You can subscribe to this list here.
2017 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
|
Nov
(1) |
Dec
(1) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2018 |
Jan
(7) |
Feb
|
Mar
|
Apr
(3) |
May
|
Jun
(7) |
Jul
(1) |
Aug
(5) |
Sep
(3) |
Oct
(2) |
Nov
(8) |
Dec
(2) |
2019 |
Jan
(1) |
Feb
|
Mar
|
Apr
|
May
(2) |
Jun
|
Jul
|
Aug
|
Sep
(3) |
Oct
|
Nov
(1) |
Dec
(1) |
2020 |
Jan
(1) |
Feb
|
Mar
(1) |
Apr
(1) |
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(2) |
2021 |
Jan
|
Feb
(1) |
Mar
(3) |
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(5) |
2022 |
Jan
(6) |
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(3) |
Sep
|
Oct
|
Nov
|
Dec
|
2023 |
Jan
(10) |
Feb
|
Mar
(4) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(2) |
From: Bernd S. <b.s...@fz...> - 2023-12-06 08:38:16
|
Hi Andrii, the "unicore-host" is just a "place holder" for the actual name of your machine where the Gateway is running. Try BASE=https://localhost:8080/TEST/rest/core or BASE=https://andrii-pc:8080/TEST/rest/core Best regards, Bernd On 12/6/23 06:34, Andrii Simonkin wrote: > Hello, I'm writing to you about the installation of your application, > the thing is that I can't connect to the server, it gives an error message. > Please Help to solve this problem. > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Large Scale Data Science, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Andrii S. <and...@gm...> - 2023-12-06 05:34:39
|
Hello, I'm writing to you about the installation of your application, the thing is that I can't connect to the server, it gives an error message. Please Help to solve this problem. |
From: Fernandez R. D. <dan...@ep...> - 2023-03-14 10:22:11
|
Ahh great, I will take a look at the details endpoint :) Thank you very very much Bernd! Your help is much appreciated, Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Tuesday, March 14, 2023 10:17:50 AM To: Fernandez Rodriguez Daniel; uni...@li... Subject: Re: [UNICORE-Support] Get the node my job is running on directly from Unicore API hi Daniel, ... btw, if you use PyUNICORE, the Job client has a bss_details() method which will conveniently give you the Slurm low-level info about your job https://github.com/HumanBrainProject/pyunicore/blob/dev/pyunicore/client.py#L476 Best regards, Bernd On 3/14/23 10:14, Bernd Schuller wrote: > hi Daniel, > > sorry, I did send a reply back in January, but now I see it was only to > the list... so here it is again. > > see below... > > > On 3/14/23 09:41, Fernandez Rodriguez Daniel via Unicore-support wrote: >> ... >> ------------------------------------------------------------------------ >> *From:* Fernandez Rodriguez Daniel >> *Sent:* Thursday, January 26, 2023 5:25:34 PM >> *To:* uni...@li... >> *Subject:* Get the node my job is running on directly from Unicore API >> >> Hello everyone, >> >> >> We are using Unicore to programmatically launch jobs on our cluster >> (via Slurm scheduler). >> >> >> I have this use case where the job should start a jupyter lab and once >> it is ready, return the URL to the user. >> >> The idea is that user can conveniently access the jupyter lab server >> running on the cluster from a web browser. > > > Nice use case. > > Just for your information, we run JupyterHub to do a very similar thing, > since we don't have internet access to the compute nodes > > (https://jupyter-jsc.fz-juelich.de) > > > >> To do it, I need to know the node where the job is running on. >> >> >> Looking at the docs, it does not seems I can get the node where the >> job is running from the Unicore API: ... >> Am I missing something? Do you know if there is a way to do it? >> > > There is no direct API way to do it (a big job might run on several > 1000s of nodes...), but there are a number of ways to do it. > > > 1) there is a "/details" endpoint in the /jobs API which will give you a > JSON containing the Slurm low-level job details - this also contains the > compute node(s) a job is running on. > > https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#id10 > > Do a JSON GET on > "https://your-unicore-url/rest/core/jobs/job-uuid/details" and see what > you get > > 2) Simply writing the node hostname to a file in the working directory > as part of your job and then reading this file from the client would > also work. > > >> Note: My UnicoreX server and TSI are running on different nodes. I can >> only run slurm commands from the TSI server. >> > > Yes, that is as it is intended to be 😄 > > > Best regards, > Bernd > >> >> Thank you very much as always, >> >> Daniel. >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2023-03-14 09:33:54
|
hi Daniel, ... btw, if you use PyUNICORE, the Job client has a bss_details() method which will conveniently give you the Slurm low-level info about your job https://github.com/HumanBrainProject/pyunicore/blob/dev/pyunicore/client.py#L476 Best regards, Bernd On 3/14/23 10:14, Bernd Schuller wrote: > hi Daniel, > > sorry, I did send a reply back in January, but now I see it was only to > the list... so here it is again. > > see below... > > > On 3/14/23 09:41, Fernandez Rodriguez Daniel via Unicore-support wrote: >> ... >> ------------------------------------------------------------------------ >> *From:* Fernandez Rodriguez Daniel >> *Sent:* Thursday, January 26, 2023 5:25:34 PM >> *To:* uni...@li... >> *Subject:* Get the node my job is running on directly from Unicore API >> >> Hello everyone, >> >> >> We are using Unicore to programmatically launch jobs on our cluster >> (via Slurm scheduler). >> >> >> I have this use case where the job should start a jupyter lab and once >> it is ready, return the URL to the user. >> >> The idea is that user can conveniently access the jupyter lab server >> running on the cluster from a web browser. > > > Nice use case. > > Just for your information, we run JupyterHub to do a very similar thing, > since we don't have internet access to the compute nodes > > (https://jupyter-jsc.fz-juelich.de) > > > >> To do it, I need to know the node where the job is running on. >> >> >> Looking at the docs, it does not seems I can get the node where the >> job is running from the Unicore API: ... >> Am I missing something? Do you know if there is a way to do it? >> > > There is no direct API way to do it (a big job might run on several > 1000s of nodes...), but there are a number of ways to do it. > > > 1) there is a "/details" endpoint in the /jobs API which will give you a > JSON containing the Slurm low-level job details - this also contains the > compute node(s) a job is running on. > > https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#id10 > > Do a JSON GET on > "https://your-unicore-url/rest/core/jobs/job-uuid/details" and see what > you get > > 2) Simply writing the node hostname to a file in the working directory > as part of your job and then reading this file from the client would > also work. > > >> Note: My UnicoreX server and TSI are running on different nodes. I can >> only run slurm commands from the TSI server. >> > > Yes, that is as it is intended to be 😄 > > > Best regards, > Bernd > >> >> Thank you very much as always, >> >> Daniel. >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2023-03-14 09:33:53
|
