Uploading video directly to series fails

[mpmuc84]

This might not strictly be a Tobira issue, but since this happens only when uploading videos via Tobira, and not via Opencast, I would like to start here.

In our configuration we have lock_acl_to_series activated, i.e. videos should have the same rights as the associated series, users cannot edit permissions for videos associated with series.

When a non-admin user tries to upload a video and directly associate it with a series, the upload fails with an HTTP 500 error from Opencast. Tobira shows the following error message:

Corresponding Opencast log

2025-10-15T08:43:45,060 | INFO  | (IngestServiceImpl:663) - Created mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:43:45,408 | INFO  | (IngestServiceImpl:762) - Start adding track b38c387a-db2b-48b6-9749-af311ffbb128 from input stream on mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:43:45,763 | INFO  | (IngestServiceImpl:1784) - Adding element of type Track to mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:43:45,764 | DEBUG | (IngestServiceImpl:774) - Adding tag `` to element b38c387a-db2b-48b6-9749-af311ffbb128
2025-10-15T08:43:45,764 | INFO  | (IngestServiceImpl:780) - Successful added track b38c387a-db2b-48b6-9749-af311ffbb128 on mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c at URL https://admin.opencast.example.org/files/mediapackage/504db934-e1aa-4ed2-a65d-38cf851da84c/b38c387a-db2b-48b6-9749-af311ffbb128/myvideo.mp4
2025-10-15T08:44:00,268 | INFO  | (IngestServiceImpl:1052) - Start adding catalog d6d7bbe4-3f9c-4e35-807d-ccef7518a013 from input stream on mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:44:00,317 | INFO  | (IngestServiceImpl:1784) - Adding element of type Catalog to mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:44:00,317 | INFO  | (IngestServiceImpl:1087) - Successful added catalog d6d7bbe4-3f9c-4e35-807d-ccef7518a013 on mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c at URL https://admin.opencast.example.org/files/mediapackage/504db934-e1aa-4ed2-a65d-38cf851da84c/d6d7bbe4-3f9c-4e35-807d-ccef7518a013/dublincore.xml
2025-10-15T08:44:00,658 | INFO  | (IngestServiceImpl:1258) - Starting a new workflow with ingested mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c based on workflow definition 'tobira-upload'
2025-10-15T08:44:00,658 | INFO  | (IngestServiceImpl:1649) - Ingested mediapackage 504db934-e1aa-4ed2-a65d-38cf851da84c is processed using workflow template 'tobira-upload', specified during ingest
2025-10-15T08:44:00,659 | INFO  | (IngestServiceImpl:1439) - No capture event found for id 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:44:00,659 | DEBUG | (IngestServiceImpl:1446) - Merge workflow properties with the one from the scheduler event 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:44:00,661 | DEBUG | (IngestServiceImpl:1474) - No scheduler mediapackage found with id 504db934-e1aa-4ed2-a65d-38cf851da84c, skip merging
2025-10-15T08:44:00,661 | DEBUG | (IngestServiceImpl:2086) - No series name provided
2025-10-15T08:44:00,661 | INFO  | (IngestServiceImpl:1281) - Starting new workflow with ingested mediapackage '504db934-e1aa-4ed2-a65d-38cf851da84c' using the specified template 'tobira-upload'
2025-10-15T08:44:00,667 | INFO  | (AssetManagerImpl:1378) - Creating new version 0 of media package 504db934-e1aa-4ed2-a65d-38cf851da84c
2025-10-15T08:44:00,742 | INFO  | (AssetManagerImpl:459) - Trigger update handlers for snapshot 504db934-e1aa-4ed2-a65d-38cf851da84c, version 0
2025-10-15T08:44:00,746 | WARN  | (IngestRestService:1253) - Unable to ingest mediapackage
java.lang.IllegalStateException: org.opencastproject.security.api.UnauthorizedException: Not allowed to set property on episode 504db934-e1aa-4ed2-a65d-38cf851da84c
        at org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1219) ~[?:?]
        at org.opencastproject.ingest.endpoint.IngestRestService$1.xapply(IngestRestService.java:1239) ~[?:?]
        at org.opencastproject.ingest.endpoint.IngestRestService$1.xapply(IngestRestService.java:1222) ~[?:?]
        at org.opencastproject.util.data.Function0$X.apply(Function0.java:53) ~[?:?]
        at org.opencastproject.ingest.endpoint.IngestRestService.ingest(IngestRestService.java:1245) ~[?:?]
        at org.opencastproject.ingest.endpoint.IngestRestService.ingest(IngestRestService.java:1165) ~[?:?]
        at jdk.internal.reflect.GeneratedMethodAccessor228.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) ~[?:?]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[?:?]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) ~[?:?]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) ~[?:?]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[?:?]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) ~[?:?]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[?:?]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[?:?]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265) ~[?:?]
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[?:?]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[?:?]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[?:?]
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225) ~[?:?]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304) ~[?:?]
