Problem with Globus guest collections after upgrade from v4 to v5.4

This is mostly copy/pasted from the Globus support ticket:

We are having problems with guest collections after migrating our Globus endpoints from v4 to v5.4.

We have two Globus endpoints in our org. One for on-campus transfers (9c8c88c2-ea4a-11e6-b9ba-22000b9a448b) and another for off-campus (7167cb38-9f78-11e6-b0dd-22000b92c261).

A user reported that their collection is inaccessible (7d45c509-c6c4-486c-a391-68c4b3d782e3) See screenshot1.jpg

Here are the details of the error:

Command Failed: Error (login)
Endpoint: mpd (d6053f26-f9e6-11eb-ab67-d195c983855c)
Server: g-1ab2ed.9ad93.a567.data.globus.org:443
Message: Login Failed
---
Details: 530-Login incorrect. : Mapping collection to specified ID failed.
530-GlobusError: v=1 c=LOGIN_DENIED
530-GridFTP-Message: The collection 7d45c509-c6c4-486c-a391-68c4b3d782e3 does not exist.
530-GridFTP-JSON-Result: {
"DATA_TYPE": "result#1.0.0",
"code": "not_found",
"detail": "[]",
"has_next_page": false,
"http_response_code": 404,
"message": "The collection 7d45c509-c6c4-486c-a391-68c4b3d782e3 does not exist."
}
530 End.

Also from the user:

I think this is the associated config file for my collection. Its confusing though since this uuid matches the mpd endpoint id but not the collection id. I don't have a file that matches the collect uuid.
[jpr@login004 ~]$ cat .globus/sharing/share-d6053f27-f9e6-11eb-ab67-d195c983855c
#
# This file is required in order to enable GridFTP file sharing.
# If you remove this file, file sharing will no longer work.
#

share_path "/home/jpr/projects/recsys-challenge-2018/mpd"

Also also from the user:

This is what i see in the gcs.log on dtn1-sd when I try to edit my collection attributes.
2022-08-05T16:03:30-0500 request_id=Wwe3HDma7 method=OPTIONS path=/api/collections/d6053f26-f9e6-11eb-ab67-d195c983855c status_code=200 client_address=71.45.57.6 authorization=unauthenticated
2022-08-05T16:03:30-0500 request_id=1j6GcZl8Q method=GET path=/api/collections/d6053f26-f9e6-11eb-ab67-d195c983855c status_code=200 client_address=71.45.57.6 authorization=id:051ee563-cff2-4c7c-ad34-432f8066660c,username:jprorama@xsede.org,id:af00db5a-d274-11e5-bb25-ab9fac5699bc,username:jpr@globusid.org,id:af012862-d274-11e5-bb26-b74365427831,username:jpr@uab.edu code=success
2022-08-05T16:03:30-0500 request_id=hgB1sbI6k method=OPTIONS path=/api/collections/7167cb38-9f78-11e6-b0dd-22000b92c261 status_code=200 client_address=71.45.57.6 authorization=unauthenticated
2022-08-05T16:03:31-0500 request_id=NC5DvfQCi method=GET path=/api/collections/7167cb38-9f78-11e6-b0dd-22000b92c261 status_code=200 client_address=71.45.57.6 authorization=id:051ee563-cff2-4c7c-ad34-432f8066660c,username:jprorama@xsede.org,id:af00db5a-d274-11e5-bb25-ab9fac5699bc,username:jpr@globusid.org,id:af012862-d274-11e5-bb26-b74365427831,username:jpr@uab.edu code=success
2022-08-05T16:03:31-0500 request_id=TBQdmkPqT method=OPTIONS path=/api/storage_gateways/aa449466-79c3-497c-b21b-174d1e1cacd3 status_code=200 client_address=71.45.57.6 authorization=unauthenticated
2022-08-05T16:03:32-0500 Authorization results: endpoint_public:<IdentitySet ['051ee563-cff2-4c7c-ad34-432f8066660c', 'af00db5a-d274-11e5-bb25-ab9fac5699bc', 'af012862-d274-11e5-bb26-b74365427831'] []> endpoint_admin:False endpoint_role:<IdentitySet [] [<globus.manager.api.errors.authorization_errors.MissingRequiredRole object at 0x7f20be976e10>, <globus.manager.api.errors.authorization_errors.MissingRequiredRole object at 0x7f20bd7f6f98>, <globus.manager.api.errors.authorization_errors.MissingRequiredRole object at 0x7f20c47c7320>]> collection_role:<IdentitySet ['af00db5a-d274-11e5-bb25-ab9fac5699bc', 'af012862-d274-11e5-bb26-b74365427831'] []> acl:False
2022-08-05T16:03:32-0500 request_id=8mk9vPGUl method=GET path=/api/storage_gateways/aa449466-79c3-497c-b21b-174d1e1cacd3 status_code=200 client_address=71.45.57.6 authorization=id:051ee563-cff2-4c7c-ad34-432f8066660c,username:jprorama@xsede.org,id:af00db5a-d274-11e5-bb25-ab9fac5699bc,username:jpr@globusid.org,id:af012862-d274-11e5-bb26-b74365427831,username:jpr@uab.edu code=success
2022-08-05T16:03:33-0500 request_id=4dCjD022K method=POST path=/api/private/gridftp_login/7d45c509-c6c4-486c-a391-68c4b3d782e3 status_code=404 authorization=unauthenticated code=not_found

On the off-campus endpoint (where this collection was created), I see this in the output of the migrate4 command. I don't see an entry for this in the migration's guest_collections directory. Doing some spot checking, I do see an entry for the collections that seem to be working.

.Syncing roles on v5 guest collection 7d45c509-c6c4-486c-a391-68c4b3d782e3
..Creating v5 role for v4 role d6053f28-f9e6-11eb-ab67-d195c983855c
.Syncing ACLs on v5 guest collection 7d45c509-c6c4-486c-a391-68c4b3d782e3
..Creating v5 ACL for v4 ACL 969a28d8-f9eb-11eb-832c-f56dd2959cb8
Syncing v4 share d8e0400c-8928-11ec-8fde-dfc5b31adbac to v5 guest collection
.Syncing the user credential
..Creating the new user credential
.Creating the new v5 collection

I also see the same for other collections on the on-campus endpoint.

changed milestone to %Globus upgrade to v5.4

added Debugging label

assigned to @cmcclung

marked this issue as related to #8 (closed)

Globus support was able to resolve the issue on 08/09/22

Daniel Powers, Aug 9, 2022, 16:12 CDT: Hi Clyde,

I spoke to our devs, and this looks like it may have been due to a bug on our end which we believe has been corrected. Please have your user attempt to access the collection again and let us know if the issue had been corrected or if it persists. -Regards

Dan Powers

closed