hi Daniel, sorry, I did send a reply back in January, but now I see it was only to the list... so here it is again. see below... On 3/14/23 09:41, Fernandez Rodriguez Daniel via Unicore-support wrote: > ... > ------------------------------------------------------------------------ > *From:* Fernandez Rodriguez Daniel > *Sent:* Thursday, January 26, 2023 5:25:34 PM > *To:* uni...@li... > *Subject:* Get the node my job is running on directly from Unicore API > > Hello everyone, > > > We are using Unicore to programmatically launch jobs on our cluster (via > Slurm scheduler). > > > I have this use case where the job should start a jupyter lab and once > it is ready, return the URL to the user. > > The idea is that user can conveniently access the jupyter lab server > running on the cluster from a web browser. Nice use case. Just for your information, we run JupyterHub to do a very similar thing, since we don't have internet access to the compute nodes (https://jupyter-jsc.fz-juelich.de) > To do it, I need to know the node where the job is running on. > > > Looking at the docs, it does not seems I can get the node where the job > is running from the Unicore API: > ... > Am I missing something? Do you know if there is a way to do it? > There is no direct API way to do it (a big job might run on several 1000s of nodes...), but there are a number of ways to do it. 1) there is a "/details" endpoint in the /jobs API which will give you a JSON containing the Slurm low-level job details - this also contains the compute node(s) a job is running on. https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#id10 Do a JSON GET on "https://your-unicore-url/rest/core/jobs/job-uuid/details" and see what you get 2) Simply writing the node hostname to a file in the working directory as part of your job and then reading this file from the client would also work. > Note: My UnicoreX server and TSI are running on different nodes. I can > only run slurm commands from the TSI server. > Yes, that is as it is intended to be 😄 Best regards, Bernd > > Thank you very much as always, > > Daniel. > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2023-03-14 09:08:14
|
Dear all, Apologies for bumping this topic up, but unfortunately I was not able to find a suitable answer for this. Any ideas? Thank you very much, Daniel. ________________________________ From: Fernandez Rodriguez Daniel Sent: Thursday, January 26, 2023 5:25:34 PM To: uni...@li... Subject: Get the node my job is running on directly from Unicore API Hello everyone, We are using Unicore to programmatically launch jobs on our cluster (via Slurm scheduler). I have this use case where the job should start a jupyter lab and once it is ready, return the URL to the user. The idea is that user can conveniently access the jupyter lab server running on the cluster from a web browser. To do it, I need to know the node where the job is running on. Looking at the docs, it does not seems I can get the node where the job is running from the Unicore API: https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#job-properties <https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#job-properties> Am I missing something? Do you know if there is a way to do it? Note: My UnicoreX server and TSI are running on different nodes. I can only run slurm commands from the TSI server. Thank you very much as always, Daniel. |
From: Bernd S. <b.s...@fz...> - 2023-01-26 16:40:05
|
hi Daniel, On 26.01.23 17:25, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hello everyone, > > > We are using Unicore to programmatically launch jobs on our cluster (via > Slurm scheduler). > > > I have this use case where the job should start a jupyter lab and once > it is ready, return the URL to the user. > > The idea is that user can conveniently access the jupyter lab server > running on the cluster from a web browser. > > > To do it, I need to know the node where the job is running on. > Nice use case. Just for your information, we run JupyterHub to do a very similar thing, since we don't have internet access to the compute nodes (https://jupyter-jsc.fz-juelich.de) > > Looking at the docs, it does not seems I can get the node where the job > is running from the Unicore API: ... > Am I missing something? Do you know if there is a way to do it? There is no direct API way to do it (a job might run on 1000s of nodes...), but there are a number of ways to do it. 1) there is a "/details" endpoint in the /jobs API which will give you a JSON containing the Slurm low-level job details - this also contains the compute node(s) a job is running on. https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#id10 Do a JSON GET on "https://your-unicore-url/rest/core/jobs/job-uuid/details" and see what you get :-) 2) Simply writing the node hostname to a file in the working directory as part of your job and then reading this file from the client would also work. > Note: My UnicoreX server and TSI are running on different nodes. I can > only run slurm commands from the TSI server. As it is intended to be :-) Best regards, Bernd > > > Thank you very much as always, > > Daniel. > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2023-01-26 16:25:47
|
Hello everyone, We are using Unicore to programmatically launch jobs on our cluster (via Slurm scheduler). I have this use case where the job should start a jupyter lab and once it is ready, return the URL to the user. The idea is that user can conveniently access the jupyter lab server running on the cluster from a web browser. To do it, I need to know the node where the job is running on. Looking at the docs, it does not seems I can get the node where the job is running from the Unicore API: https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#job-properties <https://unicore-docs.readthedocs.io/en/latest/user-docs/rest-api/index.html#job-properties> Am I missing something? Do you know if there is a way to do it? Note: My UnicoreX server and TSI are running on different nodes. I can only run slurm commands from the TSI server. Thank you very much as always, Daniel. |
From: Fernandez R. D. <dan...@ep...> - 2023-01-26 14:23:33
|
Thanks for your answer Bernd! I will use root for now then, at some point in the future we will upgrade to RHEL8 or newer and then I might be able to use the ambient caps feature. Thank you very much, Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Thursday, January 26, 2023 1:29:54 PM To: Fernandez Rodriguez Daniel; uni...@li... Subject: Re: [UNICORE-Support] Running TSI as unicore user: setgid Operation not permitted hi Daniel On 26.01.23 11:53, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hi everyone, > > > This is more of a Linux questions than a TSI one, but maybe some of you > will know better and can give help identify what my root issue is. > > > I am trying to run the latest version of TSI (9.1.2) on a RHEL7 node > (setpriv from util-linux 2.23.2) as the unicore user. > > > But unfortunately setgid capability seems not to be working for me. ... > Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: Starting as unicore > (589:584) with capabilites: +setuid,+setgid > Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: /usr/bin/setpriv > --inh-caps=+setuid,+setgid --reuid 589 --regid 584 --clear-groups > python3 /usr/share/unicore/tsi/lib/TSI.py > /etc/unicore/tsi/tsi.properties > ... > > And this is the TSI log: > ... > File "/usr/share/unicore/tsi/lib/BecomeUser.py", line 212, in restore_id > os.setgroups([egid]) > PermissionError: [Errno 1] Operation not permitted .... > > > Do you know what I might be doing wrong? I don't think you are doing anything wrong. Note that the "Operation not permitted" is triggered when the TSI process goes BACK to high(er) privileges after doing something. So the setuid/setgid worked - just not reverting to the original ones. The setpriv tool in the version you use does not support the "ambient capabilities", and I think these are needed for going back to the elevated privileges. So you can try updating setpriv to a later version (if your kernel even supports the ambient caps feature), or --- just run as root. > Is someone else running TSI as > the unicore user? Or most of you are running it as root? > most sites I know run as root, I know one site (who specifically requested the non-root feature :-)), who did run as non-root for a while. Not sure if they still do it, but I suspect so. I run it on my dev machine (5.4.0-137-generic Ubuntu/Mint), with $ setpriv --version setpriv from util-linux 2.34 > > I must admit I don't know much about setpriv and all these linux > security featues. me neither, it is kind of tricky :-) Here is some good information though: https://man7.org/linux/man-pages/man1/setpriv.1.html https://man7.org/linux/man-pages/man7/capabilities.7.html Best regards, Bernd > > > Thank you very much, > > Daniel. > > > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2023-01-26 12:30:09
|
