aws / res

Research and Engineering Studio (RES) is an AWS supported open source product that enables IT administrators to provide an easy-to-use web portal for scientists and engineers to run technical computing workloads on AWS.
https://github.com/aws/res
Apache License 2.0

[BUG] Failed to login AD users #63

Open BoPeng opened 2 weeks ago

BoPeng commented 2 weeks ago

Describe the bug
With a fresh installation, non-clusteradmin users cannot log in. Resetting the password through AWS Directory Service does not work either.

This could be the same issue as https://github.com/aws/res/issues/36

Steps to reproduce the behavior:

  1. default installation
  2. resetting the password for user1, user2, etc. does not work.

Expected behavior
AD users should be able to log in.

Additional context

Users can log in to the Windows admin node as corp\user1 with the same password. After a failed login attempt, the <env>/cluster-manager log group shows the following message, but no details on why the login failed.

[2024-09-16 17:42:40,085] [INFO] [api] (res) [actor:unknown|auth:public] Auth.InitiateAuth (1 ms) [UNAUTHORIZED_ACCESS]

The cognito user pool has one user clusteradmin.

It would be helpful to know where to look for more debug information.

junbo75 commented 2 weeks ago

Thanks for reporting the issue. Could you provide the following information so that we can look more into it?

BoPeng commented 2 weeks ago

> Were you able to reset the user password in the AWS Directory Service console successfully?

I was able to reset the password through the AWS DS console, and through Server Management from the Windows admin nodes. I can log in to the Windows admin node with the new password if I change the password through the AWS DS console.

> Have you set up SSO following ...

No. I am working with our institutional IT on this. Without SSO and with a non-working AD, we only have one user clusteradmin in the system.

> Are there any users in the .accounts.users DynamoDB table?

I have three users in this table. One clusteradmin, two copied from AD. I initially could not see these two users in RES, but I figured out the problem. (see https://github.com/aws/res/issues/62).

> Are there any cluster-manager logs which indicate that RES has detected users and groups from AD?

I do see messages like

[2024-09-18 23:00:36,243] [INFO] [ad-sync] Fetching RES users

but I could not find any details about failed authentication attempts. Resetting the password did not work either. The system says an email has been sent, but no email was received.

Edit: When I failed to log in, the browser console window shows:

[screenshot]
junbo75 commented 1 week ago

You can only log in to the RES portal as AD users after SSO is enabled. Note that clusteradmin doesn't exist in AD and was created by the RES deployment in Cognito.

In the normal workflow, you should receive an email that includes the clusteradmin user credentials after installing RES. After logging in as the clusteradmin user, you can configure SSO following https://docs.aws.amazon.com/res/latest/ug/manage-users.html.

If you didn't receive emails about the clusteradmin user credentials, I would suggest checking:

  1. Whether the AdministratorEmail parameter was provided correctly during the RES installation
  2. Whether the sender (no-reply@verificationemail.com) was blocked or whether the email was filtered out for some reason

To get around the problem, you can manually reset the clusteradmin password using the AWS CLI. Please check https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-reset-user-password.html
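
As an added example, not code from the RES project or from anyone in this thread: a small POSIX shell helper for the AWS CLI workaround described above. It assumes the clusteradmin user lives in the Cognito user pool that the RES deployment created, that the pool ID is supplied through an assumed RES_USER_POOL_ID variable (look it up in the Cognito console or with `aws cognito-idp list-user-pools --max-results 60`), and that the caller has IAM permission for the cognito-idp Admin* calls. It shows both the admin-reset-user-password path, which still depends on Cognito's e-mail reaching the administrator, and admin-set-user-password with --permanent, which does not.

```shell
#!/usr/bin/env sh
# Added example, not RES project code: reset the Cognito-native clusteradmin
# password from the AWS CLI when the credentials e-mail never arrived.
# Assumes AWS CLI v2 and IAM permissions for the cognito-idp Admin* calls.
# RES_USER_POOL_ID is an assumed variable name; find the pool ID in the
# Cognito console or with: aws cognito-idp list-user-pools --max-results 60

RES_USER_POOL_ID="${RES_USER_POOL_ID:-}"
RES_ADMIN_USER="${RES_ADMIN_USER:-clusteradmin}"   # created by RES in Cognito
AWS_CMD="${AWS_CMD:-aws}"   # set AWS_CMD=echo to dry-run and inspect the calls

res_require_pool() {
  [ -n "$RES_USER_POOL_ID" ] || { echo "RES_USER_POOL_ID is not set" >&2; return 1; }
}

# Show the Cognito UserStatus (CONFIRMED, FORCE_CHANGE_PASSWORD, RESET_REQUIRED, ...)
# before changing anything; it tells you which of the two paths below applies.
res_admin_status() {
  res_require_pool || return 1
  $AWS_CMD cognito-idp admin-get-user \
    --user-pool-id "$RES_USER_POOL_ID" --username "$RES_ADMIN_USER" \
    --query UserStatus --output text
}

# Path 1 (the command linked in the reply above): it does NOT choose a new
# password. It marks the user RESET_REQUIRED and e-mails a confirmation code,
# so it only helps if Cognito's mail actually reaches the administrator.
res_admin_reset_via_email() {
  res_require_pool || return 1
  $AWS_CMD cognito-idp admin-reset-user-password \
    --user-pool-id "$RES_USER_POOL_ID" --username "$RES_ADMIN_USER"
}

# Random password built from the base64 alphabet plus a fixed "a1A!" tail, so
# it needs no JSON escaping and contains lower, upper, digit and symbol classes.
# Check it against your pool's actual password policy (an assumption here).
res_generate_password() {
  _len="${1:-20}"
  _body="$(head -c 64 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-"$_len")"
  printf '%sa1A!\n' "$_body"
}

# Path 2: set a known password directly, no e-mail round trip. The password
# goes through --cli-input-json from a 0600 temp file so it does not show up
# in shell history or `ps` output the way a --password flag would.
# If you supply your own password, avoid '"' and '\' (not JSON-escaped here).
res_admin_set_password() {
  _pw="$1"
  res_require_pool || return 1
  [ -n "$_pw" ] || { echo "usage: res_admin_set_password <new-password>" >&2; return 1; }
  _old_umask="$(umask)"; umask 077
  _tmp="$(mktemp)"; umask "$_old_umask"
  printf '{"UserPoolId":"%s","Username":"%s","Password":"%s","Permanent":true}\n' \
    "$RES_USER_POOL_ID" "$RES_ADMIN_USER" "$_pw" > "$_tmp"
  $AWS_CMD cognito-idp admin-set-user-password --cli-input-json "file://$_tmp"
  _rc=$?
  rm -f "$_tmp"
  return $_rc
}

# Minimal dispatcher so the file also works as a script, e.g.:
#   RES_USER_POOL_ID=us-east-1_XXXXXXXXX sh reset_clusteradmin.sh status
#   RES_USER_POOL_ID=... sh reset_clusteradmin.sh set "$(sh reset_clusteradmin.sh gen)"
case "${1:-}" in
  status) res_admin_status ;;
  reset)  res_admin_reset_via_email ;;
  gen)    res_generate_password ;;
  set)    res_admin_set_password "${2:-}" ;;
  "")     ;;   # sourced or run without arguments: define functions only
  *)      echo "usage: $0 {status|reset|gen|set <password>}" >&2; exit 2 ;;
esac
```

Run `status` first: if the user is already in RESET_REQUIRED, an earlier reset was issued and the e-mail path is what is failing, which points back at the AdministratorEmail and sender-filtering checks above. A password set with --permanent is a break-glass credential; rotate it from the portal once SSO is configured. With AWS_CMD=echo the helper prints the exact API calls it would make without touching the pool.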

BoPeng commented 1 week ago

> You can only log in to the RES portal as AD users after SSO is enabled.

Could you please elaborate why this is the case? According to the RES documentation on Create a demo environment, users should be able to reset their password from the AD console and log in. The documentation does not mention SSO integration.

I am also confused about the SSO/Cognito users and AD users. When a user logs in with SSO, an 'external user' is created under Cognito. Will this user be synced to AD? If a user logs in with AD users (which does not work for me now), will the users be synced to the Cognito user pool? If the users are present both in AD and Cognito and we change a user's password through AD, will the user still be able to log in through the SSO password?