        at org.opencastproject.kernel.rest.RestPublisher$RestServlet.handleRequest(RestPublisher.java:528) ~[?:?]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217) ~[?:?]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:517) ~[!/:4.0.4]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedServlet.service(OsgiInitializedServlet.java:102) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.rest.JsonpFilter.doFilter(JsonpFilter.java:130) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.filter.proxy.TransparentProxyFilter.doFilter(TransparentProxyFilter.java:80) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.security.urlsigning.filter.UrlSigningFilter.doFilter(UrlSigningFilter.java:101) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.security.RemoteUserAndOrganizationFilter.doFilter(RemoteUserAndOrganizationFilter.java:265) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.rest.CurrentJobFilter.doFilter(CurrentJobFilter.java:107) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) ~[?:?]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) ~[?:?]
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.opencastproject.kernel.security.AsyncTimeoutRedirectFilter.doFilter(AsyncTimeoutRedirectFilter.java:60) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:146) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:98) ~[?:?]
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:102) ~[?:?]
        at org.springframework.security.web.authentication.www.DigestAuthenticationFilter.doFilter(DigestAuthenticationFilter.java:115) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:102) ~[?:?]
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:82) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:98) ~[?:?]
        at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:94) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:102) ~[?:?]
        at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:94) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:102) ~[?:?]
        at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:94) ~[?:?]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:102) ~[?:?]
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:82) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) ~[?:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) ~[?:?]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) ~[?:?]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) ~[?:?]
        at org.opencastproject.kernel.security.SecurityFilter.doFilter(SecurityFilter.java:141) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.security.OrganizationFilter.doFilter(OrganizationFilter.java:154) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.filter.https.HttpsFilter.doFilter(HttpsFilter.java:90) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.opencastproject.kernel.rest.CleanSessionsFilter.doFilter(CleanSessionsFilter.java:104) ~[?:?]
        at org.ops4j.pax.web.service.spi.servlet.OsgiInitializedFilter.doFilter(OsgiInitializedFilter.java:176) ~[!/:?]
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebFilterHolder.doFilter(PaxWebFilterHolder.java:208) ~[!/:?]
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.spi.servlet.OsgiFilterChain.doFilter(OsgiFilterChain.java:113) ~[!/:?]
        at org.ops4j.pax.web.service.jetty.internal.PaxWebServletHandler.doHandle(PaxWebServletHandler.java:334) ~[!/:?]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191) ~[!/:9.4.57.v20241219]
        at org.ops4j.pax.web.service.jetty.internal.PrioritizedHandlerCollection.handle(PrioritizedHandlerCollection.java:96) ~[!/:?]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487) ~[!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) [!/:9.4.57.v20241219]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) [!/:9.4.57.v20241219]
        at java.lang.Thread.run(Thread.java:840) [?:?]
Caused by: org.opencastproject.security.api.UnauthorizedException: Not allowed to set property on episode 504db934-e1aa-4ed2-a65d-38cf851da84c
        at org.opencastproject.assetmanager.impl.AssetManagerImpl.setProperty(AssetManagerImpl.java:872) ~[?:?]
        at org.opencastproject.assetmanager.util.WorkflowPropertiesUtil.storeProperties(WorkflowPropertiesUtil.java:133) ~[?:?]
        at org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:502) ~[?:?]
        at org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:477) ~[?:?]
        at org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1287) ~[?:?]
        at org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1217) ~[?:?]
        ... 153 more

The event is created in Opencast, it contains the DC catalog with the metadata (title, series association), but nothing else (no ACL attachment, no media track).

Admin users have no problems uploading directly to series.

To reproduce (all in Tobira):

• Log in as non-admin user with rights to create series and upload videos
• Create a series (wait for sync with Opencast)
• Use the uploader:
  • select a video file
  • enter title
  • select the series that was just created
  • confirm with "Save and Finish"
• See the error message

There is a workaround: Upload the video without series association, wait for processing to finish, add the video to series afterwards.

