"Forbidden" after first login


cjv

Oct 15, 2018, 11:08:20 AM
to dcm4che
Hi!


Following the "Run secured archive services and Elastic Stack on a single host" installation guide (docker-compose) step by step, I always get a "Forbidden" message after first login for any user (admin or user).
This happens every time I follow any "secure" guide of the DCM4CHEE-ARC-LIGHT server.

Here are the steps followed:


  • CentOS7 minimal installation (plus wget, curl, vim, mlocate, net-tools, telnet) and system updates.
  • sudo mkdir -p /mnt/storage/fs1
  • sudo chmod -R 777 /mnt/storage
  • sudo ln -s /mnt/storage /storage
  • sudo yum install -y yum-utils device-mapper-persistent-data lvm2
  • sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  • sudo yum install -y docker-ce
  • systemctl start docker.service; systemctl enable docker.service; systemctl status docker.service
  • yum -y install epel-release
  • sudo yum install -y python-pip
  • sudo pip install docker-compose
  • sudo pip install --upgrade pip
  • sudo yum update -y python*
  • mkdir /root/dcm4che-secure-elastic-docker
  • cd /root/dcm4che-secure-elastic-docker
  • echo 'vm.swappiness=1' >> /etc/sysctl.conf
  • echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
  • vim /root/dcm4che-secure-elastic-docker/docker-compose.yml
version: "3"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.4.1
    environment:
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      TAKE_FILE_OWNERSHIP: 1
    logging:
      driver: json-file
      options:
        max-size: "10m"
    ports:
      - "9200:9200"
      - "9300:9300"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/local/dcm4chee-arc/elasticsearch:/usr/share/elasticsearch/data
  kibana:
    image: docker.elastic.co/kibana/kibana-oss:6.4.1
    logging:
      driver: json-file
      options:
        max-size: "10m"
    depends_on:
      - elasticsearch
    volumes:
      - /etc/localtime:/etc/localtime:ro
  logstash:
    image: dcm4che/logstash-dcm4chee:6.4.1-6
    logging:
      driver: json-file
      options:
        max-size: "10m"
    ports:
      - "12201:12201/udp"
      - "8514:8514/udp"
      - "8514:8514"
    depends_on:
      - elasticsearch
    volumes:
      - /etc/localtime:/etc/localtime:ro
  ldap:
    image: dcm4che/slapd-dcm4chee:2.4.44-14.1
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
        tag: slapd
    ports:
      - "389:389"
    env_file: docker-compose.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/local/dcm4chee-arc/ldap:/var/lib/ldap
      - /var/local/dcm4chee-arc/slapd.d:/etc/ldap/slapd.d
  keycloak:
    image: dcm4che/keycloak:4.4.0-14.1-logstash
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
        tag: keycloak
    ports:
      - "8880:8880"
      - "8843:8843"
      - "8990:8990"
    env_file: docker-compose.env
    environment:
      HTTP_PORT: 8880
      HTTPS_PORT: 8843
      MANAGEMENT_HTTP_PORT: 8990
      KEYCLOAK_WAIT_FOR: ldap:389 logstash:8514
    depends_on:
      - ldap
      - logstash
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/local/dcm4chee-arc/keycloak:/opt/keycloak/standalone
  keycloak-proxy:
    image: dcm4che/keycloak-proxy:4.4.0-2
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
        tag: keycloak-proxy
    ports:
      - "8601:8601"
      - "8643:8643"
    env_file: docker-compose.env
    environment:
      HTTP_PORT: 8601
      HTTPS_PORT: 8643
    depends_on:
      - logstash
      - kibana
      - keycloak
    volumes:
      - /etc/localtime:/etc/localtime:ro
  db:
    image: dcm4che/postgres-dcm4chee:10.4-14
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
        tag: postgres
    ports:
      - "5432:5432"
    env_file: docker-compose.env
    depends_on:
      - logstash
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/local/dcm4chee-arc/db:/var/lib/postgresql/data
  arc:
    image: dcm4che/dcm4chee-arc-psql:5.14.1-logstash-secure
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
        tag: dcm4chee-arc
    ports:
      - "8080:8080"
      - "8443:8443"
      - "104:104"
      - "9990:9990"
      - "11112:11112"
      - "2575:2575"
    env_file: docker-compose.env
    environment:
      WILDFLY_CHOWN: /opt/wildfly/standalone /storage
      WILDFLY_WAIT_FOR: ldap:389 db:5432 logstash:8514
    depends_on:
      - ldap
      - keycloak
      - db
      - logstash
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/local/dcm4chee-arc/wildfly:/opt/wildfly/standalone
      - /var/local/dcm4chee-arc/storage:/storage
  • vim /root/dcm4che-secure-docker/docker-compose.env
SYSLOG_HOST=logstash
SYSLOG_PORT=8514
SYSLOG_PROTOCOL=TLS
STORAGE_DIR=/storage/fs1
POSTGRES_DB=pacsdb
POSTGRES_USER=pacs
POSTGRES_PASSWORD=pacs
AUTH_SERVER_URL=https://myhost.mydomain:8843/auth
OIDC client ---> dcm4chee-arc-ui
Valid Redirect URI: https://myhost.mydomain:8443/dcm4chee-arc/ui2/*
Valid Redirect URI: http://myhost.mydomain:8080/dcm4chee-arc/ui2/*
OIDC client ---> kibana
 Valid Redirect URI: https://myhost.mydomain:8643/*
 Valid Redirect URI: http://myhost.mydomain:8601/*
"Forbidden"

 This behaviour happens in each "secure" DCM4CHEE-ARC version. Can someone help me find what I'm doing wrong?

Thanks.

gunterze

Oct 16, 2018, 8:25:03 AM
to dcm4che
Login directly on keycloak ( https://myhost.mydomain:8843/auth/admin/dcm4che/console ) and verify that users which shall have access to the archive UI have the role "user" assigned.
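
The check gunterze describes can also be done on the token itself: the archive UI only admits callers whose access token carries the "user" role, and in Keycloak a role may be granted at realm level (claim `realm_access.roles`) or per client (claim `resource_access.<client>.roles`). The following is an added example, not code from the thread or from the dcm4chee project; it builds a constructed, unsigned sample token with Keycloak's claim layout, decodes it without verifying any signature (it is an inspection aid, the archive enforces the role server-side), and reports in which claim the role was found. The token builder, the issuer URL and the user name are assumptions for the demonstration.

```python
import base64
import json


def _b64url_encode(obj):
    """Serialise a dict as compact JSON and base64url-encode it without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode())


def make_sample_token(realm_roles, client_roles):
    """Constructed, unsigned token (alg=none) using Keycloak's claim layout.

    A real deployment issues RS256-signed tokens; this only exists so the
    inspection below can run offline.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://myhost.mydomain:8843/auth/realms/dcm4che",  # assumed issuer
        "preferred_username": "admin",                                # assumed user
        "realm_access": {"roles": list(realm_roles)},
        "resource_access": {
            client: {"roles": list(roles)} for client, roles in client_roles.items()
        },
    }
    # Empty third segment: no signature. Never accept such a token server-side.
    return ".".join([_b64url_encode(header), _b64url_encode(payload), ""])


def token_roles(token):
    """Return (realm_roles, {client: roles}) from the payload segment of a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    realm = set(claims.get("realm_access", {}).get("roles", []))
    clients = {
        client: set(entry.get("roles", []))
        for client, entry in claims.get("resource_access", {}).items()
    }
    return realm, clients


def where_is_role(token, role, client=None):
    """Return 'realm', 'client' or None depending on where `role` is granted.

    `client` names the OIDC client whose client-level roles should count
    (for the archive UI that is dcm4chee-arc-ui).
    """
    realm, clients = token_roles(token)
    if role in realm:
        return "realm"
    if client is not None and role in clients.get(client, set()):
        return "client"
    return None


if __name__ == "__main__":
    good = make_sample_token(["user", "admin"], {"dcm4chee-arc-ui": []})
    bad = make_sample_token(["offline_access"], {"dcm4chee-arc-ui": []})
    for name, tok in (("good", good), ("bad", bad)):
        print(name, "user role granted at:", where_is_role(tok, "user", "dcm4chee-arc-ui"))
```

To inspect a real token, obtain one from Keycloak's token endpoint for the realm (`/auth/realms/dcm4che/protocol/openid-connect/token`, assuming the dcm4chee-arc-ui client permits the direct access password grant) and pass it to `where_is_role`; a result of `None` for "user" is exactly the state that produces "Forbidden" in the archive UI.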

cjv

Oct 16, 2018, 1:39:57 PM
to dcm...@googlegroups.com
In Keycloak > Users > "Admin" > Role Mappings > Client Roles > dcm4chee-arc-ui > Available Roles there are no roles available. Are you referring to this setting? Is it supposed to be empty? What can I do?
(attached screenshot: keycloak_client.png)

Pela Silveira

Oct 16, 2018, 5:20:46 PM
to dcm4che
I had a similar problem. Verify that all the hostnames are resolvable from inside the containers.

There are different ways to achieve that. I have added a line in the yml file for every service: dns: x.x.x.x

cjv

Oct 17, 2018, 6:54:04 AM
to dcm4che
All hostnames? I only have one hostname! I've followed your suggestion by adding "dns" to each service but still have no result.

docker-compose -p dcm4chee stop
vim docker-compose.yml
version: "3"
services:
  elasticsearch:
    dns:
      - x.x.x.x
      - y.y.y.y
    dns_search:
      - mydomain
...
docker-compose -p dcm4chee start
"Forbidden"

Are the docker containers supposed to work from scratch, or is the guideline missing some steps?

gunterze

Oct 17, 2018, 1:54:07 PM
to dcm4che
Looks correct. Any WARN or ERROR in keycloak or wildfly server.log?

Pela Silveira

Oct 18, 2018, 3:27:47 PM
to dcm4che
I mean the host to each container. You can execute a bash inside the containers to see if they actually see each other by their hostnames.

Another option is to set this env variable with an IP rather than a name
AUTH_SERVER_URL=https://<docker-host>:8843/auth
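
The names that have to resolve are the ones the compose file and env file reference: the `gelf-address` hosts, the `*_WAIT_FOR` targets, `SYSLOG_HOST`, and above all the host in `AUTH_SERVER_URL`, which the OIDC adapter inside the arc container must reach to fetch the realm's keys and validate tokens. The following is an added example, not code from the thread or the dcm4chee project; it pulls those hostnames out of constructed excerpts of the two files with plain regexes (no YAML library, so it runs in a minimal container) and checks each one with the resolver of whatever environment it runs in. The excerpts are constructed from the thread's own configuration; `check()` is an assumed helper name.

```python
import re
import socket

# Constructed excerpts, taken from the compose and env files posted in the thread.
SAMPLE_COMPOSE = """
    logging:
      driver: gelf
      options:
        gelf-address: "udp://myhost.mydomain:12201"
    environment:
      KEYCLOAK_WAIT_FOR: ldap:389 logstash:8514
      WILDFLY_WAIT_FOR: ldap:389 db:5432 logstash:8514
"""
SAMPLE_ENV = """
SYSLOG_HOST=logstash
SYSLOG_PORT=8514
AUTH_SERVER_URL=https://myhost.mydomain:8843/auth
"""


def referenced_hosts(compose_text, env_text):
    """Collect every hostname the two files expect the containers to resolve."""
    hosts = set()
    # gelf-address: "udp://host:port"  (the logging driver target)
    for m in re.finditer(r'gelf-address:\s*"?\w+://([^:/"\s]+)', compose_text):
        hosts.add(m.group(1))
    # KEYCLOAK_WAIT_FOR / WILDFLY_WAIT_FOR: host:port host:port ...
    for m in re.finditer(r"_WAIT_FOR:\s*(.+)", compose_text):
        for pair in m.group(1).split():
            hosts.add(pair.split(":")[0])
    # AUTH_SERVER_URL=https://host:port/auth  (what the OIDC adapter contacts)
    m = re.search(r"^AUTH_SERVER_URL=\w+://([^:/\s]+)", env_text, re.M)
    if m:
        hosts.add(m.group(1))
    m = re.search(r"^SYSLOG_HOST=(\S+)", env_text, re.M)
    if m:
        hosts.add(m.group(1))
    return hosts


def resolves(host):
    """True if the local resolver (the container's, when run inside one) knows `host`."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except OSError:
        return False


def check(compose_text, env_text):
    """Map each referenced hostname to whether it resolves here."""
    return {h: resolves(h) for h in sorted(referenced_hosts(compose_text, env_text))}


if __name__ == "__main__":
    # Run this inside each container (e.g. copy it in and invoke it with the
    # container's python3) so the result reflects that container's resolver.
    for host, ok in check(SAMPLE_COMPOSE, SAMPLE_ENV).items():
        print(f"{host:20s} {'ok' if ok else 'DOES NOT RESOLVE'}")
```

Service names such as `ldap`, `db` and `logstash` are resolved by Docker's embedded DNS on the compose network; `myhost.mydomain` is not, which is why a public name used in `AUTH_SERVER_URL` and `gelf-address` must be resolvable through the container's configured `dns:` servers or replaced by the docker host's IP as suggested above.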
