Posted to user@vcl.apache.org by Michael Jinks <mj...@uchicago.edu> on 2012/09/04 21:34:11 UTC

Shib and user permissions, was Re: Shib docs?

Bumping this; I didn't hear anything back when I posted the message
below, about a week and a half ago.  Also, I've since discovered that
my Shib-backed account doesn't appear to have any privileges at all;
in spite of having all the permissions boxes checked, I still don't
have access to any VM images or to any but the most basic elements of
the UI.  What did I miss?

This is on VCL 2.2.1.

Thanks,
-m


On Fri, Aug 24, 2012 at 01:54:42PM -0500, Michael Jinks wrote:
> I just got back around to trying Josh's instructions for giving my Shib
> user account admin rights:
> 
> On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
> > 
> > Michael,
> > 
> > Probably the simplest thing to do is to add your shibboleth based user
> > to the adminUsers group directly in the database.  Here's what to do:
> > 
> > 1) get the id of your user:
> >    SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
> > 2) note the returned id
> > 3) get the id of the adminUsers group:
> >    SELECT id FROM usergroup WHERE name = 'adminUsers';
> > 4) note the returned id
> > 5) add a record to the usergroupmembers table:
> >    INSERT INTO usergroupmembers
> >    (userid, usergroupid) VALUES
> >    (id_from_step_2, id_from_step_4);
> > 
> > Then, your shibboleth account should have admin access (assuming you
> > left the adminUsers group having admin access).
> 
> The good news is that (with some help from our IDM folks) I have Shib
> working for my devel VCL instance, and my account is logged in currently.
> 
> The bad news is that I still don't have admin rights.  The only
> navigation links on the VCL page are "HOME", "New Reservation", "Block
> Allocation", "User Preferences", "Statistics", and "Logout".
> 
> Not sure if this is relevant or not, but when I did step 1 above, I got
> two records back instead of one:
> 
>  +----+---------+
>  | id | unityid |
>  +----+---------+
>  |  6 | mjinks  |
>  | 10 | mjinks  |
>  +----+---------+
> 
> When I tried to add them to the adminUsers group, I found that id 6 was
> already there, probably as a result of my previous efforts to get this
> working.  I added id 10 as well, but that didn't make any difference.
> 
> I'm able to use the "Logout" button and log back in as a local admin,
> thank goodness... When I go to the "Privileges" page, I find that
> "Cascade to Child Nodes" is set for the adminUsers@Local group, and
> permissions there are a Christmas tree, all boxes checked.
> 
> Any idea what else I might have missed?
> 
> Thanks as always.
> 
> --Michael

-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Wed, Sep 05, 2012 at 06:48:46PM -0500, Michael Jinks wrote:
> On Wed, Sep 05, 2012 at 08:26:46PM +0000, Aaron Coburn wrote:
> > 
> >    First, create a file, such as test.php. Its contents can be as simple
> >    as:
> >    <?php phpinfo(); ?>
> >    View that page in a browser -- you should be forced to authenticate
> >    first; verify that the shibboleth attributes are present (e.g. do a
> >    search for 'eppn').
> 
> Argh.  No 'eppn'; and, the test step from:
> 
>  http://people.apache.org/~acoburn/shibboleth.html
> 
> ...no longer works either.  'test.php' shows every value as "Undefined".
> So it looks like our relationship with our IdP has fallen apart for some
> reason in the past couple of weeks.  Great.  Odd that authN still works
> at all.

Nope, I'm an idiot; my apache shib configs weren't checked into our
configuration management system, so they got reverted back to a
partially-configured SP.

Fixed that, revisited the Privileges section, now my shib-backed account
has admin privs, but the "New Reservation" section still says "Selection
not currently available" for all our system images.  This problem rings
a bell, so I'll revisit the steps I took to get things working in the
first place and if I have trouble I'll post again under separate cover.

Thanks Aaron.

-m


-- 
Michael Jinks :: mjinks@uchicago.edu
University of Chicago IT Services

Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Wed, Sep 05, 2012 at 08:26:46PM +0000, Aaron Coburn wrote:
> 
>    First, create a file, such as test.php. Its contents can be as simple
>    as:
>    <?php phpinfo(); ?>
>    View that page in a browser -- you should be forced to authenticate
>    first; verify that the shibboleth attributes are present (e.g. do a
>    search for 'eppn').

Argh.  No 'eppn'; and, the test step from:

 http://people.apache.org/~acoburn/shibboleth.html

...no longer works either.  'test.php' shows every value as "Undefined".
So it looks like our relationship with our IdP has fallen apart for some
reason in the past couple of weeks.  Great.  Odd that authN still works
at all.

Time to talk to our IdM folks.  Thanks for the help.

-m

Re: Shib and user permissions, was Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,
You can start by deleting userid 11 from the database.

It looks to me as though the Shib attributes are not being properly passed into the VCL. I would start by performing a test in your shibauth directory:

First, create a file, such as test.php. Its contents can be as simple as:

<?php phpinfo(); ?>

View that page in a browser -- you should be forced to authenticate first; verify that the shibboleth attributes are present (e.g. do a search for 'eppn').

If that proves to be OK, then login to the VCL through your IdP

At this point, check the database to see what values were just added to the users table. You should have a proper value in unityid, and affiliationid should not be 1. You should also have values in firstname and lastname.

If that is all OK, then login as admin@Local (restart your browser first), adding this new user to the adminUsers@Local group (from the Manage Groups menu)

Now logout and log back in through your IdP. At this point, you should have the appropriate privileges.

Let me know if any of those steps fail.

BTW, the privilege tree you described is perfectly fine -- I just have mine organized differently.

Aaron



--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu
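The database checks Josh and Aaron describe above (the duplicate unityid rows, the empty row VCL creates when no Shibboleth attributes arrive, and adminUsers membership), as an added example that is not VCL's own code. The SQL inside uses only the tables and columns quoted in this thread and runs against VCL's MySQL with the `?` placeholder substituted; here it is exercised against an in-memory SQLite copy loaded with constructed rows mirroring the thread (adminUsers assumed to have id 1, sample affiliation ids are invented).

```python
"""Database checks for a Shibboleth-backed VCL user (added example, not VCL code).

The SQL uses only the tables and columns quoted in this thread (user,
usergroup, usergroupmembers) and runs unchanged against VCL's MySQL; here it
is exercised against an in-memory SQLite copy loaded with constructed rows.
"""
import sqlite3

SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, unityid TEXT, affiliationid INTEGER,
                   firstname TEXT, lastname TEXT);
CREATE TABLE usergroup (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE usergroupmembers (userid INTEGER, usergroupid INTEGER);
"""

# Constructed rows mirroring the thread: two 'mjinks' rows from different
# affiliations (ids invented), the '@' row created by a login that carried no
# Shibboleth attributes, and an adminUsers group (assumed id 1) holding only id 6.
SAMPLE = """
INSERT INTO user VALUES (6,  'mjinks', 3, 'Michael', 'Jinks');
INSERT INTO user VALUES (10, 'mjinks', 0, 'Michael', 'Jinks');
INSERT INTO user VALUES (11, '@',      1, '',        '');
INSERT INTO usergroup VALUES (1, 'adminUsers');
INSERT INTO usergroupmembers VALUES (6, 1);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def duplicate_unityids(conn):
    """Rows whose unityid occurs more than once (Josh's step 1 returning two
    ids instead of one), with the affiliation each copy belongs to."""
    return conn.execute("""
        SELECT id, unityid, affiliationid FROM user
        WHERE unityid IN (SELECT unityid FROM user GROUP BY unityid HAVING COUNT(*) > 1)
        ORDER BY unityid, id""").fetchall()

def broken_shib_rows(conn):
    """Rows created by a login whose attributes never arrived: no real unityid
    or blank names. affiliationid is returned so it can be compared with
    Aaron's note that a Shibboleth user's affiliationid must not be 1."""
    return conn.execute("""
        SELECT id, unityid, affiliationid FROM user
        WHERE unityid = '' OR unityid LIKE '@%'
           OR COALESCE(firstname, '') = '' OR COALESCE(lastname, '') = ''
        ORDER BY id""").fetchall()

def admin_members(conn):
    """(id, unityid) of every user actually in adminUsers."""
    return conn.execute("""
        SELECT u.id, u.unityid FROM user u
        JOIN usergroupmembers m ON m.userid = u.id
        JOIN usergroup g ON g.id = m.usergroupid
        WHERE g.name = 'adminUsers' ORDER BY u.id""").fetchall()

def rows_not_in_admin(conn, unityid):
    """ids for a unityid that are NOT in adminUsers: if the Shibboleth login
    resolves to one of these, the privilege tree grants nothing, however the
    adminUsers@Local boxes look."""
    return [r[0] for r in conn.execute("""
        SELECT u.id FROM user u WHERE u.unityid = ? AND u.id NOT IN (
            SELECT m.userid FROM usergroupmembers m
            JOIN usergroup g ON g.id = m.usergroupid WHERE g.name = 'adminUsers')
        ORDER BY u.id""", (unityid,)).fetchall()]
```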








Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Tue, Sep 04, 2012 at 09:18:46PM +0000, Aaron Coburn wrote:
> 
> There are a number of possibilities here, but first you should investigate why there are two unityid values for mjinks. Presumably those are from different affiliations?

Yeah.  The first was probably created while we were using direct LDAP
for authN, and the second appeared with the addition of Shib.  I did add
both id's to the adminUsers group, no luck.

> (You may want to consider removing one of those accounts from the database).

I've now done that; see below for an account of the results.

> And are you certain that, when you login via Shibboleth, that the active userid (i.e. 6 or 10 in your case) is the same as the userid that you added to the adminUsers group?

Yep; added both to be sure.

> Also, you need to make sure that the adminUsers group has been added to the privilege tree properly within the VCL. For that, login as the admin@Local user, then go to "Privileges" and select the "VCL" node in the privilege tree. The "adminUsers@Local" group should be listed under "Users". If it isn't, add it and make sure that the privileges cascade.

Well, this is fun...

If I select the "VCL" node itself, I don't see any adminUsers@Local
under "User Groups".  If I select the "admin" node directly beneath VCL,
then adminUsers@Local does appear under "User Groups", with all
privileges checked including "Cascade to Child Nodes".

> If that doesn't lead to anything, I would recommend verifying that the $authMechs configuration is correct.

I'll paste my complete authMechs section below.

But first: I deleted both 'mjinks' records from the user table (after
removing their foreign key dependencies).  Then I re-visited my
management node's web UI with a live Shib cookie.  Now, when I look
through the user table, there's no mjinks, but there is a new record
created when I came to the UI, and it's clearly wrong:

mysql> select id, unityid, affiliationid, firstname, lastname from user where id='11';
+----+---------+---------------+-----------+----------+
| id | unityid | affiliationid | firstname | lastname |
+----+---------+---------------+-----------+----------+
| 11 | @       |             1 |           |          |
+----+---------+---------------+-----------+----------+
1 row in set (0.00 sec)


Any idea what might be causing this?

I'm starting to wonder if I just need to start over, yet again, with a
blank database.

Anyhow, here's our complete authMechs stanza, kruft and all:

$authMechs = array(
  // "redirect" mechanism: hands the login off to the Shibboleth SP, which sends
  // the user back to /shibauth with the attributes it received from the IdP
  "UChicago Single Sign-On" => array(
    "type" => "redirect",
    "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
    "affiliationid" => 0,
    "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
  // "local" mechanism: accounts stored in VCL's own user table (e.g. admin@Local)
  "Local Account" => array(
    "type" => "local",
    "affiliationid" => 1,
    "help" => "You probably don't want \"Local Account\" unless you are an administrator of the VCL system."),
  // "ldap" mechanism: direct bind against the campus directory; attribute names
  // below map LDAP attributes onto VCL's user columns
  "CNet-Example" => array(
    "type" => "ldap",
    "server" => "ldap.uchicago.edu",
    "binddn" => "ou=people,dc=uchicago,dc=edu",
    "userid" => "uid=%s,ou=people,dc=uchicago,dc=edu",
    "unityid" => "uid",
    "firstname" => "givenName",
    "lastname" => "sn",
    "email" => "mail",
    "defaultemail" => "@uchicago.edu",
    #"lookupuserbeforeauth" => 1,
    #"lookupuserfield" => "uid",
    #"masterlogin" => "",
    #"masterpwd" => "",
    "affiliationid" => 3,
    "help" => "The \"CNet-Example\" option is for testing and will probably go away in the future."),
);







-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib and user permissions, was Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,

There are a number of possibilities here, but first you should investigate why there are two unityid values for mjinks. Presumably those are from different affiliations? (You may want to consider removing one of those accounts from the database). And are you certain that, when you login via Shibboleth, that the active userid (i.e. 6 or 10 in your case) is the same as the userid that you added to the adminUsers group? Also, you need to make sure that the adminUsers group has been added to the privilege tree properly within the VCL. For that, login as the admin@Local user, then go to "Privileges" and select the "VCL" node in the privilege tree. The "adminUsers@Local" group should be listed under "Users". If it isn't, add it and make sure that the privileges cascade.

If that doesn't lead to anything, I would recommend verifying that the $authMechs configuration is correct.

Aaron



--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu





