google / clusterfuzz

Scalable fuzzing infrastructure.
https://google.github.io/clusterfuzz
Apache License 2.0
5.31k stars, 556 forks

Login Setup #1466

Closed ejbolt closed 4 years ago

ejbolt commented 4 years ago

I have clusterfuzz successfully deployed to GCloud. However, I cannot log in to the server. I've enabled Google and Email logins. However, there is no option to log in with an email/password combination, only a Google account. When I used a Google account, it says my account does not have access (I'm using my work email; not sure if that's the issue? It shouldn't be, since I have a Google account with that email), despite the fact that that same email address is listed as the project owner. Is there any guidance for this issue? I'm unsure if it's Firebase or OAuth, but I followed the documentation at https://google.github.io/clusterfuzz/production-setup/clusterfuzz/.

Thank you

[screenshot]

inferno-chromium commented 4 years ago

Please add that work email on https://console.cloud.google.com/iam-admin/iam. Once you log in, you can add any additional accounts using the /configuration page. Also, check out gae/auth.yaml in your config dir; you can add domains, etc.

ejbolt commented 4 years ago

Interesting. I've added that email in IAM, and I've added our domain to the auth.yaml file (assuming the following syntax, given the commented-out examples: `- my.org`). However, I still cannot log in. Is there an app deploy command I need to run for this? (Apologies, this is my first time working with Google Cloud; I appreciate the fast response and help you're giving.)

Also of note, 'create_config' gives this output for pip installation of some GCloud dependencies:

```
ERROR: google-cloud-storage 1.13.2 has requirement google-cloud-core<0.30dev,>=0.29.0, but you'll have google-cloud-core 0.28.1 which is incompatible.
ERROR: google-cloud-firestore 1.6.2 has requirement google-cloud-core<2.0dev,>=1.0.3, but you'll have google-cloud-core 0.28.1 which is incompatible.
Installing collected packages: antlr4-python2-runtime, backports.lzma, configparser, six, google-resumable-media, setuptools, protobuf, googleapis-common-protos, pytz, futures, certifi, urllib3, chardet, idna, requests, cachetools, pyasn1, rsa, pyasn1-modules, google-auth, enum34, grpcio, google-api-core, google-cloud-core, google-cloud-storage, msgpack, cachecontrol, google-cloud-firestore, firebase-admin, future, httplib2, google-auth-httplib2, uritemplate, google-api-python-client, ipaddress, pycparser, cffi, cryptography, pyjwt, oauthlib, requests-oauthlib, google-auth-oauthlib, google-cloud-datastore, google-cloud-monitoring, redis, google-cloud-ndb, google-cloud-profiler, MarkupSafe, Jinja2, requests-toolbelt, pbr, defusedxml, jira, distro, mozfile, mozinfo, mozprocess, oauth2client, python-dateutil, PyYAML, selenium, python-http-client, sendgrid, webob, webapp2
```

inferno-chromium commented 4 years ago

> Interesting. I've added that email in IAM, and I've added our domain to the auth.yaml file (assuming the following syntax given commented out examples:

That is so weird; if you added that email in IAM with the Project Editor or Project Owner role, then it should just allow that email to log in. What role did you add it with?

> - my.org However, I still cannot login. Is there an app deploy command I need to run for this (apologies, this is my first time working with Google Cloud, I appreciate the fast response and help you're giving).

https://google.github.io/clusterfuzz/production-setup/clusterfuzz/#deploying-new-changes

> Also of note, 'create_config' gives this output for pip installation of some GCloud dependencies:
>
> ```
> ERROR: google-cloud-storage 1.13.2 has requirement google-cloud-core<0.30dev,>=0.29.0, but you'll have google-cloud-core 0.28.1 which is incompatible.
> ERROR: google-cloud-firestore 1.6.2 has requirement google-cloud-core<2.0dev,>=1.0.3, but you'll have google-cloud-core 0.28.1 which is incompatible.
> Installing collected packages: antlr4-python2-runtime, backports.lzma, configparser, six, google-resumable-media, setuptools, protobuf, googleapis-common-protos, pytz, futures, certifi, urllib3, chardet, idna, requests, cachetools, pyasn1, rsa, pyasn1-modules, google-auth, enum34, grpcio, google-api-core, google-cloud-core, google-cloud-storage, msgpack, cachecontrol, google-cloud-firestore, firebase-admin, future, httplib2, google-auth-httplib2, uritemplate, google-api-python-client, ipaddress, pycparser, cffi, cryptography, pyjwt, oauthlib, requests-oauthlib, google-auth-oauthlib, google-cloud-datastore, google-cloud-monitoring, redis, google-cloud-ndb, google-cloud-profiler, MarkupSafe, Jinja2, requests-toolbelt, pbr, defusedxml, jira, distro, mozfile, mozinfo, mozprocess, oauth2client, python-dateutil, PyYAML, selenium, python-http-client, sendgrid, webob, webapp2
> ```

Ignore this message; it is hard to keep all deps at updated versions and not break others.

ejbolt commented 4 years ago

> That is so weird, if you added that email in IAM with Project Editor or Project Owner role, then it should just allow that email in login. What role did you add it ?

It is the project owner, in the IAM page.

[screenshot]

> https://google.github.io/clusterfuzz/production-setup/clusterfuzz/#deploying-new-changes

Huh, well that's embarrassing... That did it! I can log in with a Google account now. The email login option is still missing, and I am not authorized to access the configuration page (says I need admin access?), but I can do other tasks.

ejbolt commented 4 years ago

Turns out I cannot access the /jobs page either. Should a separate issue be opened for this since it's more permissions-related?

Dor1s commented 4 years ago

Let's re-open this one. What error are you seeing on the /jobs page?

ejbolt commented 4 years ago

I simply see this and am told I need access.

[screenshot]

On /configuration, I see this:

[screenshot]

What's strange is I have a support email set up (the same as the one I'm logging in with), but it doesn't show up on these pages. This account is the owner of the project.

inferno-chromium commented 4 years ago

This is because you added the domain in auth.yaml, so all emails from that domain work as a regular user (with non-privileged access to /configuration, /jobs). The part I don't understand is that adding stuff to project IAM as owner always works; maybe something else is needed in the Firebase config (+ @oliverchang).

ejbolt commented 4 years ago

Okay, that makes sense for why I can't access those pages. But it's still strange that when that domain is not in auth.yaml, I can't log in at all. My first thought was to use a service account with admin privileges, but since I can't log in with an email/password combination, that wouldn't work either.

urbanenomad commented 4 years ago

I believe I had the same issue, where I placed users in the GCP IAM page as App Engine Admin yet they still could not access the privileged pages. I believe I solved it by adding the correct OAuth Admin service account into the $CONFIG/gae/auth.yaml. So I added the @appspot.gserviceaccount.com account and, just in case, the Firebase adminsdk service account into the "whitelisted_oauth_emails". Then I made sure the "whitelisted_oauth_client_ids" has the OAuth client ID, which is found in the Firebase console under Authentication -> Sign-in method -> Google -> Web client ID, or you can find this in the Credentials page where you had to set up the OAuth 2.0 Client ID of type "Other" that you set up in the documentation.

That being said, I wanted to bring up another option that I am trying to figure out. Is there a way to turn off Firebase authentication? My company would like to use this tool for internal clusterfuzzing. I was able to turn on IAP access control for the App Engine app, which can control access based on Google groups. This is preferred for our company since we link our LDAP groups to Google groups and we can control access from our internal tools via Active Directory. I notice that when I turn IAP on with the app I get prompted twice, once for IAP and next for Firebase. So I would prefer that we just turn Firebase auth off from the app. I am looking into the code right now to modify it, but it looks like access is encoded into the App Engine app. Any chance we can remove Firebase Auth and just use IAP out of the box? I know that we will lose authorization controls for privileged access, but we really don't care about preventing privileged access since all people getting IAP access will only be people with privileged access.

inferno-chromium commented 4 years ago

We welcome any patches you have to use IAP auth when available. @oliverchang fyi

urbanenomad commented 4 years ago

I didn't have to do much to get IAP to work. I just turned it on from the App Engine web console for the 2 URLs, default and cron-service. It would be nice if we could force the prod GCP deployment UI access to toggle to use the local deployment UI access so no Firebase authentication is needed.

oliverchang commented 4 years ago

We shouldn't completely disable auth for IAP in production... some accountability is nice.

To support getting the user's identity via IAP, this should be very simple and require a change to only one file:

https://github.com/google/clusterfuzz/blob/fb4d1aedce2fb0d93c2d6e5cb280f6f187055101/src/appengine/libs/auth.py#L57

And following the boilerplate code from https://cloud.google.com/iap/docs/signed-headers-howto
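The identity check Oliver points at (take the user from IAP's signed header, following the Cloud IAP how-to), worked through as an added example. This is not ClusterFuzz code and not the how-to's own snippet; the signing key, the key id `kid-1`, the audience string and the user email are constructed. In production the signature would be checked by google-auth against the public keys IAP publishes at https://www.gstatic.com/iap/verify/public_key; here ES256 (ECDSA over P-256) is implemented from the curve parameters so the example runs offline, and `verify_iap_jwt` applies the checks the how-to lists: a pinned algorithm and a known key id, a valid signature, issuer `https://cloud.google.com/iap`, the app's own `/projects/PROJECT_NUMBER/apps/PROJECT_ID` audience, the validity window, and a present identity. The returned email is the value a change to `auth.py` along the lines Oliver describes would presumably feed into the existing user handling.

```python
# Added example, not ClusterFuzz code: offline verification of the IAP
# x-goog-iap-jwt-assertion header, applying the checks listed at
# https://cloud.google.com/iap/docs/signed-headers-howto. Production code
# should use google-auth against IAP's published keys; here P-256 ECDSA is
# implemented from the curve parameters, and the signing key, key id and
# audience are constructed, so everything runs offline. Python 3.8+ (pow(x, -1, m)).
import base64, hashlib, json, secrets

# NIST P-256 domain parameters (the curve behind JWS "ES256").
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
IAP_ISSUER = "https://cloud.google.com/iap"

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (demo quality, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def public_key(priv: int):
    return _mul(priv, G)

def _hash_int(msg: bytes) -> int:  # ES256 hashes with SHA-256; same bit length as N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(priv: int, msg: bytes) -> bytes:
    """ES256 signature in JWS form: raw r || s, 32 bytes each."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_hash_int(msg) + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_iap_jwt(priv: int, kid: str, aud: str, email: str, now: int) -> str:
    """Constructed stand-in for the assertion IAP attaches to each request."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    claims = {"iss": IAP_ISSUER, "aud": aud, "sub": "accounts.google.com:1234567890",
              "email": email, "iat": now, "exp": now + 600}
    body = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return body + "." + _b64u(ecdsa_sign(priv, body.encode()))

def verify_iap_jwt(token: str, keys: dict, expected_aud: str, now: int):
    """Return (email, sub) for a valid assertion; raise ValueError otherwise.
    keys maps IAP key ids to P-256 public points; expected_aud is the
    '/projects/PROJECT_NUMBER/apps/PROJECT_ID' string of this App Engine app."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_unb64u(h64))
    if header.get("alg") != "ES256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    pub = keys.get(header.get("kid"))
    if pub is None:
        raise ValueError("unknown key id")
    if not ecdsa_verify(pub, f"{h64}.{c64}".encode(), _unb64u(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(c64))
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != expected_aud:  # a token minted for another app must not pass
        raise ValueError("bad audience")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not valid at this time")
    if not (claims.get("email") and claims.get("sub")):
        raise ValueError("missing identity claims")
    return claims["email"], claims["sub"]
```

The reason to verify the JWT rather than read the plain `x-goog-authenticated-user-email` header is the one the how-to gives: a request that reaches the app without passing through IAP can carry any header value, and only the signature ties the identity to IAP. The audience check matters for the same reason; a valid assertion issued for a different IAP-protected app must not be accepted here.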

oliverchang commented 4 years ago

Filed https://github.com/google/clusterfuzz/issues/1523 for IAP auth.

inferno-chromium commented 4 years ago

IAP support is now there, closing.