hi Daniel On 26.01.23 11:53, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hi everyone, > > > This is more of a Linux questions than a TSI one, but maybe some of you > will know better and can give help identify what my root issue is. > > > I am trying to run the latest version of TSI (9.1.2) on a RHEL7 node > (setpriv from util-linux 2.23.2) as the unicore user. > > > But unfortunately setgid capability seems not to be working for me. ... > Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: Starting as unicore > (589:584) with capabilites: +setuid,+setgid > Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: /usr/bin/setpriv > --inh-caps=+setuid,+setgid --reuid 589 --regid 584 --clear-groups > python3 /usr/share/unicore/tsi/lib/TSI.py > /etc/unicore/tsi/tsi.properties > ... > > And this is the TSI log: > ... > File "/usr/share/unicore/tsi/lib/BecomeUser.py", line 212, in restore_id > os.setgroups([egid]) > PermissionError: [Errno 1] Operation not permitted .... > > > Do you know what I might be doing wrong? I don't think you are doing anything wrong. Note that the "Operation not permitted" is triggered when the TSI process goes BACK to high(er) privileges after doing something. So the setuid/setgid worked - just not reverting to the original ones. The setpriv tool in the version you use does not support the "ambient capabilities", and I think these are needed for going back to the elevated privileges. So you can try updating setpriv to a later version (if your kernel even supports the ambient caps feature), or --- just run as root. > Is someone else running TSI as > the unicore user? Or most of you are running it as root? > most sites I know run as root, I know one site (who specifically requested the non-root feature :-)), who did run as non-root for a while. Not sure if they still do it, but I suspect so. I run it on my dev machine (5.4.0-137-generic Ubuntu/Mint), with $ setpriv --version setpriv from util-linux 2.34 > > I must admit I don't know much about setpriv and all these linux > security featues. me neither, it is kind of tricky :-) Here is some good information though: https://man7.org/linux/man-pages/man1/setpriv.1.html https://man7.org/linux/man-pages/man7/capabilities.7.html Best regards, Bernd > > > Thank you very much, > > Daniel. > > > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2023-01-26 10:53:47
|
Hi everyone, This is more of a Linux questions than a TSI one, but maybe some of you will know better and can give help identify what my root issue is. I am trying to run the latest version of TSI (9.1.2) on a RHEL7 node (setpriv from util-linux 2.23.2) as the unicore user. But unfortunately setgid capability seems not to be working for me. This is the relevant part of the syslog output of the unicore-tsi unit: Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: Output redirected to /var/log/unicore/tsi/TSILog_2023_01_26_11_31 Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: Starting as unicore (589:584) with capabilites: +setuid,+setgid Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: /usr/bin/setpriv --inh-caps=+setuid,+setgid --reuid 589 --regid 584 --clear-groups python3 /usr/share/unicore/tsi/lib/TSI.py /etc/unicore/tsi/tsi.properties > /var/log/unicore/tsi/TSILog_2023_01_26_11_31 Jan 26 11:31:54 bbpv1.epfl.ch start.sh[30790]: UNICORE TSI starting Jan 26 11:31:54 bbpv1.epfl.ch systemd[1]: Started UNICORE TSI. And this is the TSI log: tail -f /var/log/unicore/tsi/TSILog_2023_01_26_11_31 exit_code = main() File "/usr/share/unicore/tsi/lib/TSI.py", line 383, in main process(connector, config, LOG) File "/usr/share/unicore/tsi/lib/TSI.py", line 346, in process handle_function(function, command, message, connector, config, LOG) File "/usr/share/unicore/tsi/lib/TSI.py", line 293, in handle_function BecomeUser.restore_id(config, LOG) File "/usr/share/unicore/tsi/lib/BecomeUser.py", line 212, in restore_id os.setgroups([egid]) PermissionError: [Errno 1] Operation not permitted And for completeness this is the "config" variable that python is using internally: {'tsi.default_job_name': 'UnicoreJob', 'tsi.nodes_filter': '', 'tsi.userCacheTtl': 600, 'tsi.enforce_os_gids': True, 'tsi.fail_on_invalid_gids': False, 'tsi.use_id_to_resolve_gids': True, 'tsi.open_user_sessions': False, 'tsi.debug': False, 'tsi.use_syslog': True, 'tsi.worker.id': 1, 'tsi.unicorex_machine': '10.80.65.95,10.80.65.99', 'tsi.safe_dir': '/tmp', 'tsi.keyfiles': ['.ssh/authorized_keys'], 'tsi.unicorex_port': '7654', 'tsi.my_addr': '0.0.0.0', 'tsi.my_port': '4433', 'tsi.pam_module': 'unicore-tsi', 'tsi.enforce_gids_consistency': 'true', 'tsi.usersCacheTtl': '600', 'tsi.setfacl': 'setfacl', 'tsi.getfacl': 'getfacl', 'tsi.acl': {'/': 'NONE'}, 'tsi.posixacl_enabled': False, 'tsi.nfsacl_enabled': False, 'tsi.allowed_ips': ['10.80.65.95', '10.80.65.99'], 'tsi.local_portrange': (0, -1, -1), 'tsi.effective_uid': 589, 'tsi.effective_gid': 584, 'tsi.switch_uid': True, 'tsi.user_cache': <UserCache.UserCache object at 0x7ffff03d01d0>, 'tsi.qstat_cmd': 'squeue -h -o "%i %T %P"', 'tsi.abort_cmd': 'scancel %s', 'tsi.get_processes_cmd': 'ps -e', 'tsi.submit_cmd': 'sbatch', 'tsi.alloc_cmd': 'salloc --no-shell', 'tsi.details_cmd': 'scontrol show jobid', 'tsi.hold_cmd': 'scontrol hold', 'tsi.resume_cmd': 'scontrol release', 'tsi.NOBATCH.children': [], 'tsi.bss': <BSS.BSS object at 0x7fffec9b4128>} Do you know what I might be doing wrong? Is someone else running TSI as the unicore user? Or most of you are running it as root? I must admit I don't know much about setpriv and all these linux security featues. Thank you very much, Daniel. |
From: Bernd S. <b.s...@fz...> - 2023-01-19 17:46:45
|
hi, the files are back, SF has resolved the issue. Bernd. On 19.01.23 16:27, Fernandez Rodriguez Daniel wrote: > Hi Bernd, > > > no worries. I am preparing this new TSI server in my organization, but > for now I can simply build the RPM myself and install that one. > > > I will keep an eye on SF from time to time. > > > Thanks for the answer, > > Daniel. > > ------------------------------------------------------------------------ > *From:* Bernd Schuller <b.s...@fz...> > *Sent:* Thursday, January 19, 2023 3:47:13 PM > *To:* Fernandez Rodriguez Daniel; uni...@li... > *Subject:* Re: [UNICORE-Support] Unicore Server files missing from > SourceForge > > ... by the way, if you need any particular package, let me know, we can > (temporarily) host it on one of the Juelich machines > > Bernd > > > On 19.01.23 15:07, Fernandez Rodriguez Daniel via Unicore-support wrote: >> Hello everyone, >> >> >> the files Unicore files hosted in SF seem to have been removed. >> >> >> https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/> >> <https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/>> >> >> >> They were there yesterday. Do you know what's going on? >> >> >> Thanks, >> >> Daniel. >> >> UNICORE - Browse /Servers/Core at SourceForge.net >> <https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/>> >> sourceforge.net >> UNiform Interface to COmputing and data REsources >> >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > <https://lists.sourceforge.net/lists/listinfo/unicore-support> > > -- > Dr. Bernd Schuller > Federated Systems and Data, Juelich Supercomputing Centre > https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html > <https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html> > Phone: +49 246161-8736 (fax -8556) -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2023-01-19 15:27:28
|
Hi Bernd, no worries. I am preparing this new TSI server in my organization, but for now I can simply build the RPM myself and install that one. I will keep an eye on SF from time to time. Thanks for the answer, Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Thursday, January 19, 2023 3:47:13 PM To: Fernandez Rodriguez Daniel; uni...@li... Subject: Re: [UNICORE-Support] Unicore Server files missing from SourceForge ... by the way, if you need any particular package, let me know, we can (temporarily) host it on one of the Juelich machines Bernd On 19.01.23 15:07, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hello everyone, > > > the files Unicore files hosted in SF seem to have been removed. > > > https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > > > They were there yesterday. Do you know what's going on? > > > Thanks, > > Daniel. > > UNICORE - Browse /Servers/Core at SourceForge.net > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > sourceforge.net > UNiform Interface to COmputing and data REsources > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2023-01-19 14:56:26
