Closed benoitroland closed 1 year ago
Hi there, I believe this is the same issue as https://github.com/indigo-dc/flaat/issues/63, which was fixed in flaat v1.1.5
and will be included in the next motley-cue
release, that I am preparing at the moment.
Hi @dianagudu,
thanks a lot for your answer. Do you have an estimate when the next motley-cue
release will be available? We will have a demonstration in the PUNCH4NFDI context in about two weeks and need to fix the group name too long issue before that.
Thanks, Manuel
Dear Diana @dianagudu,
concerning the shortening of the too long group name, we can add in the latest version of the feudalAdapterLdf something like:
--- extract namespace and group name
word_split = regex.search(r'(?P
and then use the word_namespace: word = word_namespace
Cheers, Benoit
Hi there,
there will be a new release of motley-cue
today, but this does not contain the fix for the group name too long. Regarding the timeline, two weeks is quite short, with our participation at the EGI conference next week. But it will be the next issue to tackle after that.
My understanding after our discussion was that in order to make the mapping more flexible, and at the same time that you can immediately fix this, we'd have the plan as described here, i.e.:
namespace
and group
informationurn:dfn.de:nfdi-de:punch:group:punch4nfdi:punch:role=intra
to nfdi_punch_punch4nfdi_punch
" (or actually regex 1 -> replace namespace urn:dfn.de:nfdi-de:punch
with nfdi_punch
and regex 2 -> what is already implemented, punch4nfdi:punch
will be replaced with with punch4nfdi_punch
)This feature has the potential to cause quite a bit of damage if not properly tested and documented.
Was fixed in feudal v0.7.1.
Use carefully! Changing the way local groups are named from entitlements will result in new groups being created and the user being removed from the old groups, so you'll have to handle any necessary data migrations manually.
Check out the note in feudal for additional information: https://git.scc.kit.edu/feudal/feudalAdapterLdf/-/issues/71#note_637005
Check out the feudal config template for how to configure the new group features: etc/feudal_adapter.conf
Dear Diana @dianagudu, dear Marcus @marcvs,
until some weeks ago, we were using motley_cue version 0.3.0-1 without any problem on some login node at KIT.
The configuration of the login node has not changed, but the use of the motley_cue version 0.3.0-1 seems now to be "broken".
The output of
mccli ssh c4p-login-dev.gridka.de --debug
is the following:With the help of Manuel @giffels, we thought that there could be a possible issue with some of the
eduperson_entitlement
.The output of
flaat-userinfo $(oidc-token punch-aai)
contains the following entitlements:We then retrieved the information about these entitlements by adding the lines:
in the function
def is_satisfied_by(self, user_infos: UserInfos) -> CheckResult:
from/usr/lib/motley-cue/lib/python3.8/site-packages/flaat/requirements.py
.The output is the following:
Namely the information related to the two first entitlements does not seem to be defined.
Maybe these two entitlements are new and were not present when we did our test some weeks ago, the reason why it was working fine at that time?
If we again modify the function
def is_satisfied_by(self, user_infos: UserInfos) -> CheckResult:
from/usr/lib/motley-cue/lib/python3.8/site-packages/flaat/requirements.py
to skip the "undefined" entitlements:the output of
mccli ssh c4p-login-dev.gridka.de --debug
is then the following:Namely we can go "a step further" in the authentication by skipping the "undefined" entitlements.
We would like to ask you if you could please have a look at this issue?
Thanks a lot in advance!
Manuel, Benoit