Ladon Response: DefaultDeny:true

Just installed pydio cells (docker image pydio/cells:2.1.1), uploaded a lot of data, and now I cannot access the application:

2020-09-23T20:36:11.305Z ERROR pydio.rest.frontend Ladon blocked POST request at /frontend/session. Ladon Response: DefaultDeny:true

The following is my docker-compose file services section:

services:
  cells:
    container_name: pydio
    image: pydio/cells:2.1.1
    restart: on-failure:5
    volumes:
      - ./data:/var/cells/data
      - ./cellsdir:/var/cells
      - /etc/timezone:/etc/timezone:ro
      - ./ssl/server.pem:/root/ssl/ssl.cert
      - ./ssl/server.key:/root/ssl/ssl.key
    networks:
      - back
    environment:
      - CELLS_BIND=
      - CELLS_EXTERNAL=https://
      - CELLS_NO_SSL=0
      - CELLS_SSL_CERT_FILE=/root/ssl/ssl.cert
      - CELLS_SSL_KEY_FILE=/root/ssl/ssl.key
    ports:
      - "8087:8087"
  db:
    container_name: pydio_db
    image: mariadb:10.3
    restart: on-failure:5
    security_opt:
      - no-new-privileges
    cap_drop:
      - NET_RAW
      - MKNOD
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=${MYSQL_DATABASE}
      - MYSQL_USER=${MYSQL_USER}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    command: [mysqld, --character-set-server=utf8mb4, --collation-server=utf8mb4_unicode_ci]
    volumes:
      - ./db-vol:/var/lib/mysql
      - /etc/timezone:/etc/timezone:ro
    networks:
      - back

I’ve noticed that others have posted this same issue numerous times but many responses seem to end with no follow up response from pydio.

How do I fix this issue and log back in without reinstalling?

Hello,
This response is basically an authentication problem, so it’s hard to tell. Can you give more details about the context? Do you reload the GUI? Do you see the Login form? When is this error exactly happening?

Yes, GUI is reloaded and the login form is visible.

It occurs after entering username/password and selecting ‘Enter.’ It occurs for admin and non-admin accounts.

Any update on this issue?

Yes, we have heard of this problem before but were not able to reproduce it in our docker test setups until now. We still suspect an issue with the communication with the DB.

Could you please give more details about the “when” it happens, I mean:

  • did it start as you were adding a lot of new files or rather randomly afterwards?
  • does restarting both containers solve the issue?

And

  • also how powerful is your server?
  • did you get other errors prior to the one you mentioned (that is rather a consequence than the root cause)?

did it start as you were adding a lot of new files or rather randomly afterwards?
The issue occurred after the server was restarted

does restarting both containers solve the issue?
No

also how powerful is your server?
8 core, 32 GB

did you get other errors prior to the one you mentioned (that is rather consequence than the root cause)?  
Not that I'm aware of

Again, here is the error: ‘2020-10-13T03:31:03.508Z ERROR pydio.rest.frontend Ladon blocked POST request at /frontend/session. Ladon Response: DefaultDeny:true’

Why is this occurring, i.e., what is Ladon, why is DefaultDeny set to ‘true’, and why is Ladon denying valid users, and how do I temporarily get past this issue, e.g., setting DefaultDeny to ‘false’?

Hello @alpha23

We have mounted a similar environment and had it run for a while without encountering your case. I have discussed this with my fellow devs and we are convinced you must have some other error when launching the cells service.

Could you please double check or, if you prefer, DM me your server logs. Thanks for your patience.

Thank you for your reply; however can you please answer some of my questions that should be known now? I.e.:

  1. What is Ladon?
  2. Why is DefaultDeny set to ‘true’?
  3. How do I temporarily get past this issue, e.g., setting DefaultDeny to ‘false’?

Also, in the initial post I provided the compose file. If there is not an issue with the compose file, there should not be an issue with the configuration. Please advise on if there is an issue with the compose file.

  • Ladon is the library that we use under the hood to manage security policy in the server (who can see what); more details on this here: https://pydio.com/en/docs/cells/v2/ed-security-policies (it is the same system in Home and ED, only that enterprise users can define and expand their own set of policies)
  • By default, nobody can see anything in the server.
  • Your error means that the system cannot retrieve any of the “instance” ACL:
    • you cannot simply workaround this issue (basic security concern)
    • it usually means you have a problem with your DB connection, but root cause might be something else

You told me you could, at least at the beginning, use seamlessly the system => I thus assume your config was OK.
Only way to solve your problem is to diagnose and fix the issue so that you can start again retrieving the ACL and thus have permission to access the files.
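
The fail-closed behaviour described in the reply above, as an added illustration that is not part of the thread and is not Ladon's or Cells' code: a simplified policy evaluator in Go (the `Policy` and `Decision` types and the `Evaluate` function are hypothetical) showing that when no policies can be loaded, every request, including an admin login, ends in a default deny.

```go
package main

import "fmt"

// Policy is a simplified stand-in for an access-control policy (not Ladon's real type).
type Policy struct {
	Subjects  []string // "*" matches any value
	Resources []string
	Actions   []string
	Allow     bool // false means an explicit deny
}

// Decision mirrors the two facts visible in the Cells log line (hypothetical type).
type Decision struct {
	Allowed     bool
	DefaultDeny bool // true when no policy matched at all
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == "*" || s == v {
			return true
		}
	}
	return false
}

// Evaluate is fail-closed: an explicit deny wins, and no match at all means deny.
func Evaluate(policies []Policy, subject, action, resource string) Decision {
	allowed, matched := false, false
	for _, p := range policies {
		if !contains(p.Subjects, subject) || !contains(p.Actions, action) || !contains(p.Resources, resource) {
			continue
		}
		matched = true
		if !p.Allow {
			return Decision{Allowed: false, DefaultDeny: false}
		}
		allowed = true
	}
	return Decision{Allowed: allowed, DefaultDeny: !matched}
}

func main() {
	// Constructed sample policy: anyone may POST to the login endpoint.
	loaded := []Policy{{Subjects: []string{"*"}, Resources: []string{"/frontend/session"}, Actions: []string{"POST"}, Allow: true}}
	fmt.Printf("policies loaded: %+v\n", Evaluate(loaded, "admin", "POST", "/frontend/session"))
	// Constructed failure case: the policy store returned nothing (e.g. DB unreachable).
	fmt.Printf("no policies:     %+v\n", Evaluate(nil, "admin", "POST", "/frontend/session"))
}
```

With an empty policy set the evaluator has nothing to match against, so the only way back to an allow decision is to restore policy retrieval.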

I’ve reinstalled the instance and re-added data. Still testing.

It may have been due to the fact that the database was on an NFS share. However, not having a way for users to recover from this is concerning.