|
hi Daniel, no, that is a surprise... looks like a very bad outage on SF. We'll see whether they will recover (they usually do). Best regards, Bernd On 19.01.23 15:07, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hello everyone, > > > the files Unicore files hosted in SF seem to have been removed. > > > https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > > > They were there yesterday. Do you know what's going on? > > > Thanks, > > Daniel. > > UNICORE - Browse /Servers/Core at SourceForge.net > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > sourceforge.net > UNiform Interface to COmputing and data REsources > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2023-01-19 14:55:02
|
... by the way, if you need any particular package, let me know, we can (temporarily) host it on one of the Juelich machines Bernd On 19.01.23 15:07, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hello everyone, > > > the files Unicore files hosted in SF seem to have been removed. > > > https://sourceforge.net/projects/unicore/files/Servers/Core/ > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > > > They were there yesterday. Do you know what's going on? > > > Thanks, > > Daniel. > > UNICORE - Browse /Servers/Core at SourceForge.net > <https://sourceforge.net/projects/unicore/files/Servers/Core/> > sourceforge.net > UNiform Interface to COmputing and data REsources > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2023-01-19 14:34:41
|
Hello everyone, the files Unicore files hosted in SF seem to have been removed. https://sourceforge.net/projects/unicore/files/Servers/Core/ They were there yesterday. Do you know what's going on? Thanks, Daniel. UNICORE - Browse /Servers/Core at SourceForge.net<https://sourceforge.net/projects/unicore/files/Servers/Core/> sourceforge.net UNiform Interface to COmputing and data REsources |
From: Fernandez R. D. <dan...@ep...> - 2022-08-03 12:44:41
|
Hi Bernd, thanks for you message. I successfully converted it. I had some custom resources defined in my old simpleidb file so I ended up checking the source code: https://github.com/UNICORE-EU/unicorex/blob/master/xnjs/src/main/java/de/fzj/unicore/xnjs/idb/OptionDescription.java to get the list of possible types. The examples I found in the official docs https://unicore-docs.readthedocs.io/en/latest/admin-docs/unicorex/manual.html#idb-syntax-description were good, but they don't describe all possible types and options. Other than that no problem. Thank you very much, Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Tuesday, August 2, 2022 3:16:24 PM To: Fernandez Rodriguez Daniel; uni...@li... Subject: Re: [UNICORE-Support] Convert simpleidb to idb.json Hi Daniel, On 02.08.22 14:37, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hi everyone, > > > I am upgrading an old Unicore server (running 7.X) to 8.3.0-p2. I read > in the docs that the future upcoming versions of UNICORE/X will only use > idb.json so I am trying to migrate my existing simpleidb to idb.json > yes, that is true UNICORE 9 will only have the JSON format. > > Is there a recommended way of doing? some script or something? Doing it > by hand seems very error prone. We don't have any scripts for that, sorry. The crucial parts are the script templates (ExecuteScriptTemplate and SubmitScriptTemplate) and the queue / partition definitions, so it's not as bad as it seems :-) (you can update / edit the IDB at runtime, btw) If you want a more real-life example for such an IDB, let me know. I'd also be happy to help with the conversion Best regards, Bernd > > > Thank you very much, > > Daniel. > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2022-08-02 13:35:22
|
Hi Daniel, On 02.08.22 14:37, Fernandez Rodriguez Daniel via Unicore-support wrote: > Hi everyone, > > > I am upgrading an old Unicore server (running 7.X) to 8.3.0-p2. I read > in the docs that the future upcoming versions of UNICORE/X will only use > idb.json so I am trying to migrate my existing simpleidb to idb.json > yes, that is true UNICORE 9 will only have the JSON format. > > Is there a recommended way of doing? some script or something? Doing it > by hand seems very error prone. We don't have any scripts for that, sorry. The crucial parts are the script templates (ExecuteScriptTemplate and SubmitScriptTemplate) and the queue / partition definitions, so it's not as bad as it seems :-) (you can update / edit the IDB at runtime, btw) If you want a more real-life example for such an IDB, let me know. I'd also be happy to help with the conversion Best regards, Bernd > > > Thank you very much, > > Daniel. > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2022-08-02 13:03:58
|
Hi everyone, I am upgrading an old Unicore server (running 7.X) to 8.3.0-p2. I read in the docs that the future upcoming versions of UNICORE/X will only use idb.json so I am trying to migrate my existing simpleidb to idb.json Is there a recommended way of doing? some script or something? Doing it by hand seems very error prone. Thank you very much, Daniel. |
From: Fernandez R. D. <dan...@ep...> - 2022-01-14 08:09:21
|
Just for completeness, I was able to create a new admin user following this instructions: https://sourceforge.net/p/unity-idm/unity-discuss/message/36333136/ With the new admin user in place I logged into the Unity administrator interface and added a new x500Name identity (CN=bbpunicoredev.epfl.ch,O=École polytechnique fédérale de Lausanne,L=Lausanne,C=CH) under unicore/servers. That did the trick. Thanks a lot ________________________________ From: Fernandez Rodriguez Daniel Sent: Thursday, January 13, 2022 3:32:21 PM To: Bernd Schuller Cc: uni...@li... Subject: Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query Thanks a lot for your help Bernd. I will ask in the unity mailing list. Have a great day!! Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Thursday, January 13, 2022 2:56:18 PM To: Fernandez Rodriguez Daniel Cc: uni...@li... Subject: Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query hi Daniel, On 13.01.22 13:58, Fernandez Rodriguez Daniel wrote: > Hi Bernd, > > > following your suggestion I set the Unity log level to DEBUG and I was > able gather some useful info 😊 thanks for that! > > > We are using a translation profile "keycloak2UNICORE" that maps the info > coming from our Identity Provider (https://keycloak.org > <https://keycloak.org>) to Unity. According to the logs, that part seems > to work fine. > > > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapIdentityAction:[TrProfile > keycloak2UNICORE, r: 1, oauth-rp] Mapped identity: [x500Name] > CN=danielfr,O=Ecole polytechnique federale de Lausanne > (EPFL),L=Lausanne,ST=Vaud,C=CH > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 2] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapGroupAction:[TrProfile > keycloak2UNICORE, r: 2, oauth-rp] Mapped group: /unicore/users > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 3] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapAttributeAction:[TrProfile > keycloak2UNICORE, r: 3, oauth-rp] Mapped attribute: name: [danielfr] > 2022-01-12T17:50:45,616 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 4] Condition OK > ... > > The problem seems to be that I also need an identity mapped to the > certificate I am using. This is the part that is failing: > > > 2022-01-12T17:50:46,166 [qtp426014054-33] DEBUG > unity.server.CertificateVerificator: Checking certificate failed > pl.edu.icm.unity.exceptions.IllegalIdentityValueException: No identity > with value CN=bbpunicoredev.epfl.ch,O=École polytechnique fédérale de > Lausanne,L=Lausanne,C=CH > > Maybe this identity was manually created in the prod database and I need > to do something similar with the dev database. yes that would make sense, I'm not the 100% Unity expert, but that is what it looks like. > > The problem now is that I cannot access the UNITY admin portal because I > don't know the admin password....