seek with omniauth + AzureAD ?


Johan Loubser

May 10, 2023, 8:44:52 AM
to SEEK
Hello seek members.

I am new to seek.
The decision was made to use Seek for research data storage.
One of the requirements will be to have AzureAD with 2FA.
I have seen sample configs for Omniauth + oauth2 module.
Is this possible, and how would I go about doing the configuration?

    config.omniauth :azure_oauth2, client_id: ENV['AZURE_CLIENT_ID'], client_secret: ENV['AZURE_CLIENT_SECRET'], tenant_id: ENV['AZURE_TENANT_ID']

If this platform is not for user questions, please point me to the best options.

Johan Loubser
Stellenbosch University

Stuart Owen

May 11, 2023, 4:28:15 AM
to SEEK
Hi Johan,

I'm afraid I don't know an immediate answer to your question, but would you be able to raise a github issue ( @ https://github.com/seek4science/seek/issues/new ) ? 
We have some other omniauth related work scheduled related to improving how we configure omniauth for the LS Login, along with better documentation, so this could be looked at in conjunction with that.

It sounds very similar to how we configure Github authentication but might require some code changes to be easy to administer, but I'm not certain.

thanks,
Stuart


--
If you have installed SEEK - please take a moment to fill out our registration form at http://www.seek4science.org/seek-registration
---
You received this message because you are subscribed to the Google Groups "SEEK" group.
To unsubscribe from this group and stop receiving emails from it, send an email to seek4science...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/seek4science/2777eced-a6fa-4a45-935e-d0c9be84d371n%40googlegroups.com.

H Ding

Jul 26, 2023, 11:26:49 AM
to seek4s...@googlegroups.com
Hi Seek members,

When I try to access our project page, for example at https://fairdata.mit.edu/projects/2, I encounter the following error in email,
An ActionView::Template::Error occurred in projects#show:
undefined method `sharing_scope' for nil:NilClass
lib/seek/permissions/authorization.rb:42:in `authorized_by_policy?'
I am the administrator of the project. Interestingly, my colleague can open the same project page without any issue.

The backtrace is,
lib/seek/permissions/authorization.rb:42:in `authorized_by_policy?'
lib/seek/permissions/authorization.rb:20:in `is_authorized?'
lib/seek/permissions/policy_based_authorization.rb:294:in `authorized_for_action'
(eval):14:in `authorized_for_view?'
(eval):2:in `can_view?'
lib/seek/permissions/acts_as_authorized.rb:26:in `block in authorized_for'
lib/seek/permissions/acts_as_authorized.rb:26:in `authorized_for'
lib/seek/permissions/policy_based_authorization.rb:81:in `authorized_for'
app/helpers/related_items_helper.rb:87:in `block in related_items_hash'
app/helpers/related_items_helper.rb:76:in `each'
app/helpers/related_items_helper.rb:76:in `related_items_hash'
app/helpers/related_items_helper.rb:57:in `get_related_resources'
app/views/general/_items_related_to.html.erb:3:in `_app_views_general__items_related_to_html_erb__1339664159550633322_63004200'
app/views/projects/show.html.erb:118:in `_app_views_projects_show_html_erb__2285499635538459150_60780840'
app/controllers/application_controller.rb:44:in `block in with_current_user'
app/models/user.rb:266:in `with_current_user'
app/controllers/application_controller.rb:43:in `with_current_user'
I noticed a similar issue is reported at github https://github.com/seek4science/seek/issues/1182. Do you have a clue why it happens? Any fix?

Thanks,
Huiming Ding
MIT


Finn Bacall

Jul 27, 2023, 5:04:18 AM
to seek4s...@googlegroups.com, H Ding

Hi Huiming,

The error suggests that you somehow have one or more resources in your instance without a policy.

The fact that your colleague can open the page is a clue that it may be one of the resources that they submitted (as the authorization check will pass for them before the policy needs to be checked).

Can you access a rails console for the instance? If so, you can run the following command to see which resource(s) is missing the policy:

    no_policy = helper.send(:get_related_resources, Project.find(2)).values.flat_map  { |v| v[:items].select { |i| i.policy.nil? if i.respond_to?(:policy) } }

It would be helpful to know if there is anything special about those resources, e.g. were they created via the API or something, so we can figure out how this happened.

After running the above command, you can give the broken resources a default policy by:

    no_policy.each { |i| disable_authorization_checks { i.policy = Policy.default; i.save! } }

After that you should be able to load the project page - and should go and adjust the policies of any affected resources if needed.

Cheers,

Finn


H Ding

Jul 27, 2023, 9:17:41 AM
to Finn Bacall, seek4s...@googlegroups.com
Hi Finn,

Thanks for your prompt reply.
I got the following message from running,

2.4.10 :001 >  no_policy = helper.send(:get_related_resources, Project.find(2)).values.flat_map  { |v| v[:items].select { |i| i.policy.nil? if i.respond_to?(:policy) } }
ActiveRecord::RecordNotFound: Couldn't find Project with 'id'=2

I also gave the broken resources a default policy by running

    no_policy.each { |i| disable_authorization_checks { i.policy = Policy.default; i.save! } }

The project page still shows the same error.

My colleague did upload a good number of samples to the database, for which I have different entries in the sample_auth_lookup. Could it be the reason for the issue?

Thanks,
Huiming


Finn Bacall

Jul 27, 2023, 9:52:24 AM
to H Ding, seek4s...@googlegroups.com

Is the console connected to the right database? You may need to add `-e production` to the command.

Project.find(2) should return the project at https://fairdata.mit.edu/projects/2 .

The auth lookup table is probably in an inconsistent state also. After you have fixed the policies you can run a rake task:

    RAILS_ENV=production bundle exec rake seek:repopulate_auth_lookup_tables

which will queue up several jobs to rebuild the tables.

Cheers,

Finn


H Ding

Jul 27, 2023, 10:51:48 AM
to Finn Bacall, seek4s...@googlegroups.com
Hi Finn,

Thank you very much for the great help. The problem is resolved in the end.
Here is what I did. Open the project dashboard page, in my case, it is https://fairdata.mit.edu/projects/2/stats/dashboard. Check the "Asset accessibility" section on the page, where it shows all assets published, project accessible or otherwise. When I choose the "Type" from "All" to "Samples", I received another email showing the following error message:

    A NoMethodError occurred in stats#asset_accessibility:
    undefined method `public?' for nil:NilClass
    lib/seek/permissions/publishing_permissions.rb:66:in `is_published?'

So I know the original issue was caused by the policies set up for samples, which was checked using the SQL query,

    SELECT * FROM
    seek_production.samples A
    left join seek_production.policies B
    on A.policy_id=B.id
    where B.id is NULL;

The query above returned two samples with a policy id but such policy id does not exist in the policies table. Not sure why it happened. However, after manually entering two valid policies for those two samples, all the issues are resolved. The project page is shown correctly, and the project stats on the dashboard are also shown correctly without any error.

Thanks, Finn, for pointing out the "-e production" option used for the right database. I ran the code again and found no "no_policy" issue at all afterwards.
Hope the information is useful for anyone in a similar situation.

Best regards,
Huiming 
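
The orphan check from the post above, extended as an added example (not part of the thread and not SEEK's own code): the first query separates samples with no `policy_id` from samples whose `policy_id` points at a missing row, and the second goes beyond the samples table by generating the same check for every table that has a `policy_id` column. It assumes MySQL, the `seek_production` schema named in the post, and an `id` primary key on each of those tables.

```sql
-- Added example. Assumptions: MySQL, schema `seek_production` (from the post),
-- and an `id` primary key on every table that carries a `policy_id` column.

-- 1. Samples without a resolvable policy, split by cause.
--    The anti-join (p.id IS NULL) matches both a NULL policy_id and a
--    policy_id whose row is absent from `policies`; the CASE tells them apart.
SELECT s.id AS sample_id,
       s.policy_id,
       CASE
         WHEN s.policy_id IS NULL THEN 'policy_id is NULL'
         ELSE 'policy_id has no matching policies row'
       END AS problem
FROM seek_production.samples AS s
LEFT JOIN seek_production.policies AS p
       ON p.id = s.policy_id
WHERE p.id IS NULL
ORDER BY s.id;

-- 2. Generate the same check for every table with a policy_id column,
--    so the table list comes from the database rather than from memory.
--    Each result row is one SELECT statement to run afterwards.
SELECT CONCAT(
         'SELECT ''', c.table_name, ''' AS source_table, t.id, t.policy_id ',
         'FROM `', c.table_schema, '`.`', c.table_name, '` AS t ',
         'LEFT JOIN `', c.table_schema, '`.`policies` AS p ',
         'ON p.id = t.policy_id ',
         'WHERE p.id IS NULL;'
       ) AS audit_query
FROM information_schema.columns AS c
WHERE c.table_schema = 'seek_production'
  AND c.column_name  = 'policy_id'
ORDER BY c.table_name;
```

Every row returned by a generated statement is a record with no resolvable policy, the condition behind the `nil:NilClass` errors in this thread.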
