D4 like this. I don't know whether CMS keeps track of
> the identity while the IUCV connection was established, and knows to expire
> that when things change.
> You normally do the D4 very early in the life of the virtual machine, so
> you can reason about the possible leakage of data between the  two
> identities. I know from experience that once you try to aggregate rights
> from different identities, things get very complicated. You could for
> example link to a disk as user A and then identify as B and link another
> disk. When you then run an application associated with A, you do that with
> the privilege of user B.
>
> Rob
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Rob van der Heij
On Thu, 14 Dec 2023 at 05:40, Donald Russell  wrote:

>
> Thanks Rob,
> Since >SFS uses a private work unit by default, doesn’t that mean it gets a
> new work unit before connecting to the sfs server? Diag d4 is done before
> the pipe command, so I’m expecting the new connection to appear to initiate
> from the altuser id.
>

And that means you specify the file such that the nose driver knows to use
>sfs and not go through the mini disk simulation on accessed SFS
directories...

>
> Am I misunderstanding what PIPE AHELP >SFS is telling me? What
> does “PRIVATE” mean in this context?
>

It means >sfs allocates a work unit specifically for that file, so nothing
else in the virtual machine observes the effect until the stage ends.

I know CMS caches persistent IUCV connections to the SFS server. I don't
recall playing with  D4 like this. I don't know whether CMS keeps track of
the identity while the IUCV connection was established, and knows to expire
that when things change.
You normally do the D4 very early in the life of the virtual machine, so
you can reason about the possible leakage of data between the  two
identities. I know from experience that once you try to aggregate rights
from different identities, things get very complicated. You could for
example link to a disk as user A and then identify as B and link another
disk. When you then run an application associated with A, you do that with
the privilege of user B.

Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
On Wed, Dec 13, 2023 at 15:01 Rob van der Heij  wrote:

> On Wed, 13 Dec 2023 at 23:37, Alan Altmark 
> wrote:
>
> > If you're going to play with the userid, you need to use workunits.
>  Once
> > your APPC connection to the SFS server is established, changing your
> userid
> > doesn't affect operations over the existing connection.  Workunits create
> > new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> > default workunit.
> >
>
> With CMS Pipelines you don't tweak the default work unit because for
> anything beyond trivial pipes, you don't know when files are created or
> changed. The SFS device driver has options to specify what workunit to use.
> By default, >sfs uses a private work unit.
>
> Rob



Thanks Rob,
Since >SFS uses a private work unit by default, doesn’t that mean it gets a
new work unit before connecting to the sfs server? Diag d4 is done before
the pipe command, so I’m expecting the new connection to appear to initiate
from the altuser id.

Am I misunderstanding what PIPE AHELP >SFS is telling me? What
does “PRIVATE” mean in this context?

>
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
From reading PIPE AHELP >SFS there are work unit options that can be
specified as parameters to the stage. The default says “private” which says
it gets a new work unit at the start of the stage and deletes the work unit
at the end. That sounded like what I want so I did not specify PRIVATE
explicitly.

I can call those CSL routines if needed. I’ll tinker with it tomorrow.

Thanks,
Don

On Wed, Dec 13, 2023 at 14:37 Alan Altmark  wrote:

> If you're going to play with the userid, you need to use workunits.   Once
> your APPC connection to the SFS server is established, changing your userid
> doesn't affect operations over the existing connection.  Workunits create
> new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> default workunit.
>
> Regards,
> Alan
>
> Alan Altmark
> IBM Senior z/VM Engineer and Consultant
> 1 607 321 7556  (Mobile)
> alan_altm...@us.ibm.com
>
> > -Original Message-
> > From: CMSTSO Pipelines Discussion List 
> > On Behalf Of Donald Russell
> > Sent: Wednesday, December 13, 2023 4:13 PM
> > To: CMS-PIPELINES@VM.MARIST.EDU
> > Subject: [EXTERNAL] [CMS-PIPELINES] >SFS ERROR 1180
> >
> > A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
> > >SFS ….
> > tries to write to a space the alt user is authorized for, but the stage
> fails with
> > error 1180 Not authorized.
> >
> > Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE
> > MODULE PIPE … | Name type .FM V
> >
> > oddly the link worked but the write failed with fswrite error 1 Not
> authorized.
> >
> > In each case the target file does not exist.
> >
> > I thought Diag D4 makes the id look like the specified id for accessing
> sfs
> > space etc.
> >
> > I verified the path exists etc.  what else should I be looking at?
>


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Rob van der Heij
On Wed, 13 Dec 2023 at 23:37, Alan Altmark  wrote:

> If you're going to play with the userid, you need to use workunits.   Once
> your APPC connection to the SFS server is established, changing your userid
> doesn't affect operations over the existing connection.  Workunits create
> new connections.  See DMSPUSWU and DMSPOPWU so that you can change the
> default workunit.
>

With CMS Pipelines you don't tweak the default work unit because for
anything beyond trivial pipes, you don't know when files are created or
changed. The SFS device driver has options to specify what workunit to use.
By default, >sfs uses a private work unit.

Rob


Re: [CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Alan Altmark
If you're going to play with the userid, you need to use workunits.   Once your 
APPC connection to the SFS server is established, changing your userid doesn't 
affect operations over the existing connection.  Workunits create new 
connections.  See DMSPUSWU and DMSPOPWU so that you can change the default 
workunit.

Regards,
Alan

Alan Altmark
IBM Senior z/VM Engineer and Consultant
1 607 321 7556  (Mobile)
alan_altm...@us.ibm.com

> -Original Message-
> From: CMSTSO Pipelines Discussion List 
> On Behalf Of Donald Russell
> Sent: Wednesday, December 13, 2023 4:13 PM
> To: CMS-PIPELINES@VM.MARIST.EDU
> Subject: [EXTERNAL] [CMS-PIPELINES] >SFS ERROR 1180
> 
> A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
> >SFS ….
> tries to write to a space the alt user is authorized for, but the stage fails 
> with
> error 1180 Not authorized.
> 
> Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE
> MODULE PIPE … | Name type .FM V
> 
> oddly the link worked but the write failed with fswrite error 1 Not 
> authorized.
> 
> In each case the target file does not exist.
> 
> I thought Diag D4 makes the id look like the specified id for accessing sfs
> space etc.
> 
> I verified the path exists etc.  what else should I be looking at?


[CMS-PIPELINES] >SFS ERROR 1180

2023-12-13 Thread Donald Russell
A userid has its ALTUSER set to a different id.  (Diag D4) Then a pipe … |
>SFS ….
tries to write to a space the alt user is authorized for, but the stage
fails with error 1180 Not authorized.

Instead of >SFS, I also tried VMLINK .DIR … ( WRITE NONAME INVOKE MODULE
PIPE … | Name type .FM V

oddly the link worked but the write failed with fswrite error 1 Not
authorized.

In each case the target file does not exist.

I thought Diag D4 makes the id look like the specified id for accessing sfs
space etc.

I verified the path exists etc.  what else should I be looking at?