[sigh] > > Is there I way I can reset the unity admin password? I have full access > to the server and the H2 database files. I don't know --- it's certainly possible to get a DB client console for a H2 database (https://www.h2database.com/html/tutorial.html#tutorial_starting_h2_console) But you'd need to ask on the Unity list if and how it's possible to hack the DB content for the 2.6.2 version. the Unity support list is <uni...@li...> Best regards, Bernd > > Thank you very very much, > Daniel. > > > ------------------------------------------------------------------------ > *From:* Bernd Schuller <b.s...@fz...> > *Sent:* Wednesday, January 12, 2022 5:06:43 PM > *To:* Fernandez Rodriguez Daniel > *Cc:* uni...@li... > *Subject:* Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML > error occured during VO server query > hi Daniel, > > On 12.01.22 15:30, Fernandez Rodriguez Daniel via Unicore-support wrote: >> Dear Unicore admins, >> >> >> I inherited a working Unicore deployment. Unfortunately its >> configuration is not documented AT ALL and the person who configured it >> left the company some time ago... > > ah, always a bad situation, but we are here to help :-) > >> >> >> In order to learn about it I created a new server and copied over all >> the files from the production server to the new one. The only thing I >> changed was the certificate since the new service runs on a different >> hostname. >> >> >> But when I try to launch a job via this new unicore server I get the >> following error: >> >> >> ==> /opt/unicore/unicorex/logs/uas.log <== >> 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher >> VO-PULL - SAML error occured during VO server query: >> eu.unicore.samly2.exceptions.SAMLResponderException: SAML service >> invocation failed: Invalid user name, credential or external >> authentication failed. >> ... >> 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error >> was: eu.unicore.security.AuthorisationException: There are no accessible >> targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique >> federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH >> Xlogin: uid: [], gids: [addingOSgroups: true] >> Role: anonymous: default role >> >> And from the unity logs: >> >> Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: >> Invalid user name, credential or external authentication failed. >> at >> pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) >> ~[unity-server-rest-2.6.2.jar:?] >> ... 45 more >> 2022-01-12T14:47:01,932 [qtp426014054-33] INFO >> unity.server.rest.AuthenticationInterceptor: Authentication failed for >> client >> 2022-01-12T14:47:01,933 [qtp426014054-33] WARN >> org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for >> {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery >> has thrown exception, unwinding now >> org.apache.cxf.interceptor.Fault: Invalid user name, credential or >> external authentication failed. >> >> >> Any idea what might be happening? > > >> As I said the config is THE SAME we have in current prod and things are >> working fine there. >> > > > UNICORE/X tries to pull user attributes (such as the "role" and Unix ID > from Unity, which fails, probably due to the new UNICORE/X certificate. > > Did you also use a different CA? > > This setup with Unity as the attribute source is one of the more complex > ones, but the place to check is the Unity config. > Search for"unicore-soapidp" in the Unity conf directory to find the > relevant file(s). > > I guess you could get more info by setting the Unity log level to debug. > > >> We are running: >> >> * UNICORE Gateway Version 1.5.16 >> * REGISTRY version 3.8.2 >> * UNICORE/X version 1.9.12 >> * Unity 2.6.2 (I think) > > > these are rather old... sorry to say. (the corresponding releases are > UNICORE 7.13 and Unity 2.6.2) > > > With only a single UNICORE/X server, you probably don't need the > Registry, and maybe you don't even need Unity, not sure why your > predecessor went with this setup. > > Updating to the latest (UNICORE 8.3 and Unity 3.7) is a lot of work --- > maybe a complete fresh install of Gateway, UNICORE/X and (if really > needed) Unity would be good? > > > Hope this helps! > > Best regards, > Bernd > > >> >> >> Happy to answer more questions or provide more info. >> >> Thank you very much, >> Daniel. >> >> >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > <https://lists.sourceforge.net/lists/listinfo/unicore-support> >> > > -- > Dr. Bernd Schuller > Federated Systems and Data, Juelich Supercomputing Centre > https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html > <https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html> > Phone: +49 246161-8736 (fax -8556) > > > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > Forschungszentrum Juelich GmbH > 52425 Juelich > Sitz der Gesellschaft: Juelich > Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Volker Rieke > Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), > Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, > Prof. Dr. Frauke Melchior > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2022-01-13 14:32:35
|
Thanks a lot for your help Bernd. I will ask in the unity mailing list. Have a great day!! Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Thursday, January 13, 2022 2:56:18 PM To: Fernandez Rodriguez Daniel Cc: uni...@li... Subject: Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query hi Daniel, On 13.01.22 13:58, Fernandez Rodriguez Daniel wrote: > Hi Bernd, > > > following your suggestion I set the Unity log level to DEBUG and I was > able gather some useful info 😊 thanks for that! > > > We are using a translation profile "keycloak2UNICORE" that maps the info > coming from our Identity Provider (https://keycloak.org > <https://keycloak.org>) to Unity. According to the logs, that part seems > to work fine. > > > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapIdentityAction:[TrProfile > keycloak2UNICORE, r: 1, oauth-rp] Mapped identity: [x500Name] > CN=danielfr,O=Ecole polytechnique federale de Lausanne > (EPFL),L=Lausanne,ST=Vaud,C=CH > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 2] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapGroupAction:[TrProfile > keycloak2UNICORE, r: 2, oauth-rp] Mapped group: /unicore/users > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 3] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapAttributeAction:[TrProfile > keycloak2UNICORE, r: 3, oauth-rp] Mapped attribute: name: [danielfr] > 2022-01-12T17:50:45,616 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 4] Condition OK > ... > > The problem seems to be that I also need an identity mapped to the > certificate I am using. This is the part that is failing: > > > 2022-01-12T17:50:46,166 [qtp426014054-33] DEBUG > unity.server.CertificateVerificator: Checking certificate failed > pl.edu.icm.unity.exceptions.IllegalIdentityValueException: No identity > with value CN=bbpunicoredev.epfl.ch,O=École polytechnique fédérale de > Lausanne,L=Lausanne,C=CH > > Maybe this identity was manually created in the prod database and I need > to do something similar with the dev database. yes that would make sense, I'm not the 100% Unity expert, but that is what it looks like. > > The problem now is that I cannot access the UNITY admin portal because I > don't know the admin password....[sigh] > > Is there I way I can reset the unity admin password? I have full access > to the server and the H2 database files. I don't know --- it's certainly possible to get a DB client console for a H2 database (https://www.h2database.com/html/tutorial.html#tutorial_starting_h2_console) But you'd need to ask on the Unity list if and how it's possible to hack the DB content for the 2.6.2 version. the Unity support list is <uni...@li...> Best regards, Bernd > > Thank you very very much, > Daniel. > > > ------------------------------------------------------------------------ > *From:* Bernd Schuller <b.s...@fz...> > *Sent:* Wednesday, January 12, 2022 5:06:43 PM > *To:* Fernandez Rodriguez Daniel > *Cc:* uni...