From: Fernandez R. D. <dan...@ep...> - 2022-07-15 14:26:09
Hello, my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.

I inherited a VERY old UNICORE+UNITY (7.13 and Unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything. There is NO documentation about what changes my colleague made, but I have access to the old running instance.

In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.

This is the authentication workflow we have:
- Users get an OIDC token from Keycloak
- Use that bearer token to send a request to our Unicore REST API
- We configured Unity to use a custom translationProfile and get user information (username)

But this is not working in the new server: all services are running (UnicoreX, registry, gateway, Unity, remote TSI server) but when I try to launch a job it fails.

From the UnicoreX logs I get:

  ********************
  Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
  VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
  Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
  TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

  Subsystems
  ***********
  User authentication:
  * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
  * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
  User mapping & user attributes: SAMLPullAuthoriser

** Note that both OAuth Bearer token and username+password point to the same endpoint (it was like this in the currently running system).

And from the Unity logs in DEBUG:

  2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
  2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
  2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
  2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
  2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
  2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
  2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
  -------------------------------

From the logs we can assume:
- the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
- auth fails when "using flow oauthWS"

This oauthWS flow is defined as:

  unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
  unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
  unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties   <------ file containing verificationEndpoint, clientID, clientSecret, etc.

And this flow is also referenced in unicoreWithOAuthRP.module as:

  unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS

---

Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Thank you,
Daniel.
From: Krzysztof B. <kb...@un...> - 2022-07-18 15:55:52
Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Hello, my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.
>
> I inherited a VERY old UNICORE+UNITY (7.13 and Unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything. There is NO documentation about what changes my colleague made, but I have access to the old running instance.
>
> In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.
>
> This is the authentication workflow we have:
> - Users get an OIDC token from Keycloak
> - Use that bearer token to send a request to our Unicore REST API
> - We configured Unity to use a custom translationProfile and get user information (username)
>
> But this is not working in the new server: all services are running (UnicoreX, registry, gateway, Unity, remote TSI server) but when I try to launch a job it fails.
>
> From the UnicoreX logs I get:
>
>   ********************
>   Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
>   VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
>   Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
>   TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]
>
>   Subsystems
>   ***********
>   User authentication:
>   * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
>   * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
>   User mapping & user attributes: SAMLPullAuthoriser
>
> ** Note that both OAuth Bearer token and username+password point to the same endpoint (it was like this in the currently running system).
>
> And from the Unity logs in DEBUG:
>
>   2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
>   2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
>   2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
>   2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
>   2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
>   2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
>   2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
>   -------------------------------
>
> From the logs we can assume:
> - the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
> - auth fails when "using flow oauthWS"
>
> This oauthWS flow is defined as:
>
>   unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
>   unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
>   unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties   <------ file containing verificationEndpoint, clientID, clientSecret, etc.
>
> And this flow is also referenced in unicoreWithOAuthRP.module as:
>
>   unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS
>
> ---
>
> Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token for the failing request in the header. UNICORE client config should be checked (or UNICORE support contacted, although Bernd might be on this list as well).
2. Unity gets the token, but fails to verify it. I'd try first to enable TRACE logging for the oauth facility on Unity and also try to look into Keycloak logs. If we are right then something is failing there, hopefully logs will give some clue.

Essentially Unity should contact Keycloak to check whether the access token issued from Keycloak is genuine.

Best,
Krzysztof
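The two cases Krzysztof lists can be checked by hand before digging into Unity's TRACE logs. The following is an added example in Python, not code from Unity, UNICORE or the thread: it pulls the token out of the Authorization header (case 1), decodes the JWT claims without verifying them so that an expired token or a wrong issuer is obvious (case 2, cheap part), and then performs an RFC 7662 token introspection request of the kind an OAuth RP like Unity's oauth-rp authenticator makes with its configured verificationEndpoint, clientID and clientSecret (case 2, authoritative part). The Keycloak realm URL, the client credentials and the sample token are constructed assumptions, and the introspection endpoint is faked in-process so the demo runs offline; pass a real transport (or none) to query an actual Keycloak.

```python
"""Added example (not Unity's or UNICORE's code): triage a Bearer-token request
that Unity rejects.

  1. No token reaches Unity        -> inspect the Authorization header.
  2. Token reaches Unity but fails -> look at the (unverified) JWT claims for
     obvious problems, then ask the issuer's RFC 7662 introspection endpoint
     whether the token is active, as an OAuth RP does with its configured
     verificationEndpoint / clientID / clientSecret.

The realm URL, client credentials and sample token are assumptions.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

Transport = Callable[[urllib.request.Request], bytes]

ISSUER = "https://keycloak.example.org/realms/bbp"                    # assumed
INTROSPECT_URL = ISSUER + "/protocol/openid-connect/token/introspect"  # Keycloak's RFC 7662 path


def extract_bearer(headers: dict) -> Optional[str]:
    """Case 1: return the token from 'Authorization: Bearer <token>', else None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT checking the signature: triage only,
    never an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_unb64url(parts[1]))


def triage_claims(claims: dict, expected_issuer: str, now: Optional[float] = None) -> list:
    """Reasons a verifier would reject these claims even with a valid signature."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != configured {expected_issuer!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("expired (exp <= now)")
    if "nbf" in claims and claims["nbf"] > now:
        problems.append("not yet valid (nbf > now)")
    return problems


def introspect(token: str, client_id: str, client_secret: str,
               endpoint: str = INTROSPECT_URL, transport: Optional[Transport] = None) -> dict:
    """Case 2: RFC 7662 token introspection; the RP authenticates with HTTP Basic."""
    transport = transport or (lambda req: urllib.request.urlopen(req, timeout=10).read())
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(endpoint, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    return json.loads(transport(req))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed demo token (alg=none, empty signature). Never accept alg=none."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def fake_keycloak(active_token: str) -> Transport:
    """Offline stand-in for the introspection endpoint: exactly one token is active."""
    def transport(req: urllib.request.Request) -> bytes:
        if not (req.get_header("Authorization") or "").startswith("Basic "):
            return json.dumps({"error": "invalid_client"}).encode()
        form = urllib.parse.parse_qs(req.data.decode())
        active = form.get("token", [""])[0] == active_token
        return json.dumps({"active": active, **({"username": "danielfr"} if active else {})}).encode()
    return transport


if __name__ == "__main__":
    good = make_unsigned_jwt({"iss": ISSUER, "sub": "danielfr", "exp": time.time() + 300})
    token = extract_bearer({"Authorization": "Bearer " + good})
    print("claim problems:", triage_claims(unverified_claims(token), ISSUER))
    print("introspection :", introspect(token, "unity", "s3cret", transport=fake_keycloak(good)))
```

If `extract_bearer` returns None for the request the UNICORE client sends, you are in case 1 and the client configuration is the place to look; if the claims triage is clean but introspection returns `{"active": false}` or an `invalid_client` error, the problem is on the Keycloak side (token revoked or expired, or the RP's client ID/secret in remoteOAuth-RP.properties not matching the Keycloak client).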
From: Fernandez R. D. <dan...@ep...> - 2022-07-27 17:01:13
Dear Krzysztof and all,

Thanks a lot for your answer, I think I made some progress.

Long story short, the reason why I could not connect from Unicore to Unity was because the UNICORE/X certificate I am using does not have a CN set (apparently certbot does not set a CN, https://github.com/certbot/certbot/issues/6463#issuecomment-435151087, so there is nothing I can do...). Because of this, the server's DN extracted from the certificate was empty and therefore Unity was throwing an "Authentication failed" error. (More info: https://unicore-docs.readthedocs.io/en/latest/admin-docs/unicorex/manual.html#saml-pull-and-unicore-basic-case)

So, to work around this, I created a Unity local user "test-user" and assigned it the "Privileged Inspector" role. I specify this user and its password in the unicorex/vo.config file, and now there is no error anymore from UnicoreX about connecting to Unity's attribute source. Yay!

  External connections
  ********************
  Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
  Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
  VO-PULL attribute source: OK [VO-PULL connected to https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService]
  TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

But still when I try to run a job via Unicore I get "Access is denied. The operation getPreference requires 'read' capability" in the Unity logs.

  ==> /opt/unity/logs/unity-server.log <==
  2022-07-27T18:44:14,247 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [] INFO unity.server.authn.SessionManagementImpl: Created a new session c1c531fe-d09b-4992-887d-ef0844968aa7 for logged entity danielfr (5) in realm defaultRealm
  2022-07-27T18:44:14,324 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
  2022-07-27T18:44:15,722 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [test-user] WARN unity.server.web.IdPPreferences: It was impossible to establish preferences for [x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH for https://bbpcb133.bbp.epfl.ch:8080/BB5-CSCS@defaultRealm will use defaults
  pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
  -------------------------------

Any idea what else I need to do?

Thank you very much,
Daniel.

________________________________
From: Krzysztof Benedyczak <kb...@un...>
Sent: Monday, July 18, 2022 5:55:31 PM
To: Fernandez Rodriguez Daniel; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.
From: Fernandez R. D. <dan...@ep...> - 2022-07-28 09:03:38
Dear all,

Ok so my problem was that I assigned "Privileged Inspector" to sys:AuthorizationRole for my user "test-user" but I did it within the /unicore/users group and not in Root (/). After that, the mapping works \o/

  -----------------------------
  Identities:
  - MappedIdentity [mode=CREATE_OR_MATCH, identity=IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null], credentialRequirement=Certificate requirement]
  Attributes:
  - MappedAttribute [mode=CREATE_OR_UPDATE, attribute=name[/]: [danielfr]]
  - MappedAttribute [mode=CREATE_OR_UPDATE, attribute=urn:unicore:attrType:xlogin[/unicore]: [danielfr]]
  Groups:
  - /unicore/users

Thank you very much for your help,
Daniel.

________________________________
From: Fernandez Rodriguez Daniel
Sent: Wednesday, July 27, 2022 7:00:57 PM
To: Krzysztof Benedyczak; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.
From: Krzysztof B. <kb...@un...> - 2022-08-01 11:12:15
Hi Daniel,

On 28.07.2022 at 11:03, Fernandez Rodriguez Daniel wrote:
> Dear all,
>
> Ok so my problem was that I assigned "Privileged Inspector" to sys:AuthorizationRole for my user "test-user" but I did it within the /unicore/users group and not in Root (/). After that, the mapping works \o/
>
>   -----------------------------
>   Identities:
>   - MappedIdentity [mode=CREATE_OR_MATCH, identity=IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null], credentialRequirement=Certificate requirement]
>   Attributes:
>   - MappedAttribute [mode=CREATE_OR_UPDATE, attribute=name[/]: [danielfr]]
>   - MappedAttribute [mode=CREATE_OR_UPDATE, attribute=urn:unicore:attrType:xlogin[/unicore]: [danielfr]]
>   Groups:
>   - /unicore/users
>
> Thank you very much for your help,
> Daniel.

Cool, that big upgrade surely was pretty involved. Should be way smoother from now on.

Best,
Krzysztof