Docker container missing role (user)?

131 views
Skip to first unread message

Jonathan Brooks

unread,
May 21, 2024, 10:08:20 AMMay 21
to dcm4che
Hi Gunter/devs/anyone else,

I've performed a very straightforward installation of dcm4chee-arc-light 5.32.0, running on Docker on Linux (Ubuntu 22.04).

Everything has gone really smoothly - thank you so much for putting in the time and effort to develop the docker containers.

One thing that's a little unusual about our set up is that we will use SAML/single sign on to authenticate regular users, and as part of that you need to map new users to roles. I've added a role-mapper, with the following settings:

(1) add a mapper to the SAML (single sign on) identity provider
role-mapper1.png
(2) Configure mapper:
role-mapper2.png

(3) Choose role
role-mapper3.png

Note that the role "user" which is essential for a new user to be able to access the web UI is not available.

Do I have to add this manually?

Best wishes,
Jon

Jonathan Brooks

unread,
May 21, 2024, 12:36:55 PMMay 21
to dcm4che
Just to add, that we have previously used SAML to authenticate users in a non-Docker installation of dcm4chee-arc-light (5.25.2).
In that instance, the Mapper maps users to the pre-existing "user" role - and they are able to browse the database as expected...

Not sure if this is something that's changed with recent versions e.g. 5.32?

Last thing to add, with this new Docker installation, the pre-existing accounts (root/admin) work fine - we're able to import data to the archive and browse as these users, so just need to add the SAML stuff for regular users...

Any help/suggestions would be much appreciated.

Best wishes,

Jon
Message has been deleted
Message has been deleted

Jonathan Brooks

unread,
May 22, 2024, 1:33:10 PMMay 22
to dcm4che
Bizarrely, following a restart of the machine and docker, the user role has magically appeared...

However, if I map an incoming user to the role "user" they don't see the archive interface upon accessing the normal address - instead they see the archive background image, and the menu item only (top left). Selecting Navigate from the menu brings the following up:

Plus a whole load of Error 401 messages that disappeared before I could take the snapshot.

archive.png

Any ideas?

Cheers, Jon

Shefki Esadi

unread,
May 23, 2024, 4:37:55 AMMay 23
to dcm4che
Hi, 

the role `user` was replaced with the role `auth` as the role `user` was sometimes used as a normal role ( which had other implications ) and it was not clear that it had an imported connection with the KeyCloak authentication.

Best Regards
Shefki Esadi

Jonathan Brooks

unread,
May 23, 2024, 10:39:47 AMMay 23
to dcm4che
Dear Shefki,

Thanks for your reply. Can I check that if I were to grant any new user the role 'auth' then they should be able to view the UI and access RESTful services...?
Currently if I do this I get a "Forbidden" message on trying to access the UI. 

I'm not sure where to start with troubleshooting this, but one thing that I think Gunter has suggested is turning on logging for keycloak.org (setting to DEBUG level). Can you advise me on how to do this?

Kind regards,
Jon

Jonathan Brooks

unread,
May 23, 2024, 11:10:05 AMMay 23
to dcm4che
Just tried again, this time no forbidden message, but I do see the dreaded 401.... 

401.png

Jonathan Brooks

unread,
May 23, 2024, 11:16:12 AMMay 23
to dcm4che
Forgot to add, that I'm not using 'localhost' anywhere in the configuration. The device is registered with DNS and has a fully qualified domain name (present in /etc/hosts), which is used in the docker-compose.yml file...

Feels like I'm missing something here....

Just to reiterate, as admin or root I can successfully browse the archive through the UI, it's only when a new user comes along, and is granted the role 'auth' that I see problems...

Any ideas?

Jon

Shefki Esadi

unread,
May 27, 2024, 6:17:29 AMMay 27
to dcm4che

Hi,

sorry we are in middle of modifying some processis regarding the roles and saving the language flag in the KeyClaok. Try to add also the "view-profile" role from account ( On Role mapping tab in KeyCloak, Click Assign Role, On The filter Field click "Filter by clients" now you should see allso the account  roles, add the account view-profile.

Best Regrads
Shefki Esadi
Message has been deleted

Jonathan Brooks

unread,
Jun 5, 2024, 1:53:43 PMJun 5
to dcm4che
Hi Shefki,

I added that role/account ("view-profile") to an account created by logging in using SAML. When I logged on it showed my username (top-right) and the edit account/logout options, but I can no longer access the menu items on the left (the button is there, but the menu is empty). There is also a message "page not found".

Do you think this will be easily fixed, or should I be considering using an older docker image? If that's the case, is there an easy way to find out what the different versions for slapd, mariadb, postgresql etc should be to run e.g. version 5.30.0? Is there an archive of the relevant docker-compose.yml files for older docker images?

Best wishes,
Jon

Jonathan Brooks

unread,
Jun 6, 2024, 12:15:13 PMJun 6
to dcm4che
Just in case this helps anyone: here's the link that explains how to access older versions of a wiki hosted on github 


This was really helpful in finding previous versions of docker-compose.yml with the relevant image versions and config options...

Best wishes,
Jon

Shefki Esadi

unread,
Jun 12, 2024, 1:10:24 PMJun 12
to dcm4che
Hi,
sorry I missed your message. Did you manage to fix? I will leave anyway this here so that others can see if they have the same problem, If the requests are without errors ( If you open the inspect for example in chrome or firefox and go to Network tab and reload the page ), than the user that you just created is missing the ui permissions. You can add them by logging in as a user that has access to the config and going to configuration->mane archive device ( default: dcm4chee-arc)->Device Extension ( Edit extension) -> Child Object ->Ui Config ->default->Permission. In the Permission drop-down you can edit the elements that you want and add the newly created role to give it permissions.

Best Regards
Shefki Esadi
Reply all
Reply to author
Forward
0 new messages