@li... > *Subject:* Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML > error occured during VO server query > hi Daniel, > > On 12.01.22 15:30, Fernandez Rodriguez Daniel via Unicore-support wrote: >> Dear Unicore admins, >> >> >> I inherited a working Unicore deployment. Unfortunately its >> configuration is not documented AT ALL and the person who configured it >> left the company some time ago... > > ah, always a bad situation, but we are here to help :-) > >> >> >> In order to learn about it I created a new server and copied over all >> the files from the production server to the new one. The only thing I >> changed was the certificate since the new service runs on a different >> hostname. >> >> >> But when I try to launch a job via this new unicore server I get the >> following error: >> >> >> ==> /opt/unicore/unicorex/logs/uas.log <== >> 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher >> VO-PULL - SAML error occured during VO server query: >> eu.unicore.samly2.exceptions.SAMLResponderException: SAML service >> invocation failed: Invalid user name, credential or external >> authentication failed. >> ... >> 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error >> was: eu.unicore.security.AuthorisationException: There are no accessible >> targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique >> federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH >> Xlogin: uid: [], gids: [addingOSgroups: true] >> Role: anonymous: default role >> >> And from the unity logs: >> >> Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: >> Invalid user name, credential or external authentication failed. >> at >> pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) >> ~[unity-server-rest-2.6.2.jar:?] >> ... 45 more >> 2022-01-12T14:47:01,932 [qtp426014054-33] INFO >> unity.server.rest.AuthenticationInterceptor: Authentication failed for >> client >> 2022-01-12T14:47:01,933 [qtp426014054-33] WARN >> org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for >> {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery >> has thrown exception, unwinding now >> org.apache.cxf.interceptor.Fault: Invalid user name, credential or >> external authentication failed. >> >> >> Any idea what might be happening? > > >> As I said the config is THE SAME we have in current prod and things are >> working fine there. >> > > > UNICORE/X tries to pull user attributes (such as the "role" and Unix ID > from Unity, which fails, probably due to the new UNICORE/X certificate. > > Did you also use a different CA? > > This setup with Unity as the attribute source is one of the more complex > ones, but the place to check is the Unity config. > Search for"unicore-soapidp" in the Unity conf directory to find the > relevant file(s). > > I guess you could get more info by setting the Unity log level to debug. > > >> We are running: >> >> * UNICORE Gateway Version 1.5.16 >> * REGISTRY version 3.8.2 >> * UNICORE/X version 1.9.12 >> * Unity 2.6.2 (I think) > > > these are rather old... sorry to say. (the corresponding releases are > UNICORE 7.13 and Unity 2.6.2) > > > With only a single UNICORE/X server, you probably don't need the > Registry, and maybe you don't even need Unity, not sure why your > predecessor went with this setup. > > Updating to the latest (UNICORE 8.3 and Unity 3.7) is a lot of work --- > maybe a complete fresh install of Gateway, UNICORE/X and (if really > needed) Unity would be good? > > > Hope this helps! > > Best regards, > Bernd > > >> >> >> Happy to answer more questions or provide more info. >> >> Thank you very much, >> Daniel. >> >> >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > <https://lists.sourceforge.net/lists/listinfo/unicore-support> >> > > -- > Dr. Bernd Schuller > Federated Systems and Data, Juelich Supercomputing Centre > https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html > <https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html> > Phone: +49 246161-8736 (fax -8556) > > > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > Forschungszentrum Juelich GmbH > 52425 Juelich > Sitz der Gesellschaft: Juelich > Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Volker Rieke > Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), > Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, > Prof. Dr. Frauke Melchior > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Bernd S. <b.s...@fz...> - 2022-01-13 13:56:37
|
hi Daniel, On 13.01.22 13:58, Fernandez Rodriguez Daniel wrote: > Hi Bernd, > > > following your suggestion I set the Unity log level to DEBUG and I was > able gather some useful info 😊 thanks for that! > > > We are using a translation profile "keycloak2UNICORE" that maps the info > coming from our Identity Provider (https://keycloak.org > <https://keycloak.org>) to Unity. According to the logs, that part seems > to work fine. > > > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapIdentityAction:[TrProfile > keycloak2UNICORE, r: 1, oauth-rp] Mapped identity: [x500Name] > CN=danielfr,O=Ecole polytechnique federale de Lausanne > (EPFL),L=Lausanne,ST=Vaud,C=CH > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 2] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapGroupAction:[TrProfile > keycloak2UNICORE, r: 2, oauth-rp] Mapped group: /unicore/users > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 3] Condition OK > 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG > unity.server.externaltranslation.MapAttributeAction:[TrProfile > keycloak2UNICORE, r: 3, oauth-rp] Mapped attribute: name: [danielfr] > 2022-01-12T17:50:45,616 [qtp426014054-38] DEBUG > unity.server.externaltranslation.InputTranslationRule:[TrProfile > keycloak2UNICORE, r: 4] Condition OK > ... > > The problem seems to be that I also need an identity mapped to the > certificate I am using. This is the part that is failing: > > > 2022-01-12T17:50:46,166 [qtp426014054-33] DEBUG > unity.server.CertificateVerificator: Checking certificate failed > pl.edu.icm.unity.exceptions.IllegalIdentityValueException: No identity > with value CN=bbpunicoredev.epfl.ch,O=École polytechnique fédérale de > Lausanne,L=Lausanne,C=CH > > Maybe this identity was manually created in the prod database and I need > to do something similar with the dev database. yes that would make sense, I'm not the 100% Unity expert, but that is what it looks like. > > The problem now is that I cannot access the UNITY admin portal because I > don't know the admin password....[sigh] > > Is there I way I can reset the unity admin password? I have full access > to the server and the H2 database files. I don't know --- it's certainly possible to get a DB client console for a H2 database (https://www.h2database.com/html/tutorial.html#tutorial_starting_h2_console) But you'd need to ask on the Unity list if and how it's possible to hack the DB content for the 2.6.2 version. the Unity support list is <uni...@li...> Best regards, Bernd > > Thank you very very much, > Daniel. > > > ------------------------------------------------------------------------ > *From:* Bernd Schuller <b.s...@fz...> > *Sent:* Wednesday, January 12, 2022 5:06:43 PM > *To:* Fernandez Rodriguez Daniel > *Cc:* uni...@li... > *Subject:* Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML > error occured during VO server query > hi Daniel, > > On 12.01.22 15:30, Fernandez Rodriguez Daniel via Unicore-support wrote: >> Dear Unicore admins, >> >> >> I inherited a working Unicore deployment. Unfortunately its >> configuration is not documented AT ALL and the person who configured it >> left the company some time ago... > > ah, always a bad situation, but we are here to help :-) > >> >> >> In order to learn about it I created a new server and copied over all >> the files from the production server to the new one. The only thing I >> changed was the certificate since the new service runs on a different >> hostname. >> >> >> But when I try to launch a job via this new unicore server I get the >> following error: >> >> >> ==> /opt/unicore/unicorex/logs/uas.log <== >> 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher >> VO-PULL - SAML error occured during VO server query: >> eu.unicore.samly2.exceptions.SAMLResponderException: SAML service >> invocation failed: Invalid user name, credential or external >> authentication failed. >> ... >> 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error >> was: eu.unicore.security.AuthorisationException: There are no accessible >> targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique >> federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH >> Xlogin: uid: [], gids: [addingOSgroups: true] >> Role: anonymous: default role >> >> And from the unity logs: >> >> Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: >> Invalid user name, credential or external authentication failed. >> at >> pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) >> ~[unity-server-rest-2.6.2.jar:?] >> ... 