Unable to authenticate when connecting to Fedora Server from islandora configuration

[Jaime Pinto]

This is a new installation:
islandora-7.x-1.3  running on Ubuntu 12.04 VM
Fedora Repository 3.Version 3.8.0-SNAPSHOT
drupal-7.31.
tuque-1.3

"Unable to authenticate when connecting to to Fedora Server (Version 3.8.0-SNAPSHOT). Please configure the Drupal Filter."

* the http://localhost:8080/fedora/admin flash page comes up and I'm able to browse the Search and Object tags. However I "ingested" a couple of text files and don't see them on the search. I expected to be asked for a login name/password, but the login seems automatic.

* I followed the steps on this page:
https://wiki.duraspace.org/pages/viewpage.action?pageId=34638844

I tried the drupalAdmin user first, but the fedoraAdmin also fails. At this point I'm not sure which one to use.

<FilterDrupal_Connection>
<!--  <connection server="localhost" dbname="drupalDB" user="drupalAdmin" password="drupalAdmin" port="3306"> -->
    <connection server="localhost" dbname="fedora3" user="fedoraAdmin" password="fedoraAdmin" port="3306">
    <sql>
                  <!--Different sql statement for each connection.  This is for drupal multisites that are setup using one database with
                  table prefixes.  We don't do this but some people might.-->
                  SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON
                  u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
    </sql>
  </connection>
</FilterDrupal_Connection>

* drupal files are at the root of the webserver

* I did the curl test as follows, and it seems to work
curl -u fedoraAdmin:fedoraAdmin -X POST http://localhost:8080/fedora/objects/new\?namespace\=test
test:1
curl -u fedoraAdmin:fedoraAdmin -X POST http://localhost:8080/fedora/objects/new\?namespace\=test
test:2
curl -u fedoraAdmin:fedoraAdmin -X POST http://localhost:8080/fedora/objects/new\?namespace\=test
test:3

Some of the text objects I ingested initially seem to have landed inside this path:
/usr/local/fedora/data/objectStore
07/info%3Afedora%2Fchangeme%3A4
63/info%3Afedora%2Fchangeme%3A2
92/info%3Afedora%2Fchangeme%3A3

And the curl tests in:
33/info%3Afedora%2Ftest%3A3
79/info%3Afedora%2Ftest%3A1

I installed and enabled the islandora module and a few of the other solr/solution packages

I also turned some privilege check in a config from TRUE to FALSE with nano (can't remember where anymore).

I obviously missed something, but I retraced my steps and can not find what is it. I hope there are enough hints here.

Thanks for any help
Jaime

[Peter Murray]

Just to verify — what is needed for user=“” and password=“” is the same username/password used by Drupal itself to connect to the database. You’d find these in the settings.php file, like such:

$databases = array (

  'default' => 

  array (

    'default' => 

    array (

      'database' => ‘>>>THIS DBNAME<<<',

      'username' => ‘>>>THIS USER<<<',

      'password' => ‘>>>THIS PASSWORD<<<',

      'host' => ‘localhost',

      'port' => '',

      'driver' => 'mysql',

      'prefix' => '',

    ),

  ),

);

It kinda sounds like you were trying to use the username/password to log into the Drupal web interface.

If that doesn’t work, I suggest turning on the FESL logging in Fedora ($FEDORA_HOME/server/config/logback.xml):

  https://github.com/fcrepo3/fcrepo/blob/3.8.0-SNAPSHOT/fcrepo-server/src/main/resources/fcfg/server/logback.xml#L25-L47

Peter

On Aug 26, 2014, at 9:23 AM, Jaime Pinto <g6pi...@gmail.com> wrote:

I tried the drupalAdmin user first, but the fedoraAdmin also fails. At this point I'm not sure which one to use. 

<FilterDrupal_Connection>
<!--  <connection server="localhost" dbname="drupalDB" user="drupalAdmin" password="drupalAdmin" port="3306"> -->
    <connection server="localhost" dbname="fedora3" user="fedoraAdmin" password="fedoraAdmin" port="3306">
    <sql>
                  <!--Different sql statement for each connection.  This is for drupal multisites that are setup using one database with
                  table prefixes.  We don't do this but some people might.-->
                  SELECT DISTINCT u.uid AS userid, u.name AS Name, u.pass AS Pass, r.name AS Role FROM (users u LEFT JOIN users_roles ON
                  u.uid=users_roles.uid) LEFT JOIN role r ON r.rid=users_roles.rid WHERE u.name=? AND u.pass=?;
    </sql>
  </connection>
</FilterDrupal_Connection>

--
Peter Murray
Assistant Director, Technology Services Development
LYRASIS
Peter....@lyrasis.org
+1 678-235-2955
800.999.8558 x2955

[Jaime Pinto]

Thanks for the reply Peter.

