Difficulty Configuring Writeability in IMA

Started by tmcgill, December 30, 2019, 11:28:28 PM


tmcgill

I'm very pleased to see the addition of write-back capabilities to IMatch Anywhere, and I've installed a trial version of IMA specifically to try this out (I already own an older version of IMA). I'm not getting it to work, however. Would love to see a setup guide that directly discussed FileLens in more depth. In any case, here's what I'm running into:

1. Installing IMA gets me a working web viewer in which I can browse the database. But attempting to save changes to any photo in the database (e.g., rating or category) gives me a "something went wrong" error. Depending on the situation, sometimes I get more detail (403, database is read-only, or a json fragment: {"code": 1504, "message": "Database is read-only."}).

-Log files (Windows and IMATCH_WEBSERVICE_LOG.TXT) seem to have no mention of the attempted save incident, although perhaps I'm not looking in the right place.

-imwsconfig.xml says: <read-only>false</read-only>

-config.json says: "enableFileLens" : true,

-The database is a copy of my IMatch database, and IMatch is not running at the time. If I do open the same database in IMatch, though, it can be written to.

-I even tried giving the LOCAL SERVICE Windows user full control of the folder containing the database, but to no avail.

I couldn't find anything else in the help file or other documentation that seemed to be necessary to enable saving changes to the database. I thought of two things that maybe could have an impact: user authentication, or perhaps some additional weirdness regarding the LOCAL SERVICE user. So:

2) I turned on user authentication, thinking that because the permissions allowed for that do specifically turn on options for saving metadata, categories, and other data, maybe user authentication needed to be on to use those features. But creating an IMA user and group, and giving it permission to write everything, changed nothing except now requiring a login to use the web viewer.

3) I thought maybe the local service account was limited and could not do logged-in-user-type things and that maybe filelens needed using a different service user. This created a whole different problem-- IMWS wouldn't run at all. Created a new Windows user for this purpose:
-User has full control over the IMatch Anywhere folder (including the document root folder, config, etc.)
-User has full control over the database folder
-User has "Act as part of the operating system" and "Log on as a service" rights, as documented in the help file.
-User has "Allow log on locally" rights, as documented in a post somewhere on this forum.

Nonetheless, I get a service would not start error. "The service did not respond to the start or control request in a timely fashion. [1053]" Oddly, I get this near-instantly, so there is not a timeout happening. The database is on the PC's internal SSD, also.

Also, BTW, once I fill in a service username and try to use it, I can't go back to the local service user by clearing out the user and password-- I have to clear them out and then uninstall and reinstall IMA. (Or change it using the Windows services app, but then the IMatch WebService Controller seems to lose the ability to change it.)

In any case, I'm not sure what else I should be looking at for either problem (writing to the database, or using a separate service account). Would love some help on this. Thanks.

Mario

That's a lot of info...

Did you make the database writable in the web service controller options? That's the typical culprit. Users don't disable the read-only mode, which overrides everything else. Details are in the IMA documentation.

tmcgill

I wish it were so simple a solution. The WebService Controller configuration has "read-only" unchecked, and on its main UI window shows "Read-only: No".

There are two weird things happening, and I don't know if they are related. The first, and more problematic, is that I can't make the database writable no matter what I seem to do.

The second is that I can't start the service at all if I change the user under which it runs.

I have no clues at all on either problem at this point. I've even tried turning on Windows security auditing to catch failed attempts to access things, and I see nothing. Given that the page I get upon failure winds up being "Something went wrong :-( Click or tap here to log in again." I think the web viewer application is actually crashing, but I'm not entirely sure.

Here's the only lead I have, but it isn't meaningful to me. Hopefully it is to you: in the service log file, I see two lines referencing the phrase "read-only". One is included in the below log file excerpt:

01.03 20:01:46+    0 [24F4] 02  I>    Waiting for metabase...
01.03 20:01:48+ 1531 [0BB4] 01  W>  Tag not found: Composite\ShutterSpeed\ShutterSpeed  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\Aperture\Aperture  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\GPSPosition\GPSPosition  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\City\City  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\State\State  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\Country\Country  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag not found: Composite\Location\Location  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(3885)'
01.03 20:01:48+   16 [0BB4] 01  W>  Tag 'Composite\Copyright\Copyright' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\Description\Description' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\CreateDate\CreateDate' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\DateTimeOriginal\DateTimeOriginal' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\ModifyDate\ModifyDate' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\GPSDateTime\GPSDateTime' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\ShutterSpeed\ShutterSpeed' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+    0 [0BB4] 01  W>  Tag 'Composite\Orientation\Orientation' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+   31 [0BB4] 01  W>  Tag 'Composite\Keywords\Keywords' not found in metabase.  'v:\develop\imatch5\src\imengine\ptmetabase2.cpp(4045)'
01.03 20:01:48+   47 [0BB4] 02  I>      Metabase: 380 unsafe tags for write-back loaded.
01.03 20:01:53+ 5000 [0BB4] 00  S>  #STS#: "metabase.loadtime" 0 0 0.00 "6641ms"
01.03 20:01:53+    0 [24F4] 02  I>  WSA: 101 54
01.03 20:01:53+    0 [24F4] 00  M>   >  2 CIMEngine5::ProcessMachineConfig  'v:\develop\imatch5\src\imengine\imengine5.cpp(3996)'
01.03 20:01:53+    0 [24F4] 02  I>       DB-PORTA: Cannot process portability options. Database is read-only.
01.03 20:01:53+    0 [24F4] 01  W>   <<ENGINE PANIC>>: major:80 minor:201 d1:0 d2:0 s1:'' s2:''  'v:\develop\imatch5\src\imengine\imengine5.cpp(1158)'
01.03 20:01:53+    0 [24F4] 00  M>   <  2 CIMEngine5::ProcessMachineConfig
01.03 20:01:53+    0 [24F4] 02  I>    Checking ET version
01.03 20:01:53+    0 [24F4] 02  I>  WSA: 101 57


If that isn't enough to go on, let me know if there's some other piece of info I can dig out of logs or an experiment I can try. Thanks.
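
The mismatch described in the post above (the controller and imwsconfig.xml say read-only is off, while the engine log says the database is read-only) can be checked mechanically. The PowerShell below is an added example, not part of the original post and not IMatch code; the log lines are copied from the excerpt above, the `<imws>` root element of the config fragment is a hypothetical stand-in, and the names given to the log columns are an assumed reading of the format.

```powershell
# Added example (not IMatch code): compare the configured read-only flag with
# what the engine log reports when it opens the database.

# Constructed input: four lines copied from the log excerpt in the post.
$logLines = @'
01.03 20:01:48+   47 [0BB4] 02  I>      Metabase: 380 unsafe tags for write-back loaded.
01.03 20:01:53+    0 [24F4] 02  I>       DB-PORTA: Cannot process portability options. Database is read-only.
01.03 20:01:53+    0 [24F4] 01  W>   <<ENGINE PANIC>>: major:80 minor:201 d1:0 d2:0 s1:'' s2:''  'v:\develop\imatch5\src\imengine\imengine5.cpp(1158)'
01.03 20:01:53+    0 [24F4] 02  I>    Checking ET version
'@ -split "`r?`n"

# Constructed config fragment. Only <read-only> comes from the post; the
# <imws> root element is a hypothetical stand-in.
[xml]$config = '<imws><read-only>false</read-only></imws>'
$configuredReadOnly = [System.Convert]::ToBoolean(
    $config.SelectSingleNode('//read-only').InnerText)

# Assumed column meaning: date, time, a delta, thread id, numeric level,
# one-letter class, message, and an optional quoted source location.
$linePattern = '^(?<date>\d\d\.\d\d) (?<time>\d\d:\d\d:\d\d)\+\s*(?<delta>\d+) ' +
               '\[(?<thread>[0-9A-F]{4})\] (?<level>\d\d)\s+(?<class>[A-Z])>\s+' +
               '(?<message>.*?)(?:\s+''(?<source>[^'']+\(\d+\))'')?$'

function ConvertFrom-EngineLogLine {
    param([string]$Line)
    if ($Line -match $linePattern) {
        [pscustomobject]@{
            Time    = "$($Matches.date) $($Matches.time)"
            Thread  = $Matches.thread
            Class   = $Matches.class
            Message = $Matches.message
            Source  = $Matches.source   # $null when the line has no source location
        }
    }
}

function Get-ReadOnlyFinding {
    param([string[]]$Lines, [bool]$ConfiguredReadOnly)
    # Keep only the lines that bear on the open mode of the database.
    $hits = $Lines | ForEach-Object { ConvertFrom-EngineLogLine $_ } |
        Where-Object { $_.Message -match 'Database is read-only|ENGINE PANIC' }
    $engineReadOnly = [bool]($hits |
        Where-Object { $_.Message -match 'Database is read-only' })
    [pscustomobject]@{
        ConfiguredReadOnly = $ConfiguredReadOnly
        EngineSaysReadOnly = $engineReadOnly
        Mismatch           = ($engineReadOnly -and -not $ConfiguredReadOnly)
        Evidence           = $hits
    }
}

$finding = Get-ReadOnlyFinding -Lines $logLines -ConfiguredReadOnly $configuredReadOnly
$finding.Evidence | Format-Table Time, Thread, Class, Message -Wrap | Out-Host
if ($finding.Mismatch) {
    Write-Warning ('Config says read-only=false but the engine opened the database ' +
                   'read-only; the cause lies outside the config file.')
}
```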

Mario

Please always attach the full ZIPped log file. Most of the important data is not shown in your excerpt. And dumping a lot of text like this into a post is bad for the search engine and other users.

When IMWS tries to run the portability options, it fails because the database is read-only.
Since you did not attach the full log file, I don't know why.
Do you use a TRIAL version of IMatch Anywhere perhaps? Trial versions open all databases older than 30 days in read-only mode.
Is the database on a read-only medium or a network location to which IMWS has no write-access?
The database should be on a local hard disk!

You cannot just use any arbitrary user to run a Windows service like IMWS. Windows requires that the user has the "log on as a service" privilege, for example. This also depends on whether you use a local user account or if your computer is part of a domain (e.g. in a company network).
Why do you want to change the user account IMWS uses by default?
Do you have files from a NAS or server in your database and IMWS cannot access them otherwise?


tmcgill

On problem 1 (can't write to database): Oh, man. I knew there was a 30-day limitation on use of the software itself, but did not see the database age restriction. Of course, the first thing I did is probably the first thing anyone would do- made a copy of a real working database for me to test out in IMA, which promptly failed to work because, well, obviously that would be over 30 days old. I'm sure this is for the purpose of discouraging trial use to really be trial use, but in this case the trial almost convinced me that I wasn't going to be able to do what I needed. I wonder if there is a way (assuming you're really sure this restriction on database age truly needs to be there) on the WebService Controller to indicate that this has happened. It happily tells me on its status screen "Read-only: No", even though it has launched the database read-only. Maybe it should be able to recognize when opening in read/write mode has failed and tell the user so (and give a reason). At least now thankfully I've gotten a fresh test database to work and I know it's usable and worth getting the license.

On problem 2 (can't run as other user): The original reason I was trying to change the user account was because of problem 1 above. I thought perhaps there was something wrong in the permissions the default service user had in accessing files to write back to them, and thought I'd explore setting up another user with known permissions and eliminate that theory. But that ran me into this other problem. As I discussed in the original post:

  • User has full control over the IMatch Anywhere folder (including the document root folder, config, etc.)
  • User has full control over the database folder
  • User has "Act as part of the operating system" and "Log on as a service" rights, as documented in the help file.
  • User has "Allow log on locally" rights, as documented in a post somewhere on this forum.

Yet I get an (instantaneous) error trying to start the server, saying the service did not respond to the start or control request in a timely fashion. This is a far lower priority issue for me now, since my main use case right now for IMA does not require me to customize the service user, just to get read/write access working. I'll probably ultimately need a second license for a separate server installation, though, and there may be some reason at that point to do so, depending on how my file access is set up when I rebuild the server in question.

Thanks for your help. I do have another, less drastic difficulty I've run across, but I'll start a separate bug report thread for that.

Mario

I understand that your problem is solved?

All IMatch test versions open databases older than 30 days in read-only mode.
This is clearly indicated and documented. This has not changed since IMatch 3.

tmcgill

Correct, the main difficulty I was inquiring about here is no longer a problem. Thanks for pointing me at the answer.

The secondary problem (inability to run service under another user) is not presently a problem for me, but at least you may want to treat it as a heads-up that the rights needed by a service user may not in fact be sufficiently documented.

And I'd say it would be wise for the controller application, when opening a database read-only, to tell the user that it is doing so. It presently shows "Read-only: no" even if something like this forces a read-only mode.

But my only pressing issue at the moment is no longer one of the things discussed here, but rather the bug or apparent bug I reported in another thread, where I can't modify labels on a mobile device.

Mario

As far as I recall, the controller displays a message box about the database being read-only.
And the Admin panel in IMWV also shows that.

But this is all not really designed to be used in a trial version in combination with a database created with a licensed version. That's just not a typical usage scenario.

Regarding Windows user privileges: Contact your IT department about details how you need to configure a user to run services in your environment. There are many factors to consider, from local access policies to corporate-wide group policies.

The Windows Event log holds details about the exact nature of the problem (e.g. more info about why Windows does not permit the user to start the service).

tmcgill

Hah, I am my IT department. But I am also a developer and have gotten plenty of other services up and running with specialized accounts in the past. So I'm surprised that this one is a struggle. I wasn't able to find event log info with any more detail than the same info that the service gives me upon failure, so I just hoped maybe there was some kind of knowledge on exactly what an alternate service user needs, since the documented needs don't seem to quite cover it. Assuming there isn't just something strange and quirky about my own setup.

Anyway, this isn't a priority for me given that it now is working without changing the user (acquiring a paid license took care of the problem I actually cared about). But you may want to file this away as a data point in case anyone else reports the same sort of service user issue, and be aware that the controller does not in fact update its display to indicate that the database it was trying to open as read/write actually got opened read-only.

And I'm a little surprised the "longtime licensed user of IMatch (who therefore has a database over 30 days old) evaluating IMatch Anywhere for purchase" situation is not considered a typical usage scenario for the trial version. I would have guessed most IMatch Anywhere trial versions were downloaded by existing IMatch users.

Mario

"Log on as a service" is usually all that's needed. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/log-on-as-a-service

Quote from: tmcgill on January 06, 2020, 05:42:49 PM
And I'm a little surprised the "longtime licensed user of IMatch (who therefore has a database over 30 days old) evaluating IMatch Anywhere for purchase" situation is not considered a typical usage scenario for the trial version. I would have guessed most IMatch Anywhere trial versions were downloaded by existing IMatch users.

I don't know. Zip support cases. I guess if a user who already has IMatch tries out IMA he tests the connection and browsing but not necessarily advanced features like the FileLens. From what I can tell, the FileLens is not used very often. IMWV is mostly used for browsing, searching, viewing and slide show, not for actually changing metadata. And only for the latter, the database must be writable and less than 30 days old (for the trial version).

David_H

Quote from: tmcgill on January 06, 2020, 05:42:49 PM
Hah, I am my IT department. But I am also a developer and have gotten plenty of other services up and running with specialized accounts in the past. So I'm surprised that this one is a struggle. I wasn't able to find event log info with any more detail than the same info that the service gives me upon failure, so I just hoped maybe there was some kind of knowledge on exactly what an alternate service user needs, since the documented needs don't seem to quite cover it. Assuming there isn't just something strange and quirky about my own setup.

If you are using a custom user to run IMA as, change the user in the 'Services.msc' first against the IMatch service; this will grant the appropriate permissions.
Check that wherever the DATABASE folder is, it is read/writable by this user (the database file needs to at least be readable, and IMA will create two other files in there (-shm and -wal)).
Check that the service files are at least readable by this user (they usually should be) - you'll have a problem starting it if the account isn't allowed to run the file....
Check that wherever the photos (or other indexed stuff) are, they are accessible by this user. Ensure you are using absolute paths rather than drive letters (consider setting an alias up for the service user to relocate the files; note that this will probably mean initial startup is a bit slower the first time, if you've copied the db from your usual user/pc). If this is on a NAS or other non-local machine, ensure the accounts will correctly let you access the files (e.g. username/password combination, managed group service account, etc.).
Check the firewall rules - both the Windows firewall and any external one you might be using. Note that the rule configured by the IMatch installer defaults to the PRIVATE scope (rather than DOMAIN or PUBLIC) and will change it if you upgrade.

Don't worry about the service not starting first time (you might need a restart though); it will eventually....

David
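
The checks listed in the post above, together with the "Log on as a service" right discussed earlier in the thread, collected into one script for an elevated PowerShell prompt. This is an added example, not part of the original post and not IMatch tooling; the service name, database folder and firewall rule name pattern are placeholders to replace with the values from your own install.

```powershell
# Added example (not IMatch tooling). Run from an elevated prompt.
# The three values below are placeholders; substitute those of your install.
$ErrorActionPreference = 'Stop'
$ServiceName = 'PLACEHOLDER_SERVICE_NAME'
$DatabaseDir = 'C:\PLACEHOLDER\DatabaseFolder'
$RulePattern = '*PLACEHOLDER_RULE_NAME*'

# 1. Account the service runs as, and the binary it starts.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$svc | Select-Object Name, State, StartMode, StartName, PathName | Format-List | Out-Host
# Handles a quoted path; an unquoted path containing spaces needs manual care.
$exePath = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split ' ')[0] }

# Resolve the account to a SID so comparisons do not depend on how the name
# is spelled. ".\user" is expanded to "<computer>\user" first.
$accountName = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = ([System.Security.Principal.NTAccount]$accountName).Translate(
    [System.Security.Principal.SecurityIdentifier])

# 2. ACL entries that name this SID directly. An empty result means any access
#    the account has comes through group membership, which is not expanded here.
function Get-AclEntryForSid {
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      AccessControlType, FileSystemRights, IsInherited
}
# The database folder needs write access (the -shm and -wal files are created
# there); the service binary only needs to be readable and executable.
@($DatabaseDir, $exePath) |
    ForEach-Object { Get-AclEntryForSid -Path $_ -Sid $sid } |
    Format-Table -AutoSize -Wrap | Out-Host

# 3. "Log on as a service" (SeServiceLogonRight) as exported by secedit.
#    Holders are listed as *SID; a right held through a group is not expanded.
$tmp = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $tmp -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
Remove-Item -LiteralPath $tmp
$holders = if ($line) {
    $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim() }
} else { @() }
[pscustomobject]@{
    Account               = $accountName
    Sid                   = $sid.Value
    HasLogOnAsServiceRight = ($holders -contains "*$($sid.Value)")
} | Format-List | Out-Host

# 4. Firewall: which profiles the rule applies to, next to the category of the
#    networks the machine is currently connected to.
Get-NetFirewallRule -DisplayName $RulePattern -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize | Out-Host
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize | Out-Host
```

A rule limited to the Private profile does not apply on an interface whose NetworkCategory is Public or DomainAuthenticated, which is the situation the last check makes visible.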

Mario

Thanks for helping.

There are indeed many things which can go wrong, especially when Windows file system permissions and access privileges are involved.
Usually the built-in "local service" user works well, unless there are files on remote systems indexed by the database.
IMA and the WebViewer have checks for that and inform the user that a dedicated user account with access to the remote server/NAS is needed.

Although IMA and IMWV can be used by individuals, the main market (and the majority of users) comes from the small business and institutional world.
Hence my comment about "ask your IT department" above. In corporate networks there may be many things which need to be considered when setting up a user to run a specific service. For normal Windows 10 HOME/PRO installs, the "log on as a service" is usually sufficient. Provided that this user has write privileges as you outlined.

This was a case of using a trial version with a database older than 30 days, which cannot work. I might add some special tests, message boxes and documentation for this particular case if it shows up in support often in the future.

Jingo

Quote from: Mario on January 06, 2020, 06:33:09 PM
Although IMA and IMWV can be used by individuals, the main market (and the majority of users) comes from the small business and institutional world.

I believe this is most likely true... but I think there is great potential for IMA if the product were a bit more "accessible" to the average user.  I love IMA and use it with my family and friends all the time on my living room TV to show off recent trips in the comfort of a 55" TV and couches/chairs...  beats crowding around my PC!   

Mario

Quote
were a bit more "accessible" to the average user.

In which aspect?

Installation / Configuration?
The installation works out-of-the box in 90% of all use cases - except when files from a server/NAS are indexed by the database.

WebViewer?
...?

Jingo

Quote from: Mario on January 07, 2020, 08:54:09 AM
Quote
were a bit more "accessible" to the average user.

In which aspect?

Installation / Configuration?
The installation works out-of-the box in 90% of all use cases - except when files from a server/NAS are indexed by the database.

WebViewer?
...?

I think IMA as a product WITHIN the network works great once you have things set up and configured... so long as you toggle the service on/off manually after use, things run smoothly on a shared database and I can update keywords, etc. from the comfort of my couch! However, things get complex when trying to use IMA OUTSIDE your network... I misunderstood this initially because it seemed like you could access your database "Anywhere" (i.e. IMatch Anywhere). I now realize that lots of other setup (like a VPN tunnel) is needed to make this happen - but if I'm already requiring someone to VPN to the network, I could instead just use remote software like SplashTop/TeamViewer to access my PC directly. I thought the website access might work a bit like Calibre... you set up a server via the software (automated) which allows database access through any web browser (via port forwarding)... perhaps not totally secure - but what is these days? IMA would be much simpler for the average person to set up remote access if this were an option in the software. Big Corps don't need to worry about this because they will provide access via Cisco VPN...

Just my thoughts.... as mentioned, I use IMA all the time from within the network and think it is totally great and only limited by my network speeds.


Mario

Quote
so long as you toggle the service on/off manually after use,...

Don't use the same database for both 'live' IMatch and IMWS. Use one of the standard publishing scenarios explained in the docs. This way you can use IMWS and IMatch at the same time.

Quote
I misunderstood this initially because it seemed like you could access your database "Any...

If you run IMWS on a PC in your network and you make this PC accessible from the Internet (so the computer running IMWS can be reached) it works exactly like that.
Fire up your device anywhere in the world, connect to your PC at home in your browser and use IMWS. Very easy. Very dangerous.

This is not a technical issue with IMWS, it's a security issue.

If you open your network to the Internet, bad people will try to break into your network, take over your PCs and other devices and use them for whatever purpose.
Your router and PC run firewalls for good reasons. To allow you to access things on the Internet, but to prevent things on the Internet from accessing your PC. Real bad things can happen.

Hence the use of a tunnel to allow you to access your PC securely.  Or a secured server running somewhere in the cloud and which you can wipe and re-setup. Or running IMWS behind a firewall and reverse proxy.

Quote
Calibre...

The Calibre docs say:

Check that your firewall/anti-virus is allowing connections to your computer on the port 8080 and to the calibre program.


Which is hazardous. Opening a port and also disabling your anti-virus so it does not block access attempts from the Internet to your PC is just dangerous and stupid.
Yes. It will work. But it also opens your PC and your entire home network to attacks from the Internet.
If you don't care you can do the same to make IMWS accessible from all over the world.

tmcgill

Quote from: Mario on January 07, 2020, 06:37:38 PM
Quote
so long as you toggle the service on/off manually after use,...

Don't use the same database for both 'live' IMatch and IMWS. Use one of the standard publishing scenarios explained in the docs. This way you can use IMWS and IMatch at the same time.

The usage Jingo described included updating keywords and other things in the database. One-way publishing by copying the IMatch database won't work in that case; you have to use the same actual database, or your changes will never make it back into IMatch.

Mario

Right. If you use the WebViewer to actually change the database, a publishing workflow will only work when you use the live database.

Jingo

Quote from: Mario on January 07, 2020, 07:10:11 PM
Right. If you use the WebViewer to actually change the database, a publishing workflow will only work when you use the live database.

Exactly - so using the Filelens option to update metadata from IMA means using a single database which is what I do.. not an issue since I am the only one that uses IMatch on my system.. but it still means starting and stopping the service..  not an issue but something to remember.


Mario

IMatch will tell you when the database is locked. And when it detects IMWS it will tell you too.
Both applications of course need exclusive and full control over the database so you can open the database only in one application at a time. Else bad things will happen.