Opencast Studio via Moodle Upload issues

[Ravishel Naicker]

Hi

I have configured the Moodle plugin and Opencast (8.5).  Features such as uploading of videos, creating series, changing metadata, visibility etc is working fine with lecturer account.

I can record videos with "Record Video" from Moodle, users are authenticated correctly. The issues arises uploading the  video.

With admin account on Moodle i can upload the videos with no issues but when a lecturer tries to upload video after recording on Studio it gets error "Upload failed: an unexpected response was returned."

Though i get that error, the video is uploaded to Opencast and is directly sent to FINISHED, without being processed/published. When i check the details, i can see the video file but under workflow there isn't any.

Note: I have un-commented and given all access which by default was there for instructor on org.opencastproject.security.lti.LtiLaunchAuthenticationHandler.cfg. 

The logs as the following (part that gives error) , attached is the full logs from the moment i click on the record button. 

Caused by: org.opencastproject.security.api.UnauthorizedException: Not allowed to set property on episode 85b234ba-6e4c-48ec-8d89-8adcc0b3c1bb

        at org.opencastproject.assetmanager.impl.AssetManagerWithSecurity.setProperty(AssetManagerWithSecurity.java:125) ~[?:?]

        at org.opencastproject.assetmanager.impl.OsgiAssetManager.setProperty(OsgiAssetManager.java:209) ~[?:?]

        at org.opencastproject.assetmanager.util.WorkflowPropertiesUtil.storeProperties(WorkflowPropertiesUtil.java:108) ~[?:?]

        at org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:540) ~[?:?]

        at org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:519) ~[?:?]

        at org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1181) ~[?:?]

        at org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1121) ~[?:?]

Any help will highly be appreciated.

[Carter Wallace]

Hi Ravishel,

We have also ran in to that issue and for us it came down to the user not being authenticated on the domain where studio is hosted. For Example.com/studio they had to first login to example.com.

We tried passing a general user to studio with API permissions but still ran into that exact same behaviour where it would create the event but not be able to ingest the video and attach a workflow. Watching the network activity verified that there would be a 500 server error after the call to API/event/ingest.

Currently we just have the user login instead of trying to pass credentials to studio and that works fine until we're able to figure out an SSO solution.

Carter

[Lukas Kalbertodt]

Hi there!

I don't know anything about Moodle, but here are a few hints:

- For an event to be correctly processed, the user ingesting has to have
(a) write access to that event and (b) does still need to exist until
the event is finished processing.
- (a) Make sure the user has that write access by inspecting the
event's ACL. If those are wrong, you can tell Studio which ACL to
send (see CONFIGURATION.md in the Studio repo).
- (b) You have to enable something something LTI user persistance. I
don't know any details though.
- To correctly ingest, all users using Studio have to have
`ROLE_STUDIO`. Do your LTI users have that role?


Maybe this helps.


Lukas

On 30.06.20 01:42, Ravishel Naicker wrote:
> Hi
>
> I have configured the Moodle plugin and Opencast (8.5).  Features such
> as uploading of videos, creating series, changing metadata, visibility
> etc is working fine with lecturer account.
>
> I can record videos with "Record Video" from Moodle, users are
> authenticated correctly. The issues arises uploading the  video.
>

> With *admin account on Moodle i can upload the videos with no issues*
> but when a *lecturer *tries to upload video after recording on Studio it
> gets error "U*pload failed: an unexpected response was returned."*

>
> Though i get that error, the video is uploaded to Opencast and is
> directly sent to FINISHED, without being processed/published. When i
> check the details, i can see the video file but under workflow there
> isn't any.
>
> Note: I have un-commented and given all access which by default was
> there for instructor
> on org.opencastproject.security.lti.LtiLaunchAuthenticationHandler.cfg. 
>
> The logs as the following (part that gives error) , attached is the full
> logs from the moment i click on the record button. 
> |
>

> Caused by: org.opencastproject.security.api.UnauthorizedException: *Not
> allowed to set property on episode*85b234ba-6e4c-48ec-8d89-8adcc0b3c1bb

