Closed benoitroland closed 1 year ago
dianagudu
commented
1 year ago Hi there, I believe this is the same issue as https://github.com/indigo-dc/flaat/issues/63, which was fixed in flaat v1.1.5 and will be included in the next motley-cue release, that I am preparing at the moment.
giffels
commented
1 year ago Hi @dianagudu,
thanks a lot for your answer. Do you have an estimate when the next motley-cue release will be available? We will have a demonstration in the PUNCH4NFDI context in about two weeks and need to fix the group name too long issue before that.
Thanks, Manuel
benoitroland
commented
1 year ago Dear Diana @dianagudu,
concerning the shortening of the too long group name, we can add in the latest version of the feudalAdapterLdf something like:
--- extract namespace and group name
word_split = regex.search(r'(?P
and then use the word_namespace: word = word_namespace
Cheers, Benoit
dianagudu
commented
1 year ago Hi there,
there will be a new release of motley-cue today, but this does not contain the fix for the group name too long. Regarding the timeline, two weeks is quite short, with our participation at the EGI conference next week. But it will be the next issue to tackle after that.
My understanding after our discussion was that in order to make the mapping more flexible, and at the same time that you can immediately fix this, we'd have the plan as described here, i.e.:
namespace and group informationurn:dfn.de:nfdi-de:punch:group:punch4nfdi:punch:role=intra to nfdi_punch_punch4nfdi_punch" (or actually regex 1 -> replace namespace urn:dfn.de:nfdi-de:punch with nfdi_punch and regex 2 -> what is already implemented, punch4nfdi:punch will be replaced with with punch4nfdi_punch)This feature has the potential to cause quite a bit of damage if not properly tested and documented.
dianagudu
commented
1 year ago Was fixed in feudal v0.7.1.
Use carefully! Changing the way local groups are named from entitlements will result in new groups being created and the user being removed from the old groups, so you'll have to handle any necessary data migrations manually.
Check out the note in feudal for additional information: https://git.scc.kit.edu/feudal/feudalAdapterLdf/-/issues/71#note_637005
Check out the feudal config template for how to configure the new group features: etc/feudal_adapter.conf
Dear Diana @dianagudu, dear Marcus @marcvs,
until some weeks ago, we were using motley_cue version 0.3.0-1 without any problem on some login node at KIT.
The configuration of the login node has not changed, but the use of the motley_cue version 0.3.0-1 seems now to be "broken".
The output of
mccli ssh c4p-login-dev.gridka.de --debugis the following:With the help of Manuel @giffels, we thought that there could be a possible issue with some of the
eduperson_entitlement.The output of
flaat-userinfo $(oidc-token punch-aai)contains the following entitlements:We then retrieved the information about these entitlements by adding the lines:
in the function
def is_satisfied_by(self, user_infos: UserInfos) -> CheckResult:from/usr/lib/motley-cue/lib/python3.8/site-packages/flaat/requirements.py.The output is the following:
Namely the information related to the two first entitlements does not seem to be defined.
Maybe these two entitlements are new and were not present when we did our test some weeks ago, the reason why it was working fine at that time?
If we again modify the function
def is_satisfied_by(self, user_infos: UserInfos) -> CheckResult:from/usr/lib/motley-cue/lib/python3.8/site-packages/flaat/requirements.pyto skip the "undefined" entitlements:the output of
mccli ssh c4p-login-dev.gridka.de --debugis then the following:Namely we can go "a step further" in the authentication by skipping the "undefined" entitlements.
We would like to ask you if you could please have a look at this issue?
Thanks a lot in advance!
Manuel, Benoit