From: Fernandez R. D. <dan...@ep...> - 2022-07-27 17:01:13
Dear Krzysztof and all,

Thanks a lot for your answer, I think I made some progress.

Long story short, the reason why I could not connect from Unicore to Unity was that the UNICORE/X certificate I am using does not have a CN set (apparently certbot does not set a CN, https://github.com/certbot/certbot/issues/6463#issuecomment-435151087, so there is nothing I can do...). Because of this, the server's DN extracted from the certificate was empty and therefore Unity was throwing an "Authentication failed" error (more info: https://unicore-docs.readthedocs.io/en/latest/admin-docs/unicorex/manual.html#saml-pull-and-unicore-basic-case).

So, to work around this, I created a Unity local user "test-user" and assigned it the "Privileged Inspector" role. I specify this user and its password in the unicorex/vo.config file, and now there is no error anymore from UnicoreX about connecting to Unity's attribute source. Yay!

External connections
********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
VO-PULL attribute source: OK [VO-PULL connected to https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

But still, when I try to run a job via Unicore I get "Access is denied. The operation getPreference requires 'read' capability" in the Unity logs.
==> /opt/unity/logs/unity-server.log <==
2022-07-27T18:44:14,247 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [] INFO unity.server.authn.SessionManagementImpl: Created a new session c1c531fe-d09b-4992-887d-ef0844968aa7 for logged entity danielfr (5) in realm defaultRealm
2022-07-27T18:44:14,324 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-27T18:44:15,722 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [test-user] WARN unity.server.web.IdPPreferences: It was impossible to establish preferences for [x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH for https://bbpcb133.bbp.epfl.ch:8080/BB5-CSCS@defaultRealm will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
-------------------------------

Any idea what else I need to do?

Thank you very much,
Daniel.

________________________________
From: Krzysztof Benedyczak <kb...@un...>
Sent: Monday, July 18, 2022 5:55:31 PM
To: Fernandez Rodriguez Daniel; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.

Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:

Hello, my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.
I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything. There is NO documentation about the changes my colleague made, but I have access to the old running instance.

In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.

This is the authentication workflow we have:
- Users get an OIDC token from Keycloak
- Use that bearer token to send a request to our Unicore REST API
- We configured Unity to use a custom translationProfile and get users' information (username)

But this is not working in the new server; all services are running (unicoreX, registry, gateway, unity, remote tsi server) but when I try to launch a job it fails.

From the UnicoreX logs I get:

********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

Subsystems
***********
User authentication:
* Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
* Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
User mapping & user attributes: SAMLPullAuthoriser

** Note that both OAuth Bearer token and username+password point to the same endpoint. (It was like this in the current running system.)

And from Unity logs in DEBUG:

2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
-------------------------------

From the logs we can assume:
- the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
- auth fails when "using flow oauthWS"

This oauthWS flow is defined as:

unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties   <------ file containing verificationEndpoint, clientID, clientSecret, etc.

And this flow is also referenced in unicoreWithOAuthRP.module as:

unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS

---

Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token for the failing request in the header. The UNICORE client config should be checked (or UNICORE support contacted, although Bernd might be on this list as well).

2. Unity gets the token, but fails to verify it. I'd try first to enable TRACE logging for the oauth facility on Unity and also try to look into the Keycloak logs. If we are right then something is failing there; hopefully the logs will give some clue. Essentially Unity should contact Keycloak to check whether the access token issued from Keycloak is genuine.

Best,
Krzysztof
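Added example (editor's code, not part of the thread and not UNICORE or Unity code): a pure-Python check for the condition Daniel hit, an X.509 subject that carries no CN, so the DN a relying party derives from the certificate comes out empty. It walks the DER encoding of a Certificate down to the subject Name and reports the RDNs. The Name values and the unsigned certificate skeleton at the bottom are constructed here for the demonstration (the EPFL subject is shortened to C/O/CN); pem_to_der lets the same check run against a real certificate file such as a certbot fullchain.pem.

```python
"""Report whether an X.509 subject contains a CN (pure-Python DER walk, stdlib only)."""
import base64
import re

# Attribute types usually seen in a UNICORE-style DN (RFC 4519 short names).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}


def read_tlv(buf, pos):
    """Decode one DER tag/length/value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value, raw_tlv) for every element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, end = read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end


def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(name_der):
    """RDNs of a DER Name as [(attr, value), ...] in encoding order."""
    tag, rdn_seq, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for _, rdn, _ in children(rdn_seq):                 # RelativeDistinguishedName ::= SET
        for _, atv, _ in children(rdn):                 # AttributeTypeAndValue ::= SEQUENCE
            (_, oid, _), (_, val, _) = list(children(atv))
            oid_str = decode_oid(oid)
            attrs.append((OID_NAMES.get(oid_str, oid_str), val.decode("utf-8")))
    return attrs


def dn_string(name_der):
    """RFC 2253-style string, most specific RDN first, the way Unity logs a DN."""
    return ",".join(f"{k}={v}" for k, v in reversed(parse_name(name_der)))


def has_cn(name_der):
    return any(k == "CN" for k, _ in parse_name(name_der))


def subject_from_cert_der(cert_der):
    """Raw subject Name TLV of a DER Certificate, following the RFC 5280 field order."""
    _, cert, _ = read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                       # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][2]                                 # serial, sigalg, issuer, validity, subject


def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----|\s", "", pem_text)
    return base64.b64decode(body)


# --- constructed sample data for the demonstration (hypothetical, not from the thread) ---
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n])   # samples stay below 256 bytes
    return bytes([tag]) + length + body


def _rdn(oid, text, string_tag=0x0C):                   # 0x0C UTF8String, 0x13 PrintableString
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode())))


# Shortened form of the subject Unity logs for the user: C=CH, O=EPFL, CN=danielfr.
NAME_WITH_CN = tlv(0x30, _rdn(b"\x55\x04\x06", "CH", 0x13)
                   + _rdn(b"\x55\x04\x0a", "EPFL")
                   + _rdn(b"\x55\x04\x03", "danielfr"))
NAME_EMPTY = tlv(0x30, b"")                              # empty subject, SAN-only certbot style


def fake_cert(subject):
    """Unsigned certificate skeleton with RFC 5280 field order; for exercising the parser only."""
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))                # version v3
           + tlv(0x02, b"\x01")                          # serialNumber
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + NAME_WITH_CN                                # issuer
           + tlv(0x30, b"")                              # validity (left empty here)
           + subject)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, cert in (("with CN", fake_cert(NAME_WITH_CN)), ("certbot-style", fake_cert(NAME_EMPTY))):
        subj = subject_from_cert_der(cert)
        print(f"{label}: DN='{dn_string(subj)}' has_cn={has_cn(subj)}")
```

On a real file, `has_cn(subject_from_cert_der(pem_to_der(open("cert.pem").read())))` gives the same answer as eyeballing `openssl x509 -in cert.pem -noout -subject`; a `subject=` line with nothing after it is the empty-DN case that made the SAML pull fail.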