45 more >> 2022-01-12T14:47:01,932 [qtp426014054-33] INFO >> unity.server.rest.AuthenticationInterceptor: Authentication failed for >> client >> 2022-01-12T14:47:01,933 [qtp426014054-33] WARN >> org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for >> {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery >> has thrown exception, unwinding now >> org.apache.cxf.interceptor.Fault: Invalid user name, credential or >> external authentication failed. >> >> >> Any idea what might be happening? > > >> As I said the config is THE SAME we have in current prod and things are >> working fine there. >> > > > UNICORE/X tries to pull user attributes (such as the "role" and Unix ID > from Unity, which fails, probably due to the new UNICORE/X certificate. > > Did you also use a different CA? > > This setup with Unity as the attribute source is one of the more complex > ones, but the place to check is the Unity config. > Search for"unicore-soapidp" in the Unity conf directory to find the > relevant file(s). > > I guess you could get more info by setting the Unity log level to debug. > > >> We are running: >> >> * UNICORE Gateway Version 1.5.16 >> * REGISTRY version 3.8.2 >> * UNICORE/X version 1.9.12 >> * Unity 2.6.2 (I think) > > > these are rather old... sorry to say. (the corresponding releases are > UNICORE 7.13 and Unity 2.6.2) > > > With only a single UNICORE/X server, you probably don't need the > Registry, and maybe you don't even need Unity, not sure why your > predecessor went with this setup. > > Updating to the latest (UNICORE 8.3 and Unity 3.7) is a lot of work --- > maybe a complete fresh install of Gateway, UNICORE/X and (if really > needed) Unity would be good? > > > Hope this helps! > > Best regards, > Bernd > > >> >> >> Happy to answer more questions or provide more info. >> >> Thank you very much, >> Daniel. >> >> >> >> >> >> _______________________________________________ >> Unicore-support mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unicore-support > <https://lists.sourceforge.net/lists/listinfo/unicore-support> >> > > -- > Dr. Bernd Schuller > Federated Systems and Data, Juelich Supercomputing Centre > https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html > <https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html> > Phone: +49 246161-8736 (fax -8556) > > > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > Forschungszentrum Juelich GmbH > 52425 Juelich > Sitz der Gesellschaft: Juelich > Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Volker Rieke > Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), > Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, > Prof. Dr. Frauke Melchior > ------------------------------------------------------------------------------------------------ > ------------------------------------------------------------------------------------------------ > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) |
From: Fernandez R. D. <dan...@ep...> - 2022-01-13 13:25:48
|
Hi Bernd, following your suggestion I set the Unity log level to DEBUG and I was able gather some useful info 😊 thanks for that! We are using a translation profile "keycloak2UNICORE" that maps the info coming from our Identity Provider (https://keycloak.org) to Unity. According to the logs, that part seems to work fine. 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG unity.server.externaltranslation.MapIdentityAction:[TrProfile keycloak2UNICORE, r: 1, oauth-rp] Mapped identity: [x500Name] CN=danielfr,O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG unity.server.externaltranslation.InputTranslationRule:[TrProfile keycloak2UNICORE, r: 2] Condition OK 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG unity.server.externaltranslation.MapGroupAction:[TrProfile keycloak2UNICORE, r: 2, oauth-rp] Mapped group: /unicore/users 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG unity.server.externaltranslation.InputTranslationRule:[TrProfile keycloak2UNICORE, r: 3] Condition OK 2022-01-12T17:50:45,615 [qtp426014054-38] DEBUG unity.server.externaltranslation.MapAttributeAction:[TrProfile keycloak2UNICORE, r: 3, oauth-rp] Mapped attribute: name: [danielfr] 2022-01-12T17:50:45,616 [qtp426014054-38] DEBUG unity.server.externaltranslation.InputTranslationRule:[TrProfile keycloak2UNICORE, r: 4] Condition OK ... The problem seems to be that I also need an identity mapped to the certificate I am using. This is the part that is failing: 2022-01-12T17:50:46,166 [qtp426014054-33] DEBUG unity.server.CertificateVerificator: Checking certificate failed pl.edu.icm.unity.exceptions.IllegalIdentityValueException: No identity with value CN=bbpunicoredev.epfl.ch,O=École polytechnique fédérale de Lausanne,L=Lausanne,C=CH Maybe this identity was manually created in the prod database and I need to do something similar with the dev database. The problem now is that I cannot access the UNITY admin portal because I don't know the admin password....[sigh] Is there I way I can reset the unity admin password? I have full access to the server and the H2 database files. Thank you very very much, Daniel. ________________________________ From: Bernd Schuller <b.s...@fz...> Sent: Wednesday, January 12, 2022 5:06:43 PM To: Fernandez Rodriguez Daniel Cc: uni...@li... Subject: Re: [UNICORE-Support] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query hi Daniel, On 12.01.22 15:30, Fernandez Rodriguez Daniel via Unicore-support wrote: > Dear Unicore admins, > > > I inherited a working Unicore deployment. Unfortunately its > configuration is not documented AT ALL and the person who configured it > left the company some time ago... ah, always a bad situation, but we are here to help :-) > > > In order to learn about it I created a new server and copied over all > the files from the production server to the new one. The only thing I > changed was the certificate since the new service runs on a different > hostname. > > > But when I try to launch a job via this new unicore server I get the > following error: > > > ==> /opt/unicore/unicorex/logs/uas.log <== > 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher > VO-PULL - SAML error occured during VO server query: > eu.unicore.samly2.exceptions.SAMLResponderException: SAML service > invocation failed: Invalid user name, credential or external > authentication failed. > ... > 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error > was: eu.unicore.security.AuthorisationException: There are no accessible > targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique > federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH > Xlogin: uid: [], gids: [addingOSgroups: true] > Role: anonymous: default role > > And from the unity logs: > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) > ~[unity-server-rest-2.6.2.jar:?] > ... 45 more > 2022-01-12T14:47:01,932 [qtp426014054-33] INFO > unity.server.rest.AuthenticationInterceptor: Authentication failed for > client > 2022-01-12T14:47:01,933 [qtp426014054-33] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for > {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery > has thrown exception, unwinding now > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > > Any idea what might be happening? > > As I said the config is THE SAME we have in current prod and things are > working fine there. > UNICORE/X tries to pull user attributes (such as the "role" and Unix ID from Unity, which fails, probably due to the new UNICORE/X certificate. Did you also use a different CA? This setup with Unity as the attribute source is one of the more complex ones, but the place to check is the Unity config. Search for"unicore-soapidp" in the Unity conf directory to find the relevant file(s). I guess you could get more info by setting the Unity log level to debug. > We are running: > > * UNICORE Gateway Version 1.5.16 > * REGISTRY version 3.8.2 > * UNICORE/X version 1.9.12 > * Unity 2.6.2 (I think) these are rather old... sorry to say. (the corresponding releases are UNICORE 7.13 and Unity 2.6.2) With only a single UNICORE/X server, you probably don't need the Registry, and maybe you don't even need Unity, not sure why your predecessor went with this setup. Updating to the latest (UNICORE 8.3 and Unity 3.7) is a lot of work --- maybe a complete fresh install of Gateway, UNICORE/X and (if really needed) Unity would be good? Hope this helps! Best regards, Bernd > > > Happy to answer more questions or provide more info. > > Thank you very much, > Daniel. > > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ |
