Anyone had any success with creating user accounts?


Jonathan Brooks

Jun 7, 2024, 5:15:16 AM
to dcm4che
Hi All,

I'm trying to deploy a docker version of dcm4chee-arc on Ubuntu 24.04LTS. 

Things that are working:
(1) using own SSL certificate
(2) authenticating via SAML
(3) uploading the test DICOM data (wrist MRI)
(4) logging into the archive (https://<archive-host>:8443/dcm4chee-arc/ui2) with the built in user accounts (root, admin) and browsing the uploaded data
(5) downloading the test DICOM data

Not working:
(1) Browsing the archive with any other account other than admin, root (see thread "Docker container missing role (user)?")

Steps to reproduce:
Using any recent version of dcm4chee-arc (5.30->). I've tried 5.30, 5.31, 5.31.2, 5.32
Create an account through the keycloak interface (https://<archive-host>:8843/admin/dcm4che/console) - Users -> Add User, giving the new user the roles (i) auth,  and (ii) <account> view-profile 

You can log in, but you see the message "page not found" and cannot access the menu items from the button on the left. See below:

PNF.png

empty-menu.png

Any help or suggestions for how to proceed with this would be much appreciated, as this is a complete showstopper.

Best wishes,
Jon

fleetwoodfc

Jun 7, 2024, 8:07:05 AM
to dcm4che
You also need to assign the 'user' role to a new user (to access non-administrative functions of the UI) - apparently 'auth' allows access to the UI but not to any functions.

AUTH_USER_ROLE

User role required to access the UI and RESTful services of the Archive.
(optional, default is auth).


REGULAR_USER

Created user with password changeit with assigned Realm Role specified by AUTH_USER_ROLE and REGULAR_USER_ROLE, to access non-administrative functions of the UI and RESTful services of the Archive.
(optional, default is user).

REGULAR_USER_ROLE

Created user role required to access non-administrative functions of the UI and RESTful services of the Archive.
(optional, default is user).

Jonathan Brooks

Jun 7, 2024, 9:47:35 AM
to dcm4che

Hi fleetwoodfc,

Thanks for the info - do you have the source page for that?

Am I right in thinking that I could allocate a regular_user_role = user, or a new role that I could create in keycloak e.g. regular_user, then assign the relevant UI permissions through GUI? I think Shefki suggested doing something like this in the past.

Best wishes,
Jon

Jonathan Brooks

Jun 7, 2024, 9:55:15 AM
to dcm4che
Sorry - should have looked harder! https://github.com/dcm4che-dockerfiles/slapd-dcm4chee

So with e.g. REGULAR_USER_ROLE: regular_user supplied in the environment section of ldap in docker-compose.yml, this should then provide this role in keycloak...? Sorry for being a bit dim, just wanting to check expected behaviour.

Best wishes,

Jon

Jonathan Brooks

Jun 7, 2024, 11:25:46 AM
to dcm4che
Some success....

Within my docker-compose.yml file, in the ldap: section I modified the environment sub-section to include (thanks fleetwoodfc):
    environment:
      STORAGE_DIR: /storage/fs1
      REGULAR_USER: user
      REGULAR_USER_ROLE: user
      AUTH_USER_ROLE: auth

Took down the old container (docker-compose -p dcm4chee down) and brought it back up again: docker-compose -p dcm4chee up -d

Waited for things to settle down (important - check with top). Then went into https://<archive-host>:8843/admin/dcm4che/console and logged in using user "root".

Fixed the problem with the redirect_URI for the wildfly-console client (see other thread)

From the main menu looked at Realm roles, user and auth were not present.

From main menu, went to User Federation, clicked on "ldap" (above ldap Enabled), on the right hand side of the page that opens, there is a drop down action button (I selected sync all users), which resulted in the message:
"2 users added, 1 user updated".

On the same screen, next to settings I clicked on the tab "Mappers", and chose "role", on the page that opens go to the top right and the drop down action button, select "Sync LDAP roles to Keycloak".

Now if you go back to the main menu and select Realm roles you should now additionally see user and auth as available roles.

Under Users created a new user: "Add User" - don't forget to give it an initial password under credentials (press Set password).

IMPORTANT:
When creating the new user, on the Role mapping tab, click on assign role - and select auth and user (click Assign). Then click on the top left drop-down (probably says Filter by realm roles) - change to Filter by clients - check the option for (account) view-profile then click Assign. Thanks Shefki.

Roles for the user should look like the following:

required-roles.png

This user can now browse the database and download data...

I just need to restrict what a regular user has permissions to do now... using the information here (thanks Marius/Shefki).

I suspect that I will have some fun trying to get all these roles automatically assigned to people authenticating with SAML, and will report back...

Cheers, Jon

Jonathan Brooks

Jun 8, 2024, 8:45:34 AM
to dcm4che
Problem: when coming in via SAML on first log in the user has to be mapped to a role (much like the steps in the previous message), however we need to map it to three roles (user, auth, and (account) view-profile).
FYI: on the SAML settings page, there is a separate tab 'Mappers', where I created a new one called "user-to-role-mapper", on its settings I set 'sync mode override' to Import, and 'Mapper Type' to Hardcoded Role. You then have the option of selecting one role - hence the problem.

Solution: based on the keycloak documentation here I created a composite role. 
I chose to turn the user role into a composite role. 
(1) Browse the Realm roles: select user
(2) On the drop down 'Action' button (top right), click on 'Add associated roles'
(3) Select auth, click 'Assign'.
(4) Now on the Realm roles, under the role user, you should now see a new tab 'Associated roles' with auth listed, note that 'User' is now labelled 'composite role' (see top of page).
(5) On the 'Associated role' tab press blue button 'Assign role'. 
(6) On the window that opens, change 'Filter by realm roles' to 'Filter by clients', then select (account) view-profile click 'Assign'.
(7) Back on the Identity Provider -> SAML -> Mapper tab, the Hardcoded Role can now be selected to be user, which also implies auth and (account) view-profile.

Users authenticating via SSO (SAML) can now browse the archive, download data etc...

Happy days!

Jon
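The composite role built above (realm role user implying realm role auth plus the account client's view-profile role) is what makes a single Hardcoded Role mapper sufficient for SAML users. The following is an added example, not code from the thread or from dcm4che: it expands composite roles the way Keycloak does, using a constructed role list in the RoleRepresentation shape the admin API returns, and reports which of the three roles the archive UI needs are still missing for a given user's direct role assignments. The role and client names are the ones from the thread; the data is constructed, not pulled from a live server.

```python
"""Check that a Keycloak user's effective roles cover what dcm4chee-arc's UI
needs: realm roles 'auth' and 'user' plus client role 'view-profile' of the
'account' client. Composite realm roles are expanded transitively."""
from typing import Dict, List, Set, Tuple

Role = Tuple[str, str]  # (client id, or "" for a realm role; role name)

# Constructed sample in the shape of Keycloak's RoleRepresentation
# ("composites" lists realm role names and a client-id -> role-name map).
# Realm role 'user' is the composite role described in the thread.
COMPOSITE_REALM_ROLES: List[Dict] = [
    {"name": "user", "composite": True,
     "composites": {"realm": ["auth"], "client": {"account": ["view-profile"]}}},
    {"name": "auth", "composite": False},
    {"name": "admin", "composite": False},
]
# Same realm before 'user' was turned into a composite role.
PLAIN_REALM_ROLES: List[Dict] = [
    {"name": "user", "composite": False},
    {"name": "auth", "composite": False},
]
REQUIRED: Set[Role] = {("", "auth"), ("", "user"), ("account", "view-profile")}


def effective_roles(direct: Set[Role], realm_roles: List[Dict]) -> Set[Role]:
    """Expand composite realm roles reachable from the directly assigned ones.
    A visited set guards against composite cycles. Client roles are treated as
    leaves here (client-role composites are not modelled in this sample)."""
    by_name = {r["name"]: r for r in realm_roles}
    seen: Set[Role] = set()
    stack = list(direct)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        client_id, name = role
        if client_id:
            continue
        composites = by_name.get(name, {}).get("composites") or {}
        stack.extend(("", n) for n in composites.get("realm", []))
        for cid, names in composites.get("client", {}).items():
            stack.extend((cid, n) for n in names)
    return seen


def missing_roles(direct: Set[Role], realm_roles: List[Dict]) -> Set[Role]:
    """Required roles the user would still lack; empty means the UI will work."""
    return REQUIRED - effective_roles(direct, realm_roles)
```

Running the check over a user that only carries the hardcoded 'user' role returns an empty set once 'user' is composite, and reports the two missing roles against the plain realm, which is the situation the Hardcoded Role mapper alone produced.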