c-scale-community / workflow-coastal-hydrowaq

Porting and deploying the HiSea use case on C-SCALE
Apache License 2.0

Arrange access to GRNET OpenStack #5

Closed backeb closed 2 years ago

backeb commented 3 years ago

Hi @kkoumantaros for this use case we need access to GRNET's cloud, and later probably HPC. The VO is currently being enabled in PERUN, see #1. Please advise what we, the users, should do on our side to get access to the GRNET OpenStack. Thanks Bjorn cc @sandragaytan @avgils @nikosT @soumplis @sebastian-luna-valero @yan0s @ntellgrnet

kkoumantaros commented 3 years ago

please assign this one to @yan0s

kkoumantaros commented 3 years ago

Also I think you will need to provide some configuration info @enolfc ?

yan0s commented 3 years ago

We have currently integrated EGI Check-In with our OpenStack. Is the VO registered in EGI? As a first step I need my account to become a member of this VO. How can I do that?

yan0s commented 3 years ago

@backeb

enolfc commented 3 years ago

@yan0s you can register at https://perun.egi.eu/fed/registrar/?vo=hisea and it should work with your existing Check-in identity. In any case, you don't need to be a member of the VO to support it at the site (unless of course you want to test things).

yan0s commented 3 years ago

Hello @enolfc, I got the following error: image

nikosT commented 3 years ago

> Hello @enolfc, I got the following error: image

I also experience the same error

sebastian-luna-valero commented 3 years ago

Hi @yan0s @nikosT

I had a similar issue. Please try clicking "It's not me" to pass that pop-up window and see if you get something similar to this:

image

If yes, then click submit.

Then, according to https://operations-portal.egi.eu/vo/view/voname/hisea.c-scale.eu @sandragaytan should receive and approve your request to join the VO.

I hope that helps.

Best regards, Sebastian

yan0s commented 3 years ago

Thanks @sebastian-luna-valero. That did it. Now I can see in Perun that I am a member of the VO. To provide access to OpenStack to the members of the VO, the EGI login must provide a hisea specific entitlement. It was my impression that being a member of the VO in Perun would grant me some kind of new entitlement, but I see that this is not the case.

My test to make sure EGI Check-In is integrated with OpenStack was to create a group in EGI, become a member and then the entitlement "urn:mace:egi.eu:group:registry:cloud.grnet.gr:role=member#aai.egi.eu" was granted to all members of the group. I then used this entitlement to map users having it as users that can access a certain project in OpenStack.

How can we get something similar with Perun? @enolfc

nikosT commented 3 years ago

> Hi @yan0s @nikosT
>
> I had a similar issue. Please try clicking "It's not me" to pass that pop-up window and see if you get something similar to this:
>
> image
>
> If yes, then click submit.
>
> Then, according to https://operations-portal.egi.eu/vo/view/voname/hisea.c-scale.eu @sandragaytan should receive and approve your request to join the VO.
>
> I hope that helps.
>
> Best regards, Sebastian

I also confirm that. I'm waiting now for the approval.

Thanks @sebastian-luna-valero !

sebastian-luna-valero commented 3 years ago

Hi @yan0s

Enol may confirm later but I think the conversation here might be relevant regarding your question about the entitlement.

Best regards, Sebastian

yan0s commented 3 years ago

Hi @sebastian-luna-valero, according to the conversation you mentioned I should have the entitlement "urn:mace:egi.eu:group:hisea:members:role=member#aai.egi.eu". Trying to connect to our OpenStack service I can see that I do not have such an entitlement. Is there, maybe, an extra step in Perun or in EGI needed in order to release this entitlement?

enolfc commented 3 years ago

In principle there shouldn't be any extra step for Check-in to get this info (if you are using the same user in Perun and Check-in). If this is not happening we need to get in touch with Check-in support to clarify.

sebastian-luna-valero commented 3 years ago

I have reported the issue to Check-in and will report back the answer.

sebastian-luna-valero commented 3 years ago

PERUN support confirmed that this issue is solved now.

@yan0s could you please check whether you have the entitlement now?

However, here is the error I get when I try to log into the GRNET's OpenStack service today:

An error occurred during a connection to keystone-louros.cloud.grnet.gr:5000. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

I think it was working fine yesterday.

soumplis commented 3 years ago

@sebastian-luna-valero Can you please try again, there were some transient issues earlier today.

sebastian-luna-valero commented 3 years ago

That's working for me now, thank you very much!

I guess we wait until others have joined the VO and confirmed access to the Horizon dashboard before closing the ticket?

backeb commented 3 years ago

When I follow this link: https://perun.egi.eu/fed/registrar/?vo=hisea I get: "You are already registered. Your membership in hisea.c-scale.eu is valid until 2023-08-23."

@yan0s can you share the link to your OpenStack Dashboard so we can try to instantiate a VM?

soumplis commented 3 years ago

@backeb Please use https://ui.cloud.grnet.gr

backeb commented 3 years ago

> @backeb Please use https://ui.cloud.grnet.gr

Thanks @soumplis, I can access the OpenStack Dashboard. @sandragaytan could you follow the link and sign in using EGI SSO? If it works for you we can set up a test VM for @lorincmeszaros

backeb commented 2 years ago

@backeb @lorincmeszaros @avgils test workflow to get access and feedback issues (if any)

backeb commented 2 years ago

Hi @soumplis 👋 For some reason now, when I follow the link to https://ui.cloud.grnet.gr and try to log in using EGI SSO I get the following error: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

kkoumantaros commented 2 years ago

I guess you mean EGI Check-in, not EGI SSO. I'm able to log in with GRNET IdP using EGI Check-in; perhaps the issue is with EGI SSO.

backeb commented 2 years ago

Yes, sorry, I mean EGI Check-in (how is EGI Check-in different from EGI SSO?)

image

After this step it takes me to https://aai.egi.eu and talks about "EGI AAI OpenID Connect Provider Proxy requires that the information below is transferred."

After clicking "Yes" I get {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

@enolfc @sebastian-luna-valero is there something going on with EGI Check-in?

kkoumantaros commented 2 years ago

Try an incognito window, I think you have a stale cache.

yan0s commented 2 years ago

Hello @backeb, to access the "C-SCALE-HiSea" project in our OpenStack you need to have the entitlement "urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu" in your EGI account. You can verify you have this entitlement when logging in when you are on this page

image

If you don't have the entitlement you need to register to the hisea group in Perun.

sebastian-luna-valero commented 2 years ago

Hi,

I am having the same issue. I also tried an incognito window.

Please note that the VO info is hosted in Perun so I am wondering whether this is related:

https://github.com/tdviet/fedcloudclient/issues/54

Is the group:group expected in:

urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu

Could @sustr4 please confirm?

By the way @backeb here is https://aai.egi.eu/oidc/manage/user/profile how to get @yan0s info.

Best regards, Sebastian

backeb commented 2 years ago

Hi @kkoumantaros and @yan0s

I've tried also in an incognito window and still get the same error.

I also have the entitlement urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu in my EGI account image

yan0s commented 2 years ago

It was a typo on my part, it should be fixed now. Can you, please, try again?

sebastian-luna-valero commented 2 years ago

It's working now.

Thank you very much @yan0s

backeb commented 2 years ago

Thanks @yan0s, I can confirm it works for me now as well.

mariojmdavid commented 2 years ago

Please tell me why, and well justified, the entitlement now has a duplicate "group" since a week ago or so, because I can assure you it didn't have one before that date.

These changes in either the identity or attribute providers simply break things, i.e. authorization of the users, with no notification whatsoever to the resource providers.

backeb commented 2 years ago

@kkoumantaros this morning when I tried to access https://ui.cloud.grnet.gr/ using EGI SSO, I get an error: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

I guess something changed in the backend again with EGI Check-in. Can someone please fix this?

cc @yan0s @sebastian-luna-valero @avgils

kkoumantaros commented 2 years ago

I'm able to log in. Could you try a private window?

On 7 Sep 2021, at 9:52 AM, Bjorn Backeberg wrote:

> @kkoumantaros this morning when I tried to access https://ui.cloud.grnet.gr/ using EGI SSO, I get an error: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}
>
> I guess something changed in the backend again with EGI Check-in can someone please fix this?
>
> cc @yan0s @sebastian-luna-valero @avgils


sebastian-luna-valero commented 2 years ago

Same problem here. I tried logging in with a clean session.

Could this be related to the entitlement update? Before we had:

urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu

Now we have

urn:mace:egi.eu:group:hisea:role=member#aai.egi.eu

i.e. group is no longer duplicated.

Please have a look at the Check-in configuration change explained in https://github.com/tdviet/fedcloudclient/issues/54#issuecomment-900220819

backeb commented 2 years ago

@kkoumantaros I get the same error with an incognito window. I agree it could be related to the issue above @sebastian-luna-valero describes. Had the same issue on INCD

yan0s commented 2 years ago

Hello @backeb, it seems that the entitlement that the users of "hisea" group get from EGI (or Perun) has changed from:

urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu

to

urn:mace:egi.eu:group:hisea:role=member#aai.egi.eu

I changed the mapping in our deployment with the updated entitlement. It should be ok now.
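Added example, not part of the thread and not GRNET's, EGI's or Perun's code: a small check a resource provider could run to tell "the user lacks the entitlement" apart from "the entitlement literal in our mapping has drifted", which is the failure behind the 401 responses above. The function names and the near-miss heuristic (same role and authority, same leaf group short name) are assumptions made for illustration; the sample claims are constructed from the entitlements quoted in this thread.

```python
import re

# Group entitlement layout seen in this thread (AARC-G002 style):
#   urn:mace:egi.eu:group:<group path>:role=<role>#<authority>
_ENT = re.compile(r"^urn:mace:egi\.eu:group:(?P<path>[^#]+?)"
                  r"(?::role=(?P<role>[^#:]+))?#(?P<auth>[^#]+)$")

def parse(entitlement):
    """Split an entitlement into (group path list, role, authority)."""
    m = _ENT.match(entitlement.strip())
    if m is None:
        raise ValueError(f"not an EGI group entitlement: {entitlement!r}")
    return m["path"].split(":"), m["role"], m["auth"]

def _short_name(path):
    # Leaf group, first DNS label: "hisea.c-scale.eu" -> "hisea"
    return path[-1].split(".")[0]

def diagnose(configured, presented):
    """Compare the literal a site maps on with what a login presented.

    Returns ("match", value), ("drift", value) or ("absent", None).
    "drift" is a hint for the operator to review the mapping; it must
    never be used to grant access automatically.
    """
    if configured in presented:
        return "match", configured
    c_path, c_role, c_auth = parse(configured)
    for ent in presented:
        try:
            path, role, auth = parse(ent)
        except ValueError:
            continue  # other claim types are ignored
        if (role, auth) == (c_role, c_auth) and \
                _short_name(path) == _short_name(c_path):
            return "drift", ent
    return "absent", None

# Constructed sample: the site mapping still carries the older literal.
SITE_MAPPING = "urn:mace:egi.eu:group:group:hisea:role=member#aai.egi.eu"
LOGIN_CLAIMS = [
    "urn:mace:egi.eu:group:registry:cloud.grnet.gr:role=member#aai.egi.eu",
    "urn:mace:egi.eu:group:hisea:role=member#aai.egi.eu",
]

if __name__ == "__main__":
    print(diagnose(SITE_MAPPING, LOGIN_CLAIMS))
```

Logging the "drift" result next to the rejected login gives the site operator the changed value directly, without waiting for users to report the 401.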

sebastian-luna-valero commented 2 years ago

Many thanks @yan0s

It works for me now.

sebastian-luna-valero commented 2 years ago

Hi,

After a recent change in Perun (see this ticket FYI) I no longer have access to:

Summary of the change for C-SCALE VOs

Sorry for the inconvenience!

sustr4 commented 2 years ago

Summary of the change for C-SCALE VOs

https://operations-portal.egi.eu/vo/view/voname/aquamonitor.c-scale.eu : from aquamonitor to aquamonitor.c-scale.eu

https://operations-portal.egi.eu/vo/view/voname/hisea.c-scale.eu : from hisea to hisea.c-scale.eu

Hi, sorry, I may have underestimated the need to advertise this change. I only sought agreement from Bjorn at the WP leaders' meeting. Yes, the Perun team asked for our agreement with renaming the VOs. Wherever the former "short" names are written literally in configuration, they should be updated.

Zdeněk

mariojmdavid commented 2 years ago

mapping updated at INCD, please check

sebastian-luna-valero commented 2 years ago

It works for me again at INCD. Thanks @mariojmdavid