ohsu-comp-bio / euler

Authentication (authN) and high-level Authorization (authZ) for BMEG, Dirac and Search. Includes Swift object store.

ingress / egress issues from dms-development #7

Closed bwalsh closed 7 years ago

bwalsh commented 7 years ago

validate on exastack

Brian K, As a validation exercise, I installed the euler proxy branch on dms_development.

All tested fine, but there are issues on ingress and egress. I was hoping you could shed some light.

setup

The exact steps I took were:


# ssh to dms_dev ...

# install from git
git clone https://github.com/ohsu-computational-biology/euler.git
cd euler 

# update docker and docker compose
sudo apt-get upgrade docker-engine
sudo curl -L "https://github.com/docker/compose/releases/download/1.9.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# the downloaded binary is not executable until marked so
sudo chmod +x /usr/local/bin/docker-compose

# set kernel param for elastic
sudo sysctl -w vm.max_map_count=262144

# setup useful aliases ... (see euler/README) 

# setup .env file 
# ... (see euler README)

# setup users in keystone
# exec keystone ... (see euler/services/keystone README)

# run tests
# exec api ... (see euler/services/api README)

test results

---------- coverage: platform linux2, python 2.7.11-final-0 ----------
Name                                                Stmts   Miss  Cover   Missing
---------------------------------------------------------------------------------
conftest.py                                            23      0   100%
dcc_proxy.py                                          125      0   100%
eve_util.py                                             4      0   100%
keystone_authenticator.py                              73      0   100%
keystone_connector.py                                  39      0   100%
publisher.py                                            3      0   100%
run.py                                                 61      0   100%
settings.py                                            23      0   100%
tests/integration/api_tests.py                         28      0   100%
tests/integration/keystone_authenticator_tests.py      88      0   100%
tests/integration/keystone_connector_tests.py          25      0   100%
tests/integration/proxy_tests.py                       89      0   100%
tests/integration/schema_tests.py                       1      0   100%
tests/integration/static_tests.py                      20      0   100%
---------------------------------------------------------------------------------
TOTAL                                                 602      0   100%

Access issues

LDAP

This query works from OHSU-secure on a mac, but not from dms-development on exastack

$ export OHSU_USER=walsbr
$ export LDAP_PASS=<see slack>
$ export LDAP_ADMIN_CN="cn=<see slack>,ou=Service Accounts,ou=User Accounts,dc=ohsum01,dc=ohsu,dc=edu"
$ export LDAP_BASE="ou=User Accounts,dc=ohsum01,dc=ohsu,dc=edu"
$ export LDAP_QUERY="(cn=$OHSU_USER)"
$ export LDAP_HOST=ldap.ohsu.edu
$ export LDAP_GROUP_BASE="OU=Distribution Groups,OU=Exchange,DC=ohsum01,DC=ohsu,DC=edu"
$ export LDAP_GROUP_QUERY="(memberOf=cn=$OHSU_USER)"
$
$ #
$ ldapsearch -x -w $LDAP_PASS -h $LDAP_HOST \
>   -D "$LDAP_ADMIN_CN" \
>   -b "$LDAP_BASE" \
>   "$LDAP_QUERY"
# extended LDIF
#
# LDAPv3
# base <ou=User Accounts,dc=ohsum01,dc=ohsu,dc=edu> with scope subtree
# filter: (cn=walsbr)
# requesting: ALL
#

# walsbr, User Accounts, ohsum01.ohsu.edu
dn: CN=walsbr,OU=User Accounts,DC=ohsum01,DC=ohsu,DC=edu
objectClass: top
...

Web access to dms-development

This works from dms-development

curl -s localhost/login  | grep h2
 <h2>Login</h2>

This fails from ohsu-secure

$ curl  dms-development/login
curl: (7) Failed to connect to dms-development port 80: Connection refused

[image attachment]

bwalsh commented 7 years ago

PS - egress to dcc works fine from dms-development

$ curl localhost/api/version
{"api":"v1","portal":"4.3.24","portalCommit":"435369e","indexCommit":"19d216d","indexName":"icgc23-9"}

$ curl https://dcc.icgc.org/api/version
{"api":"v1","portal":"4.3.24","portalCommit":"435369e","indexCommit":"19d216d","indexName":"icgc23-9"}
ghost commented 7 years ago

Ping requests from exastack hosts to the LDAP host succeed, so we know there is a network route. But exastack projects are behind a firewall that we don't have access to that has other rules than the ones we define in our security group. Maybe exastack has an egress rule that doesn't allow external LDAP calls. Or, there is some other OHSU firewall between the two networks. We need to ask ITG to help resolve this.
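The two failures in this thread look alike from a shell prompt (ldapsearch hanging from exastack, curl reporting "Connection refused" from ohsu-secure) but mean different things: a silent timeout indicates packets being dropped by a firewall, ACL or a middlebox without a route, while an immediate refusal means the host answered and nothing is listening or something is actively rejecting. A successful ping only shows that ICMP is allowed, not that TCP to a given port is. The following stand-alone script is an added example, not part of the issue or the euler project; it probes the hosts and ports named above (ldap.ohsu.edu on 389/636, dms-dev.ohsu.edu on 80) and classifies each outcome so the distinction is explicit. The port numbers for LDAP/LDAPS and the three-second timeout are assumptions.

```python
import socket

# Targets taken from the thread: the LDAP server and the dms-dev web port.
# The LDAP/LDAPS port numbers are assumed (standard defaults), not from the issue.
TARGETS = [
    ("ldap.ohsu.edu", 389, "ldap"),
    ("ldap.ohsu.edu", 636, "ldaps"),
    ("dms-dev.ohsu.edu", 80, "http"),
]


def classify_error(exc):
    """Map a socket exception to a short diagnosis.

    refused -> the peer sent a TCP RST: the route works, but nothing listens on
               that port or a firewall is actively rejecting (curl: "Connection refused").
    timeout -> packets are silently dropped: typical of a firewall/ACL or a
               middlebox lacking a route (ldapsearch hanging from exastack).
    dns     -> the name does not resolve from this vantage point.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "dns"
    return "error:" + type(exc).__name__


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect; return 'open' or a classify_error() string."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


def interpret(results):
    """Reduce per-port outcomes for one host to a single verdict.

    results: dict mapping port -> status string from probe_tcp().
    """
    statuses = set(results.values())
    if statuses == {"open"}:
        return "reachable"
    if "dns" in statuses:
        return "dns"            # fix name resolution before blaming firewalls
    if statuses <= {"timeout"}:
        return "filtered"       # dropped silently: firewall/ACL/missing route
    if statuses <= {"refused"}:
        return "closed"         # host answers, port closed or rejected
    return "mixed"


def local_listener():
    """Open a listener on 127.0.0.1 with an ephemeral port.

    Lets you self-test probe_tcp() offline: probing while the listener is open
    yields 'open'; after closing it, the same port yields 'refused'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def run_probes(targets=TARGETS, timeout=3.0):
    """Probe every target and return {host: {port: status}}."""
    by_host = {}
    for host, port, _label in targets:
        by_host.setdefault(host, {})[port] = probe_tcp(host, port, timeout)
    return by_host


if __name__ == "__main__":
    for host, ports in run_probes().items():
        for port, status in sorted(ports.items()):
            print("%s:%d -> %s" % (host, port, status))
        print("%s verdict: %s" % (host, interpret(ports)))
```

Run it from each vantage point (ohsu-secure, dms-development) and compare verdicts: "filtered" from one side and "reachable" from the other is the signature of an intervening firewall or load-balancer rule, which is what the ITG/NETI request in this thread is about.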

bwalsh commented 7 years ago

[image attachment]

heinlein commented 7 years ago

At this point, it looks like the load balancer that sits between exastack and the LDAP servers is lacking routes. We're working with NETI to verify that this is the issue at play and, if so, rectify it.

heinlein commented 7 years ago

Also, I've assigned the hostname dms-dev.ohsu.edu to the IPv4 address 10.96.11.151.

bwalsh commented 7 years ago

Thank you very much. I've verified that:

However, we still have a problem accessing the web port.

$ curl http://dms-dev.ohsu.edu/login
curl: (7) Failed to connect to dms-dev.ohsu.edu port 80: Connection refused

bwalsh commented 7 years ago

@heinlein I've tested the http access. All works fine. Thank you. Will reconfirm LDAP access today.

heinlein commented 7 years ago

I asked for all your standard ports, so any http-related traffic should be unhindered.

bwalsh commented 7 years ago

all good. thanks!