OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

update_ood_portal creates OIDC settings though there's no OIDC in ood-portal.yml #3831

Open aw-huit opened 2 months ago

aw-huit commented 2 months ago

Hello:

Here's the relevant part of my /etc/ood/config/ood_portal.yml:

ssl:
  - 'SSLCertificateFile "/etc/ssl/private/cert.crt"'
  - 'SSLCertificateKeyFile "/etc/ssl/private/private_key.key"'
dex_uri: /dex
dex:
    ssl: true
    connectors:
        - type: ldap
          id: ldap
          name: LDAP
          config:
            host: hostname
            insecureSkipVerify: false
            insecureNoSSL: false
            bindDN: something
            bindPW: notpassword
            userSearch:
              baseDN: dc=one,dc=two
              filter: "(objectClass=three)"
              username: x
              idAttr: y
              emailAttr: z
              nameAttr: 1
              preferredUsernameAttr: 2
host_regex: '[^/]+'
node_uri: '/node'
rnode_uri: '/rnode'
user_map_cmd: '/etc/ood/add_user.sh'

Here's the relevant section of /etc/httpd/conf.d/ood-portal.conf:

  SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType openid-connect
    Require valid-user

    ProxyPreserveHost On
    ProxyAddHeaders On
    ProxyPassReverse "http://localhost/pun"

Why is it setting /pun to openid-connect?

johrstrom commented 2 months ago

Why is it setting /pun to openid-connect?

You have dex enabled and dex is OIDC.

aw-huit commented 2 months ago

We are seeing these errors in our httpd logs, and we get "internal server error" when trying to log in, but the user's home directory is created.

[Thu Sep 26 12:25:12.523482 2024] [auth_openidc:warn] [pid 2806:tid 2863] [client 10.38.64.107:49654] oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it, referer: https://myhost/dex/auth/ldap/login?back=&state=zsizec6htjrwpdsyeojzyv2fk
[Thu Sep 26 12:25:12.523523 2024] [proxy:warn] [pid 2806:tid 2863] [client 10.38.64.107:49654] AH01144: No protocol handler was valid for the URL /pun/sys/dashboard (scheme 'unix'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://myhost/dex/auth/ldap/login?back=&state=zsizec6htjrwpdsyeojzyv2fk

Do you know where I should look next?

johrstrom commented 2 months ago

Do you know where I should look next?

Are you using httpd 2.4.62 on Amazon Linux? I'm working on getting the fixes through to the 3.1 release - but you can apply the patches directly while we wait for 3.1.9 to get released.

You need these 2 patches. The first is in 3.1.8; the second I'm still working on getting through.

https://github.com/OSC/ondemand/pull/3730 https://github.com/OSC/ondemand/pull/3827 (you don't need the tests, only the update to mod_ood_proxy/lib/node_proxy.lua)

aw-huit commented 2 months ago

Yes, I reverted to an older OS image with an earlier httpd and the auth part works now. I think I'll just wait for 3.1.9; any idea when it's going to be released?

johrstrom commented 2 months ago

Yes, I reverted to an older OS image with an earlier httpd and the auth part works now. I think I'll just wait for 3.1.9; any idea when it's going to be released?

To be clear - it's not an issue with auth, but with the lua code that proxies. In any case, 3.1.9 is coming as soon as I can push it through.
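An added log-triage helper, not part of this thread or of Open OnDemand, that parses Apache 2.4 error_log lines like the two quoted earlier and tags the two signatures discussed: the mod_auth_openidc warning about X-Forwarded-Proto without OIDCXForwardedHeaders, and the mod_proxy AH01144 error for the unix: scheme that the node_proxy.lua patches address. The sample lines are the ones from the thread plus one constructed, unrelated line; the category names and hint text are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Apache 2.4 error_log layout:
# [timestamp] [module:level] [pid P:tid T] [client IP:PORT] message[, referer: URL]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

@dataclass
class Entry:
    ts: str
    module: str
    level: str
    pid: int
    client: Optional[str]
    msg: str
    referer: Optional[str]

def parse_line(line: str) -> Optional[Entry]:
    """Parse one error_log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["module"], m["level"], int(m["pid"]),
                 m["client"], m["msg"], m["referer"])

# Category names are my own; hints summarise what the thread says about each.
HINTS = {
    "oidc-forwarded-header": "mod_auth_openidc saw X-Forwarded-Proto but "
                             "OIDCXForwardedHeaders is not set for it.",
    "proxy-no-handler": "mod_proxy rejected the unix: backend URL; on httpd "
                        "2.4.62 see OSC/ondemand PRs #3730 and #3827 "
                        "(mod_ood_proxy/lib/node_proxy.lua).",
}

def classify(e: Entry) -> Optional[str]:
    if e.module == "auth_openidc" and "OIDCXForwardedHeaders not configured" in e.msg:
        return "oidc-forwarded-header"
    if e.module == "proxy" and e.msg.startswith("AH01144"):
        return "proxy-no-handler"
    return None

def triage(lines) -> dict:
    """Group entries that match a known signature: {category: [Entry, ...]}."""
    findings: dict = {}
    for line in lines:
        e = parse_line(line)
        cat = classify(e) if e else None
        if cat:
            findings.setdefault(cat, []).append(e)
    return findings

# Constructed sample: the two lines quoted in the thread plus one unrelated notice.
SAMPLE_LOG = [
    "[Thu Sep 26 12:25:12.523482 2024] [auth_openidc:warn] [pid 2806:tid 2863] [client 10.38.64.107:49654] oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it, referer: https://myhost/dex/auth/ldap/login?back=&state=zsizec6htjrwpdsyeojzyv2fk",
    "[Thu Sep 26 12:25:12.523523 2024] [proxy:warn] [pid 2806:tid 2863] [client 10.38.64.107:49654] AH01144: No protocol handler was valid for the URL /pun/sys/dashboard (scheme 'unix'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://myhost/dex/auth/ldap/login?back=&state=zsizec6htjrwpdsyeojzyv2fk",
    "[Thu Sep 26 12:25:13.000000 2024] [core:notice] [pid 2806:tid 2863] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'",
]

if __name__ == "__main__":
    for cat, entries in triage(SAMPLE_LOG).items():
        print(f"{cat}: {len(entries)} line(s) - {HINTS[cat]}")
```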