pam login issue


Sandra Maksimovic
Hi there,

Galaxy newbie here. I have a brand new v20.01 instance but am having a problem getting PAM-based user logins to work correctly.

The problem, it seems to me, has to do with the service not having sufficient permissions to create a 'new' user account folder, because it wants to append our org's email suffix to the folder name instead of just detecting that the correctly named username folder without the suffix in fact already exists (mounted via NFS) and therefore does not need to be created.

Note that this mechanism was previously working in v19.05.

Here is the issue:

galaxy.webapps.galaxy.controllers.user DEBUG 2020-04-30 16:25:49,481 [p:86293,w:1,m:0] [uWSGIWorker1Core0] trans.app.config.auth_config_file: /hpc/software/installed/galaxy/20.01/config/auth_conf.xml
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,482 [p:86293,w:1,m:0] [uWSGIWorker1Core0] use username: True use email False email None username sandra
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,482 [p:86293,w:1,m:0] [uWSGIWorker1Core0] PAM auth: will use external helper: False
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,868 [p:86293,w:1,m:0] [uWSGIWorker1Core0] PAM authentication successful for sandra
galaxy.auth.util DEBUG 2020-04-30 16:25:49,873 [p:86293,w:1,m:0] [uWSGIWorker1Core0] Email: [hidden email], auto-register with username: sandra
galaxy.web.framework.decorators ERROR 2020-04-30 16:25:50,042 [p:86293,w:1,m:0] [uWSGIWorker1Core0] Uncaught exception in exposed API method:
Traceback (most recent call last):
  File "lib/galaxy/web/framework/decorators.py", line 282, in decorator
    rval = func(self, trans, *args, **kwargs)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 122, in login
    return self.__validate_login(trans, payload, **kwd)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 147, in __validate_login
    message, user = self.__autoregistration(trans, login, password)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 105, in __autoregistration
    trans.handle_user_login(user)
  File "lib/galaxy/web/framework/webapp.py", line 720, in handle_user_login
    self.user_checks(user)
  File "lib/galaxy/web/framework/webapp.py", line 665, in user_checks
    self.check_user_library_import_dir(user)
  File "lib/galaxy/web/framework/webapp.py", line 657, in check_user_library_import_dir
    safe_makedirs(os.path.join(self.app.config.user_library_import_dir, user.email))
  File "lib/galaxy/util/path/__init__.py", line 114, in safe_makedirs
    makedirs(path)
  File "/hpc/software/installed/galaxy/20.01/.venv/lib64/python3.6/os.py", line 220, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/home/[hidden email]'

Here is the auth_conf.xml:

<?xml version="1.0"?>
<auth>
    <authenticator>
        <type>PAM</type>
        <options>
            <auto-register>True</auto-register>
            <maildomain>mcri.edu.au</maildomain>
            <login-use-username>True</login-use-username>
            <pam-service>sshd</pam-service>
        </options>
    </authenticator>
</auth>

FYI, in case it's relevant, the server's sssd.conf has also been customised to drop the domain suffix.

Any ideas? Is there perhaps some additional config in the v20.01 galaxy.yml that I've missed?

Thanks,

Sandra Maksimovic
Systems Administrator
Information Technology

Murdoch Children's Research Institute
The Royal Children's Hospital, 50 Flemington Road
Parkville, Victoria 3052 Australia

T    +61 3 8341 6498
E    [hidden email]
W    https://www.mcri.edu.au/


Re: pam login issue

Sandra Maksimovic
Solution: Disable all user_library_import settings.

From: Sandra Maksimovic [mailto:[hidden email]]
Sent: Thursday, 30 April 2020 4:28 PM
To: [hidden email]
Subject: [galaxy-dev] pam login issue

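
An added diagnostic, not part of the original messages and not Galaxy's own code: it rebuilds the path from the `safe_makedirs(os.path.join(... user_library_import_dir, user.email))` frame in the traceback and reports whether the calling process could create it and whether it stays inside the base directory. The function and class names are hypothetical, `example.org` is a constructed domain, and the email is assumed to be the username plus `@` and the configured maildomain.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class ImportDirCheck:
    target: str                # directory the login step would try to create
    target_exists: bool        # already there, so nothing has to be created
    username_dir_exists: bool  # the NFS-style directory named after the login
    base_writable: bool        # can this process create entries in the base?
    contained: bool            # target resolves to a path inside the base

    @property
    def login_would_fail(self):
        # Creation is only attempted, and can only be denied, when the
        # email-named directory is missing.
        return not self.target_exists and not self.base_writable


def check_user_import_dir(base_dir, username, maildomain):
    """Report what joining the base directory with the user's email yields."""
    email = f"{username}@{maildomain}"  # assumption: auto-registered address
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, email))
    return ImportDirCheck(
        target=target,
        target_exists=os.path.isdir(target),
        username_dir_exists=os.path.isdir(os.path.join(base, username)),
        base_writable=os.access(base, os.W_OK | os.X_OK),
        contained=os.path.commonpath([base, target]) == base,
    )


def demo():
    """Constructed layout: a home-style base that already holds 'sandra'."""
    base = tempfile.mkdtemp(prefix="import_dir_demo_")
    os.mkdir(os.path.join(base, "sandra"))
    return base, check_user_import_dir(base, "sandra", "example.org")


if __name__ == "__main__":
    base, result = demo()
    print(result)
    print("login would fail:", result.login_would_fail)
```

Run it as the account the Galaxy service uses, since `os.access` answers for the calling process.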