>         at
> org.opencastproject.assetmanager.impl.AssetManagerWithSecurity.setProperty(AssetManagerWithSecurity.java:125)
> ~[?:?]
>         at
> org.opencastproject.assetmanager.impl.OsgiAssetManager.setProperty(OsgiAssetManager.java:209)
> ~[?:?]
>         at
> org.opencastproject.assetmanager.util.WorkflowPropertiesUtil.storeProperties(WorkflowPropertiesUtil.java:108)
> ~[?:?]
>         at
> org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:540)
> ~[?:?]
>         at
> org.opencastproject.workflow.impl.WorkflowServiceImpl.start(WorkflowServiceImpl.java:519)
> ~[?:?]
>         at
> org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1181)
> ~[?:?]
>         at
> org.opencastproject.ingest.impl.IngestServiceImpl.ingest(IngestServiceImpl.java:1121)
> ~[?:?]
>
> |
>
> Any help will highly be appreciated.
>

> --
> To unsubscribe from this group and stop receiving emails from it, send
> an email to users+un...@opencast.org
> <mailto:users+un...@opencast.org>.

[Ravishel Naicker]

Hi

The lecturer is able to actually injest the video (i can see the video on Opencast uploaded and directly to finished status). I have given the ROLE_STUDIO to the instructor in the LTI configuration file.

> an email to us...@opencast.org
> <mailto:us...@opencast.org>.

[Ravishel Naicker]

Anyone ??

[Greg Logan]

Hi Ravishel,

That's telling you that the user is missing some role.  What is the full set of roles that Opencast thinks the user has?

G

To unsubscribe from this group and stop receiving emails from it, send an email to users+un...@opencast.org.

[Ravishel Naicker]

Hi

from info/me.json (after clicking the record video button from Moodle with a lecturer user) I get the following

{"org":{"anonymousRole":"ROLE_ANONYMOUS","name":"Opencast Project","adminRole":"ROLE_ADMIN","id":"mh_default_org","properties":{"admin.shortcut.editor.play_current_segment":"c","admin.shortcut.editor.play_current_segment_with_pre-roll":"C","admin.shortcut.player.previous_frame":"left","admin.shortcut.general.select_previous_dashboard_filter":"F","admin.shortcut.general.remove_filters":"r","admin.shortcut.editor.split_at_current_time":"v","admin.shortcut.player.previous_segment":"up","adminui.user.external_role_display":"false","admin.shortcut.player.next_segment":"down","org.opencastproject.admin.mediamodule.url":"/engage/ui","org.opencastproject.admin.help.documentation.url":"https://docs.opencast.org","admin.shortcut.editor.cut_selected_segment":"backspace","admin.shortcut.player.step_forward":"ctrl+right","admin.shortcut.editor.clear_list":"ctrl+backspace","admin.shortcut.player.step_backward":"ctrl+left","admin.shortcut.general.series_view":"s","admin.shortcut.general.event_view":"e","admin.shortcut.player.volume_up":"plus","admin.shortcut.player.play_pause":"space","admin.shortcut.general.main_menu":"m","admin.shortcut.player.mute":"m","org.opencastproject.admin.help.restdocs.url":"/rest_docs.html","admin.shortcut.editor.play_ending_of_current_segment":"n","admin.shortcut.general.select_next_dashboard_filter":"f","admin.shortcut.player.volume_down":"-","admin.shortcut.general.new_event":"n","org.opencastproject.oaipmh.server.hosturl":"","admin.shortcut.player.next_frame":"right","admin.shortcut.general.new_series":"N"}},"roles":["3_Instructor","ROLE_UI_EVENTS_DETAILS_COMMENTS_REPLY","ROLE_USER","ROLE_UI_EVENTS_DETAILS_COMMENTS_VIEW","ROLE_GROUP_MH_DEFAULT_ORG_SYSTEM_ADMINS","ROLE_STUDIO","ROLE_API_EVENTS_METADATA_EDIT","ROLE_UI_EVENTS_DETAILS_COMMENTS_DELETE","ROLE_ANONYMOUS","ROLE_UI_EVENTS_DETAILS_COMMENTS_RESOLVE","ROLE_API_EVENTS_METADATA_DELETE","ROLE_UI_EVENTS_DETAILS_COMMENTS_EDIT","ROLE_UI_EVENTS_EDITOR_VIEW","ROLE_ADMIN_UI","ROLE_UI_EVENTS_DETAILS_COMMENTS_CREATE","ROLE_UI_EVENTS_EDITOR_EDIT","ROLE_API_EVENTS_METADATA_VIEW","ROLE_OAUTH_USER"],"userRole":"ROLE_USER_LECTURER01","user":{"username":"lecturer01"}}

To unsubscribe from this group and stop receiving emails from it, send an email to us...@opencast.org.