I indeed logged in to the Drupal web interface using the user="drupalAdmin" password="drupalAdmin". That is the only account on drupal database at the moment.
I returned the FilterDrupal to its previous format, whose credentials are the same as in the settings.php file:

<connection server="localhost" dbname="drupalDB" user="drupalAdmin" password="drupalAdmin" port="3306">

And I enabled the FESL logging in Fedora. All seems fine (see log except further below).

However I'm still confused about the fedora3/drupalDB and the users on each of those databases.
How is the fedora repository to know that drupalAdmin (or any user in the drupal structure) is supposed to login and access the fedora3 database. Those 2 databases are completely independent, although in the same mysql server. At no time in the installation sequence there was an instruction to grant drupalAdmin  access fedora3.

I came across an "anonymous" user or access in one of the instruction pages (can't recall which one), but I'm not sure if that has a play on this process. I'm assuming this to be the case at least for reading/searching, since when I used the flash interface to access http://localhost:8080/fedora I was not prompted for a user/password login screen. But I would expect not to be able to perform writes to the repository.

In addition, the curl test was done using the fedoreAdmin account, which does have granted access to fedora3 database.

Would anyone be able to enlighten me on this process?

Thanks
Jaime


oot@islandora-test:/usr/local/fedora/server/logs# cat fesl.log
INFO 2014-08-26 15:16:15.218 [localhost-startStop-1] (AuthFilterJAAS) using FEDORA_HOME: /usr/local/fedora
INFO 2014-08-26 15:16:15.218 [localhost-startStop-1] (AuthFilterJAAS) initialised servlet filter: org.fcrepo.server.security.jaas.AuthFilterJAAS
DEBUG 2014-08-26 15:16:34.552 [http-bio-8080-exec-1] (AuthFilterJAAS) incoming filter: org.fcrepo.server.security.jaas.AuthFilterJAAS
DEBUG 2014-08-26 15:16:34.555 [http-bio-8080-exec-1] (AuthFilterJAAS) session-id: C80E4BCB11E82458A24D48021490EEA4
DEBUG 2014-08-26 15:16:34.557 [http-bio-8080-exec-1] (AuthFilterJAAS) auth username: drupalAdmin
DEBUG 2014-08-26 15:16:34.563 [http-bio-8080-exec-1] (XmlUsersFileModule) using FEDORA_HOME: /usr/local/fedora
DEBUG 2014-08-26 15:16:34.563 [http-bio-8080-exec-1] (XmlUsersFileModule) login module initialised: org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule
DEBUG 2014-08-26 15:16:34.564 [http-bio-8080-exec-1] (XmlUsersFileModule) org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule login called.
DEBUG 2014-08-26 15:16:34.764 [http-bio-8080-exec-1] (AuthFilterJAAS) found userPrincipal [org.fcrepo.server.security.jaas.auth.UserPrincipal]: drupalAdmin
DEBUG 2014-08-26 15:16:34.765 [http-bio-8080-exec-1] (SubjectUtils) checking for attributes (class name): java.util.HashMap
DEBUG 2014-08-26 15:16:34.765 [http-bio-8080-exec-1] (SubjectUtils) checking for attributes (key object name): java.lang.String
DEBUG 2014-08-26 15:16:34.765 [http-bio-8080-exec-1] (SubjectUtils) checking for attributes (value object name): java.util.HashSet
DEBUG 2014-08-26 15:16:34.765 [http-bio-8080-exec-1] (AuthFilterJAAS) found role: administrator
DEBUG 2014-08-26 15:16:34.765 [http-bio-8080-exec-1] (AuthFilterJAAS) found role: authenticated user

[pcdigitalservices]

If it's worth anything, I had a plethora of issues trying to get islandora to see fedora as well until I installed an older version of fedora (3.6.2 to be exact). Everything seemed to work fine after that.

[Jaime Pinto]

For now I'll give others in the group a chance to think of a fix, or some step I may have missed, even because it might help with the deployment of the more recent versions, but if there is no progress by the end of the week I too may have to go back to older release(s).

Thanks
Jaime

[Nick Ruest]

Since Fedora 3.8.0 has not been release, there has not been a Drupal
Filter[1] created for it. You should be able to use any version of
Fedora listed on that link.

Additionally, the 7.x-1.3 Release Notes[2] has a section on support
version of the software stack that work with the latest release.