From: Bernd S. <b.s...@fz...> - 2022-01-12 16:06:56
|
hi Daniel, On 12.01.22 15:30, Fernandez Rodriguez Daniel via Unicore-support wrote: > Dear Unicore admins, > > > I inherited a working Unicore deployment. Unfortunately its > configuration is not documented AT ALL and the person who configured it > left the company some time ago... ah, always a bad situation, but we are here to help :-) > > > In order to learn about it I created a new server and copied over all > the files from the production server to the new one. The only thing I > changed was the certificate since the new service runs on a different > hostname. > > > But when I try to launch a job via this new unicore server I get the > following error: > > > ==> /opt/unicore/unicorex/logs/uas.log <== > 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher > VO-PULL - SAML error occured during VO server query: > eu.unicore.samly2.exceptions.SAMLResponderException: SAML service > invocation failed: Invalid user name, credential or external > authentication failed. > ... > 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error > was: eu.unicore.security.AuthorisationException: There are no accessible > targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique > federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH > Xlogin: uid: [], gids: [addingOSgroups: true] > Role: anonymous: default role > > And from the unity logs: > > Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: > Invalid user name, credential or external authentication failed. > at > pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) > ~[unity-server-rest-2.6.2.jar:?] > ... 45 more > 2022-01-12T14:47:01,932 [qtp426014054-33] INFO > unity.server.rest.AuthenticationInterceptor: Authentication failed for > client > 2022-01-12T14:47:01,933 [qtp426014054-33] WARN > org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for > {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery > has thrown exception, unwinding now > org.apache.cxf.interceptor.Fault: Invalid user name, credential or > external authentication failed. > > > Any idea what might be happening? > > As I said the config is THE SAME we have in current prod and things are > working fine there. > UNICORE/X tries to pull user attributes (such as the "role" and Unix ID from Unity, which fails, probably due to the new UNICORE/X certificate. Did you also use a different CA? This setup with Unity as the attribute source is one of the more complex ones, but the place to check is the Unity config. Search for"unicore-soapidp" in the Unity conf directory to find the relevant file(s). I guess you could get more info by setting the Unity log level to debug. > We are running: > > * UNICORE Gateway Version 1.5.16 > * REGISTRY version 3.8.2 > * UNICORE/X version 1.9.12 > * Unity 2.6.2 (I think) these are rather old... sorry to say. (the corresponding releases are UNICORE 7.13 and Unity 2.6.2) With only a single UNICORE/X server, you probably don't need the Registry, and maybe you don't even need Unity, not sure why your predecessor went with this setup. Updating to the latest (UNICORE 8.3 and Unity 3.7) is a lot of work --- maybe a complete fresh install of Gateway, UNICORE/X and (if really needed) Unity would be good? Hope this helps! Best regards, Bernd > > > Happy to answer more questions or provide more info. > > Thank you very much, > Daniel. > > > > > > _______________________________________________ > Unicore-support mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unicore-support > -- Dr. Bernd Schuller Federated Systems and Data, Juelich Supercomputing Centre https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html Phone: +49 246161-8736 (fax -8556) ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior ------------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------------ |
From: Fernandez R. D. <dan...@ep...> - 2022-01-12 14:31:14
|
Dear Unicore admins, I inherited a working Unicore deployment. Unfortunately its configuration is not documented AT ALL and the person who configured it left the company some time ago... In order to learn about it I created a new server and copied over all the files from the production server to the new one. The only thing I changed was the certificate since the new service runs on a different hostname. But when I try to launch a job via this new unicore server I get the following error: ==> /opt/unicore/unicorex/logs/uas.log <== 2022-01-12 14:47:00,853 [qtp1079190991-23] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query: eu.unicore.samly2.exceptions.SAMLResponderException: SAML service invocation failed: Invalid user name, credential or external authentication failed. 2022-01-12 14:47:00,854 [qtp1079190991-23] ERROR AttributeSourcesChain VO-PULL - Attribute source <class eu.unicore.uas.security.vo.SAMLPullAuthoriser> not available. 2022-01-12 14:47:00,854 [qtp1079190991-23] ERROR AttributeSourcesChain VO-PULL - The root error was: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. 2022-01-12 14:47:00,855 [qtp1079190991-23] DEBUG AttributeSourcesChain VO-PULL - Stack trace java.io.IOException: Unable to retrieve attributes from remote SAML service: eu.unicore.samly2.exceptions.SAMLResponderException: SAML service invocation failed: Invalid user name, credential or external authentication failed. ==> /opt/unicore/unicorex/logs/uas.log <== 2022-01-12 14:47:01,947 [qtp1079190991-23] ERROR VOAttributeFetcher VO-PULL - SAML error occured during VO server query: eu.unicore.samly2.exceptions.SAMLResponderException: SAML service invocation failed: Invalid user name, credential or external authentication failed. 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - Could not submit job 2022-01-12 14:47:01,973 [qtp1079190991-23] ERROR Jobs - The root error was: eu.unicore.security.AuthorisationException: There are no accessible targetsystem factories for: Name: CN=danielfr,O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH Xlogin: uid: [], gids: [addingOSgroups: true] Role: anonymous: default role And from the unity logs: Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed. at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:112) ~[unity-server-rest-2.6.2.jar:?] ... 45 more 2022-01-12T14:47:01,932 [qtp426014054-33] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client 2022-01-12T14:47:01,933 [qtp426014054-33] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://ws.idp.saml.unity.icm.edu.pl/}SAMLAssertionQueryImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AttributeQuery has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed. Any idea what might be happening? As I said the config is THE SAME we have in current prod and things are working fine there. We are running: * UNICORE Gateway Version 1.5.16 * REGISTRY version 3.8.2 * UNICORE/X version 1.9.12 * Unity 2.6.2 (I think) Happy to answer more questions or provide more info. Thank you very much, Daniel. |