[Ravishel Naicker]

Any help

Do note that the video is uploaded to Opencast and goes directly to Finished without getting published or processed .

So if the user did not have the necessary permission will that happen ? This doesnt happen when Moodle admin user does it.

Regards

[Greg Logan]

Hi Ravishel,

What does the ACL on the failed episode look like? Do any of the roles in there show up in the users roles? 

G

To unsubscribe from this group and stop receiving emails from it, send an email to users+un...@opencast.org.

[Ravishel Naicker]

Hi Attached 

To unsubscribe from this group and stop receiving emails from it, send an email to us...@opencast.org.

[Ravishel Naicker]

Hi 

I have noticed if i give the ROLE_ADMIN to the instructor they are able to upload the videos. With the following roles they cannot ROLE_STUDIO,ROLE_GROUP_MH_DEFAULT_ORG_EXTERNAL_APPLICATIONS,ROLE_SUDO

Kind Regards

Ravishel

To unsubscribe from this group and stop receiving emails from it, send an email to us...@opencast.org.

[Dietmar Zenker]

Hi Ravishel,

just a guess: maybe the instructor additionally requires the role "ROLE_API_WORKFLOW_INSTANCE_CREATE", as this role is necessary to initiate a new WF (defined in the security config):

    <sec:intercept-url pattern="/api/workflows" method="POST" access="ROLE_ADMIN, ROLE_API_WORKFLOW_INSTANCE_CREATE"/>

Greetings,

Dietmar

[Ravishel Naicker]

Hi

Still no luck, i have given the following roles but still having the error 

ROLE_API, ROLE_API_CAPTURE_AGENTS_VIEW, ROLE_API_EVENTS_ACL_DELETE, ROLE_API_EVENTS_ACL_EDIT, ROLE_API_EVENTS_ACL_VIEW, ROLE_API_EVENTS_CREATE, ROLE_API_EVENTS_DELETE, ROLE_API_EVENTS_EDIT, ROLE_API_EVENTS_MEDIA_VIEW, ROLE_API_EVENTS_METADATA_DELETE, ROLE_API_EVENTS_METADATA_EDIT, ROLE_API_EVENTS_METADATA_VIEW, ROLE_API_EVENTS_PUBLICATIONS_VIEW, ROLE_API_EVENTS_SCHEDULING_EDIT, ROLE_API_EVENTS_SCHEDULING_VIEW, ROLE_API_EVENTS_VIEW, ROLE_API_GROUPS_CREATE, ROLE_API_GROUPS_DELETE, ROLE_API_GROUPS_EDIT, ROLE_API_GROUPS_VIEW, ROLE_API_SECURITY_EDIT, ROLE_API_SERIES_ACL_EDIT, ROLE_API_SERIES_ACL_VIEW, ROLE_API_SERIES_CREATE, ROLE_API_SERIES_DELETE, ROLE_API_SERIES_EDIT, ROLE_API_SERIES_METADATA_DELETE, ROLE_API_SERIES_METADATA_EDIT, ROLE_API_SERIES_METADATA_VIEW, ROLE_API_SERIES_PROPERTIES_EDIT, ROLE_API_SERIES_PROPERTIES_VIEW, ROLE_API_SERIES_VIEW, ROLE_API_STATISTICS_VIEW, ROLE_API_WORKFLOW_DEFINITION_VIEW, ROLE_API_WORKFLOW_INSTANCE_CREATE, ROLE_API_WORKFLOW_INSTANCE_DELETE, ROLE_API_WORKFLOW_INSTANCE_EDIT, ROLE_API_WORKFLOW_INSTANCE_VIEW, ROLE_CAPTURE_AGENT_LTEST,ROLE_STUDIO, ROLE_SUDO

[Ravishel Naicker]

Hi

Finally managed to solve the issues. In my ui-config/mh_default_org/studio/settings.json

ACL as false. As i have changed to true it is successful

Thanks everyone for the support.

