From: Fernandez R. D. <dan...@ep...> - 2022-07-15 14:26:09
Hello, my name is Daniel, I am an SRE working for the EPFL's BlueBrain project. I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything. There is NO documentation about what changes my colleague made, but I have access to the old running instance. In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.

This is the authentication workflow we have:
- Users get an OIDC token from Keycloak
- Use that bearer token to send a request to our Unicore REST API
- We configured Unity to use a custom translationProfile and get users' information (username)

But this is not working in the new server. All services are running (unicoreX, registry, gateway, unity, remote tsi server) but when I try to launch a job it fails.

From the UnicoreX logs I get:

********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]
Subsystems
***********
User authentication:
 * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
 * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
User mapping & user attributes: SAMLPullAuthoriser

** Note that both OAuth Bearer token and username+password point to the same endpoint. (It was like this in the current running system.)

And from Unity logs in DEBUG:

2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
-------------------------------

From the logs we can assume:
- the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
- auth fails when "using flow oauthWS"

This oauthWS flow is defined as:

unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties   <------ file containing verificationEndpoint, clientID, clientSecret, etc.

And this flow is also referenced in unicoreWithOAuthRP.module as:

unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS

---

Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Thank you,
Daniel.
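As an added example (not part of Daniel's post and not code from the UNICORE or Unity projects), here is a small Python triage script for the Unity DEBUG layout quoted above: it groups lines per Jetty request thread and reports threads where the SAML identity mapping and attribute resolution succeeded but the REST-side authentication still failed, naming the rejecting flow. The sample lines are constructed, abbreviated copies of the post's log (the DN is shortened) and the regexes assume the `timestamp [thread] [endpoint] [user] LEVEL logger: message` layout shown there.

```python
import re
from collections import defaultdict

# Unity log layout as seen in the post: timestamp [thread] [endpoint] [user] LEVEL logger: message
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[^\]]+)\] \[(?P<endpoint>[^\]]*)\] \[(?P<user>[^\]]*)\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+): (?P<msg>.*)$")
FLOW_FAIL_RE = re.compile(r"failed to authenticate the client using flow (?P<flow>\S+),")

# Constructed sample, abbreviated from the DEBUG output quoted in the post (DN shortened)
SAMPLE_LOG = [
    "2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr,O=EXAMPLE,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp]]",
    "2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], urn:unicore:attrType:xlogin[/unicore]: [danielfr]]",
    "2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154",
    "2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed",
    "2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client",
]

def triage(lines):
    """Group lines per Jetty thread (one request each) and record mapping vs. authentication outcome."""
    threads = defaultdict(lambda: {"user": None, "identity_mapped": False,
                                   "attributes_returned": False, "failed_flows": [], "auth_failed": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Unity log line in this layout; ignore
        t = threads[m["thread"]]
        if m["user"]:
            t["user"] = m["user"]
        msg = m["msg"]
        if m["logger"].endswith("AuthnResponseProcessor") and "returning identities" in msg:
            t["identity_mapped"] = True  # translation profile produced an identity
        elif "Processed attributes to be returned" in msg:
            t["attributes_returned"] = True  # role/xlogin attributes were resolved
        elif (f := FLOW_FAIL_RE.search(msg)):
            t["failed_flows"].append(f["flow"])  # which REST authentication flow rejected the client
        elif "Authentication failed for client" in msg:
            t["auth_failed"] = True
    return dict(threads)

def findings(threads):
    """One line per thread showing the post's pattern: identity mapped, yet REST authentication failed."""
    out = []
    for thread, t in threads.items():
        if t["identity_mapped"] and t["auth_failed"]:
            out.append(f"{thread}: identity for {t['user']} mapped, attributes "
                       f"{'returned' if t['attributes_returned'] else 'missing'}, but REST auth "
                       f"failed on flow(s) {', '.join(t['failed_flows']) or '?'}")
    return out
```

Running `findings(triage(SAMPLE_LOG))` on the sample gives a single finding for thread qtp1546629479-33, which is the same conclusion the post draws by hand: the mapping side works and the oauthWS flow is the place to look.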