-nruest

[1] https://github.com/Islandora/islandora_drupal_filter/releases
[2]
https://wiki.duraspace.org/display/ISLANDORA713/Release+Notes+and+Downloads

> --
> For more information about using this group, please read our Listserv
> Guidelines: http://islandora.ca/content/welcome-islandora-listserv
> ---
> You received this message because you are subscribed to the Google
> Groups "islandora" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to islandora+...@googlegroups.com
> <mailto:islandora+...@googlegroups.com>.
> Visit this group at http://groups.google.com/group/islandora.
> For more options, visit https://groups.google.com/d/optout.

[Peter Murray]

The Drupal Filter authentication plug-in to Fedora3 takes the username/password that comes from the web request and compares it with what is in the Drupal database; it is the bridge between Fedora and Drupal for identity purposes.

Your fesl.log looks fine; it pretty much matches mine.  Other than needing to compile a version specific to Fedora-3.8.0-SNAPSHOT (which Nick suggested), I’m not sure what might be going wrong.

Peter

--
For more information about using this group, please read our Listserv Guidelines: http://islandora.ca/content/welcome-islandora-listserv

[Jaime Pinto]

I really would like to understand in more details the authentication mechanism between the drupal/islandora combination and fedora.

Peter, you seem to imply that the Drupal Filter basically does a loopback credential verification with mysql, in which case, that would be independent to the fedora infrastructure, or the release I'm using.

On the other hand I was arm twisted into the 3.8 version because I could not access the localhost:8080/fedora or localhost:8080/fedora/admin pages with 3.7.1, independently if any additional installation of drupal or islandora. That was a suggestion from the fedora group that finally got me through, and it took me some 5 days last week of messing around just with that part.

I know by now that going back to 3.7.1 will not get me too far, unless I can count on people on THIS group to help me out.

Thanks
Jaime

[Nick Ruest]

Hi Jamie-

Peter explained the basics of how the filter works. I'm not sure what
else you're looking for. Maybe check out the README file here[1], and/or
browse the code.

As for 3.7.1, I'm pretty sure folks on the Fedora list explained how you
can use 3.7.1. You just need to clone the repo, and build the jar file.
Then you are good to go. Arm twisting is a little misleading.

Finally, there is something about the way you convey yourself here that
comes off as very insulting. At least that is the way I'm taking it. It
might be useful check out the listserv welcome message[2]. Remember that
we're all volunteers here, helping each other out, and your mileage here
may vary depending on how your message to the community is crafted.

-nruest

[1] https://github.com/Islandora/islandora_drupal_filter
[2] http://islandora.ca/content/welcome-islandora-listserv

> --
> For more information about using this group, please read our Listserv
> Guidelines: http://islandora.ca/content/welcome-islandora-listserv

[Jaime Pinto]

Apologies to all for how the messages may be coming across. It's not intentional. The many hours/days of frustrated efforts to get things going can get me on the edge at times. Thanks for you help and feedback.
Jaime

[Nick Ruest]

I understand that frustration very well. The stack has a pretty steep
learning curve given all of the moving components.

FWIW, I noticed that the first step in the 'Installing & Configuring
Drupal Filter'[1] of the documentation was a little unclear. I have
updated to to explicitly state that you need a Drupal Filter that
corresponds to the version of Fedora that you are running.

If you notice anything else in the installation instructions that seem
unclear, or incorrect, please let us know.

-nruest

[1] https://wiki.duraspace.org/pages/viewpage.action?pageId=45547883

[Jaime Pinto]

Hey Nick

I spent some time analyzing the readme files and to some extent the java code for this 4 classes, as you suggested:
DrupalAuthModule.java
DrupalUserInfo.java
FilterDrupal.java
FilterIslandoraAuth.java

All this filter seems to do is check whether or not a user that just accessed the drupal web interface did so with an existing user/passwd in the drupal database. If the user exists then it parses that 'awareness' of an authenticated user to fedora. If that user does not exist on that particular drupal site, or if the login session fails to authenticate, or yet if the drupal site does not require a login session to access the site (as it is the case with many drupal/islandora sites), THEN the filter will parse a awareness of an *anonymous* user to fedora.

I could be mistaken on my assessment, but the description on the README file from the link below is incorrect:
https://github.com/Islandora/islandora_drupal_filter/blob/master/README.md
'This is the servlet filter to permit the Fedora Commons repository software to authenticate against a Drupal database"

That is not the case at all: this servlet is to permit a potential drupal user to authenticate against the drupal database. Fedora never authenticates back against drupal

The description on this link is correct:
https://wiki.duraspace.org/pages/viewpage.action?pageId=45547883

"If you use the Drupal servlet filter to connect to multiple Drupal databases there is potential for users with the same username in each database to access each others private objects. To avoid this, use the Drupal LDAP module. A Drupal multi-site environment utilizing the LDAP module for all sites ensures a unique username/site configuration."