My guess would be that the problem is with how events are created when lock_acl_to_series is active: If I am not mistaken, Tobira will not add an ACL to the event in these cases, which leads to the authorization error in Opencast when the Tobira uploader tries to attach a video file to the media package. Since admins have full permissions on everything regardless of ACL restrictions, they are not stopped here, but unprivileged users are denied access if no ACL is present.

However, I cannot exclude a problem with our configuration (either in Tobira or in Opencast), so if someone has suggestions as to where to look for possible causes or solutions, I am very open to check these out.

Installation context:

• OS: Debian 12 (on all machines)
• Tobira 3.9 (binary download from GH)
• Opencast 17.8 (distributed admin, presentation, workers; DEB packages from OC repository)

(Updated to add system information)

[mtneug]

You may need to add the series ACL to the mediapackage before creating the first snapshot:

- id: series
  exception-handler-workflow: partial-error
  description: Applying access control entries
  configurations:
    - attach: '*'
    - apply-acl: true

See example: https://github.com/opencast/opencast/blob/103b4b381c7d956669fd733f874dd05a5435493c/etc/workflows/partial-ingest.yaml#L30-L37

[mpmuc84]

Thanks, but we are already using the default workflow (our tobira-upload directly includes the unmodified schedule-and-upload workflow, which in turn includes the partial-ingest workflow, as per your link; there is no snapshot step before the one in there), and the error occurs during creation of snapshot 0, which should be part of the initial creation of the media package (before an actual workflow is executed), if I remember correctly.

The log says a workflow is being started, but Opencast does not even get to actually start it, as the initial snapshot for the media package is not completed.

[oas777]

Just for you to know, we have a very similar problem at ETH (different notification) and Waldemar is looking into this.

[owi92]

I have not been able to reproduce this with the lock_acl_to_series option enabled and a stock Opencast 19 (though I don't think the issue is related to the OC version).

It is correct that with that option enabled, the video ACL that Tobira sends to OC will be empty when uploading into a series. This is what allows the series ACL to take precedence in Opencast, regardless of the configured merge mode (https://docs.opencast.org/develop/admin/configuration/acl/#series-and-episode-rules).
Usually this happens before other workflows run, but that doesn't seem to be the case for you @mpmuc84. Is there any option or configuration in Opencast that could prevent that?

I'll give an update here when Waldemar has figured out the ETH issue, and if that is indeed connected to the error you are seeing.

[mpmuc84]

Thanks @owi92!

I have not yet had a chance to try reproducing in our test cluster, will attempt to do this in the coming days.

Is there any option or configuration in Opencast that could prevent that?

I cannot think of anything that would prevent merging the ACLs before saving the media package. We left the merge mode unchanged in configuration, i.e. the default merge mode override should be used.

In theory, creating an event with an empty/non-existent event ACL attached to a series should lead to a media package with only the series ACL attached to it. Using an admin-level account this works, but using a non-admin account this does not. One guess I had was maybe the non-admin account is missing some crucial role. However, if the same account logs into the OC admin UI and creates an event attached to a series there, the process is successful -- with two main differences compared with Tobira:

• The event is created using the API for the admin interface (as opposed to the ingest API used by Tobira), and
• the event gets an event ACL attached to it.

I will update as well, as soon as I have had a chance to test this with another installation.

[LukasKalbertodt]

Sorry for my late reply, I was on vacation. But this issue is known and already fixed. From the Tobira v3.2 release:

• Fix upload issue with lock_acl_to_series = true in Fix upload issue with locked ACL #1429
  • Due to an Opencast bug, uploading into a series as a non-ROLE_ADMIN user failed with that setting in previous versions.
  • With this fix, uploading works again as expected, as long as your Opencast interprets the roles or oc claim in JWTs according to this. This is true for Opencast >=18, but can be backported.

The last point is important and also explains why Ole cannot reproduce it with OC 19 (where the correct JWT behavior is enabled by default). We fixed this issue by including an explicit "user can write event " in our JWT when uploading.

[owi92]

I forgot about that! So this issue is related to the Opencast version after all. What Lukas said should be the solution.
The ETH thing that Olaf referred to turned out to be something else.

I think upgrading to OC 18+ is probably the "easiest" fix for you @mpmuc84.