Posted to user@vcl.apache.org by Michael Jinks <mj...@uchicago.edu> on 2012/09/06 07:18:09 UTC

Still struggling with Shib perms

I can log in with Shib now, and I have admin privileges, but I don't
have rights to access any computer images.

If I move Shib configs out of the way and log in as a local admin,
everything looks fine, images are available and assigned to virtual
hosts and so forth.

I've thrashed around all over the Privileges section, turning on every
privilege I can find for my own account and for the
"shib-staff@UCHICAGO" group.  Under "Privileges" -> "Additional User
Permissions", every box is checked (copied from admin@Local).  But
when I go to the "New Reservation" tab, I still get "Selection not
currently available" no matter which image I select from the dropdown.

I've adjusted the isAvailable function in utils.php to return
differentiating codes depending on which test fails.  The return code
I'm getting now points to the allocComputer function coming back empty,
but that doesn't tell me much about why that's the case, and it isn't
obvious to me how to get better debugging information from that test.

I know we ran into the same symptoms when we were trying to get local
accounts to work, but I don't remember what the fix ended up being.


-- 
Michael Jinks :: mjinks@uchicago.edu
University of Chicago IT Services

Solved, Re: bump, Re: Still struggling with Shib perms

Posted by Michael Jinks <mj...@uchicago.edu>.
Aaron generously contacted me off-list and helped me troubleshoot the
problem, which turned out to be that our virtual machines were in the
"all VM computers" group, but not in the "allComputers" group.

I'm still not sure what that mattered for Shib-backed accounts and not
for local ones, but adding them to the allComputers group fixed the
problem.  Shib-backed users can see and deploy images to VMs now.


Re: [vcl-team] Re: bump, Re: Still struggling with Shib perms

Posted by Michael Jinks <mj...@uchicago.edu>.
On Fri, Sep 07, 2012 at 01:40:58PM -0500, Michael Jinks wrote:
> 
> I just (re)discovered the "Add" box at the bottom of the "Edit"
> interface under the User Groups interface.  Added myself to our
> shib-admin@UCHICAGO group, maybe that will help...

Nope.  When I go back to the "New Reservation" page after adding
mjinks@UCHICAGO to the shib-admin group, I still get an error showing
no images available for checkout.

Something else I've just noticed, which seems new... Logged in with the
admin@Local account, if I go to Privileges, then Additional User
Permissions, and select shib-staff@UCHICAGO from the dropdown and click
"Manage User Group Permissions", three items show up checked ("Manage VM
Profiles", "Search Tools", and "View Dashboard (global)").  But if I
select "shib-admin@UCHICAGO", no boxes come up checked.  If I check all
the boxes and click "Save Selected Permissions", I don't get any error,
but the permissions don't actually save.  Reloading that account draws a
list of empty boxes again.

Argh.

Re: [vcl-team] Re: bump, Re: Still struggling with Shib perms

Posted by Michael Jinks <mj...@uchicago.edu>.
Just found something that had been right in front of my face:

On Fri, Sep 07, 2012 at 11:20:57AM -0500, Michael Jinks wrote:
> 
> Does assignment to groups happen within VCL or would that need to happen
> at the IdP?  If in VCL, I can't find the interface.

I just (re)discovered the "Add" box at the bottom of the "Edit"
interface under the User Groups interface.  Added myself to our
shib-admin@UCHICAGO group, maybe that will help...

But something else is still not quite right.  Under "Manage" ->
"Groups", the shib-admin group appears, but the shib-staff group does
not.  It does appear in the Privileges interface though.

When I try to add it, I get an error saying that a group by that name
already exists.

So, unless I can figure out how to make shib-user appear in Manage ->
Groups, I don't see a way to add users to that group, unless it happens
automatically upstream, e.g. at the IdP, e.g. seeded by Grouper or
whatever.

What am I still not seeing?

Thanks.  Sorry if I'm being dense.

Re: bump, Re: Still struggling with Shib perms

Posted by Michael Jinks <mj...@uchicago.edu>.
On Fri, Sep 07, 2012 at 01:21:59AM +0000, Aaron Coburn wrote:
> Michael,
> when a user logs in through Shibboleth, is that user added to any groups? This might be something like "shib-student@MYAFFILIATION" or "shib-staff@MYAFFILIATION". 

Well... not sure.

If I go to "Privileges", under the "User Groups" section, we have three
groups: "adminUsers@Local", "shib-admin@UCHICAGO", and
"shib-staff@UCHICAGO".  If I mouse over adminUsers@Local, I get a popup
with "admin@Local".  If I mouse over "shib-admin@UCHICAGO" I get a popup
saying "(empty group)".  If I mouse over "shib-staff@UCHICAGO" I get a
popup saying "(not authorized to view membership)".  This while logged
in as admin@Local.

Are user-specific permissions irrelevant?  I have a Shib account that
appears under the "Users" privilege list, with all the permissions boxes
checked, but it doesn't seem to get me anything other than admin
privileges.

Does assignment to groups happen within VCL or would that need to happen
at the IdP?  If in VCL, I can't find the interface.

> You should verify that you have a node in the privilege tree to which these groups will be added. 

How does that happen?

Our privilege tree is currently what comes out of the box: there's the
parent node, "VCL", and two children, "admin" and "newimages".  The
stuff I described above is all from the "VCL" node, and cascades to the
lower nodes.

> For instance, you might have two nodes: VCL/My Affiliation/Students and VCL/My Affiliation/Staff. Or, perhaps, just VCL/My Affiliation/All Users. Whatever you decide, you need to make sure that the appropriate user groups are added to that node (or nodes) and that each group has at least the imageCheckOut permission enabled.

Did my description of our priv tree above answer that or are we talking
about different things?

> Looking at the page you referenced, the only thing I would add is to make sure of two items:
> 
> For the computer group that you added to the node in the privilege tree, make sure that the actual computers defined in the VCL are mapped to that group (Go to Manage Computers -> Edit Computer Grouping)

All our computers are in the "All VM Computers" and "newvmimages"
groups, and no others.

> And second, if you go to Management Nodes -> Edit Management Node Mapping, make sure that your computer group is mapped to your management node group (e.g. "allManagementNodes"). And from Management Nodes -> Edit Management Node Grouping, make sure that your actual management node is mapped to the management node group (e.g. "allManagementNodes")

If I go to "Manage Management Nodes" -> "Edit Management Node Mapping",
I get a graph with a single row of checkboxes.  "allManagementNodes" has
ticks under "All VM Computers", "allComputers", "newimages", and
"newvmimages".

Under "Management Node Grouping", we have one node, and it's a member of
"allManagementNodes".

I think all of that was necessary to get working with local accounts.


Re: bump, Re: Still struggling with Shib perms

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,
when a user logs in through Shibboleth, is that user added to any groups? This might be something like "shib-student@MYAFFILIATION" or "shib-staff@MYAFFILIATION". 

You should verify that you have a node in the privilege tree to which these groups will be added. 

For instance, you might have two nodes: VCL/My Affiliation/Students and VCL/My Affiliation/Staff. Or, perhaps, just VCL/My Affiliation/All Users. Whatever you decide, you need to make sure that the appropriate user groups are added to that node (or nodes) and that each group has at least the imageCheckOut permission enabled.

Looking at the page you referenced, the only thing I would add is to make sure of two items:

For the computer group that you added to the node in the privilege tree, make sure that the actual computers defined in the VCL are mapped to that group (Go to Manage Computers -> Edit Computer Grouping)

And second, if you go to Management Nodes -> Edit Management Node Mapping, make sure that your computer group is mapped to your management node group (e.g. "allManagementNodes"). And from Management Nodes -> Edit Management Node Grouping, make sure that your actual management node is mapped to the management node group (e.g. "allManagementNodes")

Hope that helps,
Aaron


On Sep 6, 2012, at 6:51 PM, Michael Jinks <mj...@uchicago.edu> wrote:

> Sorry to be a pest about this, but I'm out of ideas and getting
> inquiries about the status of this issue.
> 
> I've just re-stepped through:
> 
> https://cwiki.apache.org/VCL/granting-access-to-a-new-image.html
> 
> Still no joy.  Shib accounts have no rights to check out any images.
> 
> 
> 
> On Thu, Sep 06, 2012 at 12:18:09AM -0500, Michael Jinks wrote:
>> I can log in with Shib now, and I have admin privileges, but I don't
>> have rights to access any computer images.
>> 
>> If I move Shib configs out of the way and log in as a local admin,
>> everything looks fine, images are available and assigned to virtual
>> hosts and so forth.
>> 
>> I've thrashed around all over the Privileges section, turning on every
>> privilege I can find for my own account and for the
>> "shib-staff@UCHICAGO" group.  Under "Privileges" -> "Additional User
>> Permissions", every box is checked (copied from admin@Local).  But
>> when I go to the "New Reservation" tab, I still get "Selection not
>> currently available" no matter which image I select from the dropdown.
>> 
>> I've adjusted the isAvailable function in utils.php to return
>> differentiating codes depending on which test fails.  The return code
>> I'm getting now points to the allocComputer function coming back empty,
>> but that doesn't tell me much about why that's the case, and it isn't
>> obvious to me how to get better debugging information from that test.
>> 
>> I know we ran into the same symptoms when we were trying to get local
>> accounts to work, but I don't remember what the fix ended up being.
>> 
>> 
>> -- 
>> Michael Jinks :: mjinks@uchicago.edu
>> University of Chicago IT Services
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
> University of Chicago IT Services

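Aaron's checklist above and the eventual fix (the VMs sat in "All VM Computers" but not in "allComputers") can be followed as one chain of lookups: user group, privilege-tree node with imageCheckOut, the node's computer group, its member computers, and the management node group mapping. The Python model below is an added illustration, not VCL's own code or schema; it assumes, as the fix implies, that the node's computer group was allComputers, and uses a constructed user, two constructed VMs and a constructed management node "mn1". The function and field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PrivNode:                  # one node in the VCL privilege tree (model)
    user_groups: dict = field(default_factory=dict)  # user group -> privileges
    computer_groups: set = field(default_factory=set)

@dataclass
class VclConfig:                 # constructed model, not VCL's own schema
    nodes: list
    group_members: dict          # user group -> users
    computer_members: dict       # computer group -> computers
    mn_mapping: dict             # management node group -> computer groups
    mn_members: dict             # management node group -> management nodes

def alloc_computer(cfg, user):
    """Walk the chain allocComputer must satisfy; return (computers, reason)."""
    groups = {g for g, m in cfg.group_members.items() if user in m}
    cgroups = set()
    for node in cfg.nodes:
        for g in groups:
            if "imageCheckOut" in node.user_groups.get(g, ()):
                cgroups |= node.computer_groups
    if not cgroups:
        return set(), "no node grants imageCheckOut to the user's groups"
    served = set()   # computer groups reachable via a populated management node group
    for mng, mapped in cfg.mn_mapping.items():
        if cfg.mn_members.get(mng):
            served |= mapped
    usable = cgroups & served
    if not usable:
        return set(), "node's computer group not mapped to a management node group"
    computers = set().union(*(cfg.computer_members.get(c, set()) for c in usable))
    if not computers:
        return set(), "node's computer group contains no computers"
    return computers, "ok"

def thread_scenario(vms_in_allcomputers):
    """The thread's setup: VMs in 'All VM Computers'; the node's group is 'allComputers'."""
    vms = {"vm1", "vm2"}   # constructed sample computers
    cfg = VclConfig(
        nodes=[PrivNode({"shib-staff@UCHICAGO": {"imageCheckOut"}}, {"allComputers"})],
        group_members={"shib-staff@UCHICAGO": {"mjinks@UCHICAGO"}},
        computer_members={"All VM Computers": vms, "newvmimages": vms,
                          "allComputers": vms if vms_in_allcomputers else set()},
        mn_mapping={"allManagementNodes": {"All VM Computers", "allComputers",
                                           "newimages", "newvmimages"}},
        mn_members={"allManagementNodes": {"mn1"}},
    )
    return alloc_computer(cfg, "mjinks@UCHICAGO")
```

With the VMs absent from allComputers the model returns an empty set with the reason, which is the symptom the thread reports; adding them to allComputers returns both VMs.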

bump, Re: Still struggling with Shib perms

Posted by Michael Jinks <mj...@uchicago.edu>.
Sorry to be a pest about this, but I'm out of ideas and getting
inquiries about the status of this issue.

I've just re-stepped through:

 https://cwiki.apache.org/VCL/granting-access-to-a-new-image.html

Still no joy.  Shib accounts have no rights to check out any images.



On Thu, Sep 06, 2012 at 12:18:09AM -0500, Michael Jinks wrote:
> I can log in with Shib now, and I have admin privileges, but I don't
> have rights to access any computer images.
> 
> If I move Shib configs out of the way and log in as a local admin,
> everything looks fine, images are available and assigned to virtual
> hosts and so forth.
> 
> I've thrashed around all over the Privileges section, turning on every
> privilege I can find for my own account and for the
> "shib-staff@UCHICAGO" group.  Under "Privileges" -> "Additional User
> Permissions", every box is checked (copied from admin@Local).  But
> when I go to the "New Reservation" tab, I still get "Selection not
> currently available" no matter which image I select from the dropdown.
> 
> I've adjusted the isAvailable function in utils.php to return
> differentiating codes depending on which test fails.  The return code
> I'm getting now points to the allocComputer function coming back empty,
> but that doesn't tell me much about why that's the case, and it isn't
> obvious to me how to get better debugging information from that test.
> 
> I know we ran into the same symptoms when we were trying to get local
> accounts to work, but I don't remember what the fix ended up being.
> 
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu
> University of Chicago IT Services

-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services