On the other hand, there seems to be a 2nd stage to this mechanism in which the drupal servlet will access the fedora repository (fedora3 database) with a default internal service account with credentials user="djatoka", password="djatoka", and depending on the policies already defined on the fedora repository for an authenticated or anonymous user, fedora will return the results of a search for example. That authenticated/anonymous awareness would also determine who/how/whether fedora would allow data to be ingested (by whichever user is logged in by the drupal application layer above).

What is not clear yet is if/how/where we can overwrite the djatoka internal service account somewhere on the drupal/islandora configuration with the already existing fedoraAdmin account, which has all necessary/granted permissions to manipulate fedora3.

Please correct me on those points that I misinterpreted this mechanism.

In the meantime I'll create a djatoka/djatoka  user/passwd in the fedora3 database with the same permissions as fedoraAdmin is see what happens to the islandora-to-fedora authentication.

Thanks for any input/addition/correction/feedback
---
Jaime

[Nick Ruest]

If you familiar with the fork and full request process, feel free to
submit a pull request for any of the README changes that you think
should be made.

As for the Djatoka username and password, that is only if you have API-A
completely locked down[1]. In a normal setup, this is not required.

-nruest

[1]
https://github.com/Islandora/islandora_drupal_filter/blob/180d9c6e703c2ce1b1b762ced19423b0b9273b24/src/main/java/ca/upei/roblib/fedora/servletfilter/FilterIslandoraAuth.java#L29

On 14-08-26 10:51 PM, Jaime Pinto wrote:
> Hey Nick
>
> I spent some time analyzing the readme files and to some extent the java
> code for this 4 classes, as you suggested:
> DrupalAuthModule.java
> DrupalUserInfo.java
> FilterDrupal.java
> FilterIslandoraAuth.java
>
> All this filter seems to do is check whether or not a user that just
> accessed the drupal web interface did so with an existing user/passwd in
> the drupal database. If the user exists then it parses that 'awareness'
> of an authenticated user to fedora. If that user does not exist on that
> particular drupal site, or if the login session fails to authenticate,
> or yet if the drupal site does not require a login session to access the
> site (as it is the case with many drupal/islandora sites), THEN the
> filter will parse a awareness of an *anonymous* user to fedora.
>
> I could be mistaken on my assessment, but the description on the README
> file from the link below is incorrect:
> https://github.com/Islandora/islandora_drupal_filter/blob/master/README.md

> 'This is the servlet filter to permit the *Fedora *Commons repository
> software to authenticate *against *a *Drupal database*"
>
> That is not the case at all: this servlet is to permit *a potential
> drupal user *to authenticate *against *the *drupal database*. Fedora

> never authenticates back against drupal
>
> The description on this link is correct:
> https://wiki.duraspace.org/pages/viewpage.action?pageId=45547883
>
> "If you use the Drupal servlet filter to connect to multiple Drupal
> databases there is potential for users with the same username in each
> database to access each others private objects. To avoid this, use the
> Drupal LDAP module. A Drupal multi-site environment utilizing the LDAP
> module for all sites ensures a unique username/site configuration."
>
> On the other hand, there seems to be a 2nd stage to this mechanism in
> which the drupal servlet will access the fedora repository (fedora3
> database) with a default internal service account with credentials

> user="*djatoka*", password="*djatoka*", and depending on the policies

> already defined on the fedora repository for an authenticated or
> anonymous user, fedora will return the results of a search for example.
> That authenticated/anonymous awareness would also determine
> who/how/whether fedora would allow data to be ingested (by whichever
> user is logged in by the drupal application layer above).
>

> What is not clear yet is if/how/where we can overwrite the *djatoka
> *internal service account somewhere on the drupal/islandora
> configuration with the already existing *fedoraAdmin *account, which has

> all necessary/granted permissions to manipulate fedora3.
>
> Please correct me on those points that I misinterpreted this mechanism.
>

> In the meantime I'll create a *djatoka/**djatoka user/passwd *in the

> fedora3 database with the same permissions as fedoraAdmin is see what
> happens to the islandora-to-fedora authentication.
>
> Thanks for any input/addition/correction/feedback
> ---
> Jaime
>

[Jaime Pinto]

Just a quick follow up:
I managed to get islandora going since yesterday, but using strictly the versions of the packages listed in the installation link below as being the tested configuration.
https://wiki.duraspace.org/display/ISLANDORA713/Chapter+8+-++Installing+Islandora

For instance:
oracle-java7-installer
fcrepo-installer-3.7.0.jar
drupal-7.1.tar.gz
fcrepo-drupalauthfilter-3.7.0.jar
tuque-1.3.zip
islandora_batch-7.x-1.3
fedoragsearch-2.6.zip
solr-4.2.0.tgz

Thanks
Jaime