While working on converting UWGAC workflows from CWL into WDL as part of BioData Catalyst, I came across one that caused a permissions issue. For weeks I thought this was due to the fact I was using symlinks, but I now believe the issue is that the workflow calls an Rscript that attempts to modify the input file directly.
According to my tests, Cromwell, even in "local mode," localizes input files with rw-r--r-- permissions. This is the case whether they come from a gs:// URI or from another task. So, when Cromwell is run as root, the files can be edited directly. But on Terra, you (quite understandably!) do not have root permissions, meaning that you cannot edit input files directly. At least, that's my theory.
I created a simple Python script in a WDL that demonstrates this a little more simply than the UWGAC workflow I'm converting. The Python WDL passes when run locally, presumably because I am running as root, but it gives a permissions error and fails on Terra. https://github.com/aofarrel/upon-thine-inputs
1. Is my hypothesis correct? I have searched the Cromwell and openWDL spec repos, but thus far have not been able to find documentation on this.
2. For the UWGAC workflow I am converting, I cannot modify the Rscripts; we want to use the exact same Docker image that the CWLs use and the Rscript is in that image. It seems that the only possible workaround is to cp the input file into the execution directory, and point the Rscript to that new copy (which presumably has wider permissions). Terra (again, quite understandably) does not grant me mv or chmod permissions, so it seems this is the only possible workaround. But is there another way that doesn't involve duplication?