From: Krzysztof B. <kb...@un...> - 2022-07-18 15:55:52

Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Hello,
>
> my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.
>
> I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from
> a colleague who left months ago, and now I am trying to replace it with
> a new instance running a more up-to-date version of everything.
>
> There is NO documentation about what changes my colleague made, but I
> have access to the old running instance.
>
> In the new server I am running the latest version of all packages:
> unicore-servers-8.3.0-p2 and Unity 3.9.1.
>
> This is the authentication workflow we have:
>
> - Users get an OIDC token from Keycloak
> - Use that bearer token to send a request to our UNICORE REST API
> - We configured Unity to use a custom translationProfile and get users'
>   information (username)
>
> But this is not working in the new server; all services are running
> (unicoreX, registry, gateway, unity, remote tsi server) but when I try
> to launch a job it fails.
>
> From the UnicoreX logs I get:
>
> ********************
> Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
> VO-PULL attribute source: CAN'T CONNECT [ERROR:
> org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential
> or external authentication failed.
> ]
> Registry: OK [connected to
> https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry
> ]
> TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS
> listens on port 7654]]
>
> Subsystems
> ***********
> User authentication:
> * Unity with OAuth Bearer token
> [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> * Unity with username+password
> [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> User mapping & user attributes: SAMLPullAuthoriser
>
> *Note* that both OAuth Bearer token and username+password point to the
> same endpoint. (It was like this in the currently running system.)
>
> And from Unity logs in DEBUG:
>
> 2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] DEBUG
> unity.server.saml.AuthnResponseProcessor: Requested identity
> urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to
> x500Name, returning identities: [IdentityParam [[x500Name]
> CN=danielfr, O=Ecole polytechnique federale de Lausanne
> (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE,
> remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo
> [confirmed=false, confirmationDate=0, sentRequestAmount=0],
> metadata=null]]
> 2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] INFO
> unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam
> [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne
> (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE,
> remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo
> [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
> 2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] DEBUG
> unity.server.saml.BaseResponseProcessor: Processed attributes to be
> returned:
> [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr],
> urn:unicore:attrType:xlogin[/unicore]: [danielfr],
> memberOf[/]: [/, /unicore, /unicore/users]]
> 2022-07-15T15:05:13,497
> [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL,
> (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG
> unicore.connections.SecuredServerConnector: Connection attempt from
> 10.80.65.154
> 2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] DEBUG
> unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154
> request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] DEBUG
> unity.server.rest.AuthenticationInterceptor: Authentication set failed
> to authenticate the client using flow oauthWS, will try another:
> pl.edu.icm.unity.engine.api.authn.AuthenticationException:
> AuthenticationProcessorImpl.authnFailed
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML
> service for REST queries] [danielfr] INFO
> unity.server.rest.AuthenticationInterceptor: Authentication failed for
> client
>
> -------------------------------
>
> From the logs we can assume:
> - the translation profile works and it is able to map my username
>   (danielfr) from the OIDC token to the x509 identity
> - auth fails when "using flow oauthWS"
>
> This oauthWS flow is defined as:
>
> unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
> unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
> unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties
> <------ file containing verificationEndpoint, clientID, clientSecret, etc.
>
> And this flow is also referenced in unicoreWithOAuthRP.module as:
>
> unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS
>
> ---
>
> Can you please help me with this? I can of course provide more
> detailed information or try to answer any question.
> I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token for the failing request in the header. The UNICORE
   client config should be checked (or UNICORE support contacted, although
   Bernd might be on this list as well).
2. Unity gets the token, but fails to verify it. I'd try first to enable
   TRACE logging for the oauth facility on Unity and also try to look into
   Keycloak logs. If we are right then something is failing there; hopefully
   the logs will give some clue.

Essentially Unity should contact Keycloak to check whether the access token
issued from Keycloak is genuine.

Best,
Krzysztof
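Case 2 above (Unity receives the bearer token but the verification against Keycloak fails) can be reproduced by hand, outside Unity, so that a rejected token is seen directly rather than inferred from "Authentication set failed to authenticate the client using flow oauthWS". The script below is an added example written for this page; it is not code from the thread, from Unity, UNICORE or Keycloak. It first decodes the access token's claims locally (signature *not* verified, purely to see exp/nbf/iss/sub) and then sends an RFC 7662 token-introspection request authenticated with the same clientID/clientSecret pair that remoteOAuth-RP.properties holds. Assumptions: the Keycloak realm name, hostname, client id and secret used in the usage are placeholders, and the introspection URL pattern `/realms/<realm>/protocol/openid-connect/token/introspect` is Keycloak's standard one (older deployments prefix it with `/auth`); whether Unity's oauth-rp authenticator is configured to call this endpoint or the userinfo endpoint depends on the `verificationEndpoint` value in that properties file, so compare against it.

```python
"""Manual check of a Keycloak access token as an OAuth RP would verify it.

Added example for this page, not Unity/UNICORE/Keycloak code.  Hostnames,
realm, client id and secret below are placeholders (assumptions).
"""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWS *without* verifying the signature.

    Inspection only: this shows what the RP will see, not whether the
    issuer still considers the token valid (that is what introspection is for).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_basic_claims(claims: dict, now=None) -> list:
    """Cheap local checks that explain many 'external authentication failed'
    errors before the introspection endpoint is even contacted."""
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append("token expired %ds ago" % int(now - exp))
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        problems.append("token not yet valid (nbf in the future, check clock skew)")
    if "sub" not in claims:
        problems.append("no sub claim")
    return problems


def build_introspection_request(endpoint: str, token: str,
                                client_id: str, client_secret: str):
    """RFC 7662 introspection request as a confidential client sends it:
    form-encoded body, client authenticated with HTTP Basic."""
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    cred = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode("ascii")
    headers = {
        "Authorization": "Basic " + cred,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return endpoint, headers, body


def introspect(endpoint: str, token: str, client_id: str,
               client_secret: str, timeout: float = 10) -> dict:
    """Send the introspection request; {"active": false} means the issuer
    rejects the token, which is exactly the failure an RP would report."""
    url, headers, body = build_introspection_request(endpoint, token, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s." % (header, payload)


def main(argv):
    # Usage: python check_token.py <access_token> [introspection_url client_id client_secret]
    token = argv[1]
    claims = decode_jwt_claims(token)
    print("claims:", json.dumps(claims, indent=2))
    print("local problems:", check_basic_claims(claims) or "none")
    if len(argv) == 5:
        # e.g. https://keycloak.example.org/realms/bbp/protocol/openid-connect/token/introspect
        print("introspection:", introspect(argv[2], token, argv[3], argv[4]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the same token the UNICORE client sends (copied from the `Authorization: Bearer` header, or freshly obtained from Keycloak) and the clientID/clientSecret from remoteOAuth-RP.properties. An expired token or a skewed clock shows up in the local checks; `{"active": false}` from introspection means Keycloak itself rejects the token (wrong realm, revoked session, or a client that is not allowed to introspect), and Unity's TRACE logging should show the same answer. If introspection returns `active: true` but Unity still fails, the problem is on the Unity side (wrong `verificationEndpoint`, TLS trust to Keycloak) or the token never reaches Unity at all (case 1).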