Dashboard Slow To Load After CAS (OnDemand SELinux)

Hey All,

So I am getting some concerns regarding my production instance of Open OnDemand 2.0.27 that I have running on my cluster’s head node. After it passes through our university’s CAS, the Dashboard takes about 1-2 minutes to load fully. Additionally, when it does, all of the top navigation does not actually work (just adding # to the end of the URL) unless you manually go to a page like pun/sys/dashboard/activejobs first by URL.

I believe this is probably related to SELinux given when I turn enforcement off the load time speeds up and the # linking only appears to have started after I changed ondemand_use_shell_app to on.

(base) [root@link ~]# semanage boolean -l | grep ondemand
ondemand_manage_user_home_dir  (off  ,  off)  Allow ondemand to manage user home dir
ondemand_manage_vmblock        (off  ,  off)  Allow ondemand to manage vmblock
ondemand_use_kerberos          (off  ,  off)  Allow ondemand to use kerberos
ondemand_use_kubernetes        (off  ,  off)  Allow ondemand to use kubernetes
ondemand_use_ldap              (off  ,  off)  Allow ondemand to use ldap
ondemand_use_nfs               (on   ,   on)  Allow ondemand to use nfs
ondemand_use_shell_app         (on   ,   on)  Allow ondemand to use shell app
ondemand_use_slurm             (on   ,   on)  Allow ondemand to use slurm
ondemand_use_ssh               (on   ,   on)  Allow ondemand to use ssh
ondemand_use_sssd              (on   ,   on)  Allow ondemand to use sssd
ondemand_use_torque            (off  ,  off)  Allow ondemand to use torque

Any ideas?

~ Joe G.

So this issue is really starting to cause a lot of disappointment from faculty and students. I have confirmed that this is not due to the CAS section, it’s 100% related to the PUN spin up.

@jeff.ohrstrom , have any thoughts on this?

~ Joe G.

I’d open your browser’s console logs and see if there’s anything funny there. My guess is you can’t download assets (javascript) so clicking stuff doesn’t do anything (because there’s no javascript to do the thing or it barfs in trying to do the thing).

So this was the output of the console:

Mixed Content: The page at 'https://link.phys.wvu.edu/pun/sys/dashboard' was loaded over HTTPS, but requested an insecure script 'http://sso.wvu.edu/cas/login?service=https%3a%2f%2flink.phys.wvu.edu%2fpun%2fsys%2fdashboard%2fpacks%2fjs%2fapplication-9f00c6b9497e18dcada3.js'. This request has been blocked; the content must be served over HTTPS.

Mixed Content: The page at 'https://link.phys.wvu.edu/pun/sys/dashboard' was loaded over HTTPS, but requested an insecure stylesheet 'http://sso.wvu.edu/cas/login?service=https%3a%2f%2flink.phys.wvu.edu%2fpun%2fsys%2fdashboard%2fpacks%2fcss%2fapplication-0679c5e6.css'. This request has been blocked; the content must be served over HTTPS.

Mixed Content: The page at 'https://link.phys.wvu.edu/pun/sys/dashboard' was loaded over HTTPS, but requested an insecure stylesheet 'http://sso.wvu.edu/cas/login?service=https%3a%2f%2flink.phys.wvu.edu%2fpun%2fsys%2fdashboard%2fassets%2fapplication-2fde447313952cf2d4f0c8cf0b2f0549ed7eac0e3aaf162a376b4fbe0589ac7e.css'. This request has been blocked; the content must be served over HTTPS.

Mixed Content: The page at 'https://link.phys.wvu.edu/pun/sys/dashboard' was loaded over HTTPS, but requested an insecure script 'http://sso.wvu.edu/cas/login?service=https%3a%2f%2flink.phys.wvu.edu%2fpun%2fsys%2fdashboard%2fassets%2fapplication-58aa39ab65897a0114c919411ff150acdeb067cdfd4b57acb833f552e153e70b.js'. This request has been blocked; the content must be served over HTTPS.

This led me to /etc/httpd/conf.d/auth_cas.conf and the CAS URL was pointed to http:// rather than https://. Fixing this and restarting httpd addressed the issue and it now loads snappily and without the above issues.

My only thought as to why turning off SELinux fixes it is that there is a boolean set to look at these kinds of scripts and raise a permission flag when they get accessed not through HTTPS. Anyway, problem solved!

~ Joe G.
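
The check that resolved this thread, as an added example that is not part of the original posts: it flags CAS URL directives in an auth_cas.conf that do not use https, and pulls the blocked CAS login request and the original asset URL out of a browser "Mixed Content" line. The function names are hypothetical, the directive names (CASLoginURL, CASValidateURL, CASCookiePath) are mod_auth_cas directives assumed to be the ones in use, and the hostnames and config lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches mod_auth_cas URL directives (CASLoginURL, CASValidateURL, ...).
# Apache directive names are case-insensitive and arguments may be quoted.
CAS_URL_DIRECTIVE = re.compile(r'^\s*(CAS\w*URL)\s+"?(\S+?)"?\s*$', re.IGNORECASE)
BLOCKED = re.compile(r"requested an insecure (\w+) '([^']+)'")


def insecure_cas_urls(conf_text):
    """Return (line_no, directive, url) for each CAS URL directive not using https."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = CAS_URL_DIRECTIVE.match(line)  # '#' comment lines never match
        if m and urlsplit(m.group(2)).scheme.lower() != "https":
            findings.append((no, m.group(1), m.group(2)))
    return findings


def blocked_cas_requests(console_text):
    """From 'Mixed Content' console lines, return (kind, cas_host, asset_url)."""
    out = []
    for kind, url in BLOCKED.findall(console_text):
        parts = urlsplit(url)
        service = parse_qs(parts.query).get("service")  # percent-decoded by parse_qs
        if parts.scheme == "http" and service:
            out.append((kind, parts.hostname, service[0]))
    return out


# Constructed sample input: placeholder hostnames, not the poster's real config.
SAMPLE_CONF = """\
# /etc/httpd/conf.d/auth_cas.conf (constructed)
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL http://sso.example.edu/cas/login
CASValidateURL "https://sso.example.edu/cas/serviceValidate"
"""
SAMPLE_CONSOLE = (
    "Mixed Content: The page at 'https://ood.example.edu/pun/sys/dashboard' was loaded "
    "over HTTPS, but requested an insecure script 'http://sso.example.edu/cas/login?"
    "service=https%3a%2f%2food.example.edu%2fpun%2fsys%2fdashboard%2fpacks%2fjs%2fapp.js'. "
    "This request has been blocked; the content must be served over HTTPS."
)

if __name__ == "__main__":
    for no, directive, url in insecure_cas_urls(SAMPLE_CONF):
        print(f"line {no}: {directive} is not https: {url}")
    for kind, host, asset in blocked_cas_requests(SAMPLE_CONSOLE):
        print(f"blocked {kind}: {asset} was requested via http CAS login at {host}")
```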