Regards

On Monday, 13 July 2020 20:11:04 UTC+12, Dietmar Zenker wrote:

[Ravishel Naicker]

Hi

Just another query i have, so when a lecturer records a video the video gets the ACL of ROLE_USER_Username. 

The problem is that now the lecturer is not able to view the video till he changes the visibility of the video (make it available to students), then the video gets the ACL of ContextID_Instructor.

We could get list of username and add it to respective seriess ACL, but we have over 500 course shell every semester and every shell has 2-3 instructor thus will be difficult.

If we have the ACL has true on the setting of studio, the instructor is unable to upload the video, any suggestions ?

Regards

[Lukas Kalbertodt]

I'm not fully understanding the issue, but you can always change the ACL
that Studio uploads. There, you can also already add
`ContextID_Instructor` to the read/write roles. See:

https://github.com/elan-ev/opencast-studio/blob/opencast-8/CONFIGURATION.md#specify-acl

So you probably want to add a read and write permission to
`{{ltiCourseId}}_Instructor` or something like that.

> an email to users+un...@opencast.org
> <mailto:users+un...@opencast.org>.

[Dietmar Zenker]

Hi Ravishel,

as all users also get the role "ROLE_USER" per default, you could try to add this role with read access to the respective series ACL.

Greetings,

Dietmar

[Ravishel Naicker]

The video that is uploaded from the studio only has one ACL and thats ROLE_USER_Username.

So even if i add the role_user to the series, it does not inherit or show as the event (video) has only one role. I will try what Lukas has suggested and see.

[Ravishel Naicker]

Hi

Just going over the document, have few questions.

1. So i should make a file acl.xml and put in lets say /etc/opencast .

2. Have the acl:true in the setting.json for the studio

3. Have the default ACL xml edited to have  ${ltiCourseId}_Instructor  read and write access 

?? 

[Lukas Kalbertodt]

Not quite. Also see this documentation:

https://docs.opencast.org/r/8.x/admin/#modules/studio/

> If you want to pre-configure the ACL that is sent by studio, place a
file `acl.xml` in `etc/ui-config/mh_default_org/studio/` and set
`upload.acl` in `settings.json` to `"/ui/config/studio/acl.xml"`.

"upload": {
"acl": "/ui/config/studio/acl.xml"
}

Re your third point: yes. You can basically just copy the two big blocks
in the default ACL and then replace
{{ userRole }}
with
{{ ltiCourseId }}_Instructor

Note the correct {{ }} syntax. ${} does not work in the XML template.

[Ravishel Naicker]

Hi

just question for clarification, why we have the path as  /ui/config/studio/acl.xml  and not   ui-config/mh_default_org/studio/acl.xml 

[Ravishel Naicker]

Just tested, and it is getting the ContextID_instructor role for the event from the studio.

Thanks for the support, really appreciate it.

On Wednesday, 15 July 2020 at 22:34:34 UTC+12 Lukas Kalbertodt wrote:

[Lukas Kalbertodt]

> just question for clarification, why we have the path as
/ui/config/studio/acl.xml and not
ui-config/mh_default_org/studio/acl.xml

This is just because Opencast serves static files from
`ui-config/mh_default_org/` under the URL `/ui/config/`.

---

I just noticed: you probably want to make sure that the ACL rules for
`*_Instructor` are only applied if the Studio user actually comes from
an LTI context. You can use Mustache conditionals for that {{ #foo }}
... {{ /foo }}.

So the whole thing probably looks something like this:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Policy PolicyId="mediapackage-1"

RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
Version="2.0"
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
<Rule RuleId="user_read_Permit" Effect="Permit">
<Target>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">{{ userRole
}}</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule RuleId="user_write_Permit" Effect="Permit">
<Target>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">{{ userRole
}}</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
{{ #ltiCourseId }}
<Rule RuleId="user_read_Permit" Effect="Permit">
<Target>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">{{ ltiCourseId
}}_Instructor</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule RuleId="user_write_Permit" Effect="Permit">
<Target>
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Condition>
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">{{ ltiCourseId
}}_Instructor</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
{{ /ltiCourseId }}
</Policy>

[Ravishel Naicker]

Thanks alot buddy , i have managed to successfully achieve what i wanted.

Regards