Problem with user mapping

Host OS: RHEL 8.4
OOD deployed with Puppet OOD module

I’m setting up OOD to authenticate through ACCESS and I’m having an issue with user mapping. After going through ACCESS, I get an error instead of being sent to the dashboard.

### Puppet config
openondemand::oidc_remote_user_claim: "eppn"
openondemand::user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron"

It appears the OOD is receiving the user claim (eppn) correctly, from the error message:

Error -- failed to map user (yanzhan2@ncsa.illinois.edu)

And the mapping script works properly on its own (I’m using the OOD shipped script):

# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron 'yanzhan2@ncsa.illinois.edu'
yanzhan2

And I’m not seeing anything in HTTPD error logs.

Could you suggest where else I might look and what could be the issue here?

Thanks,
Yan

I saw the topic "Issue using user_map_cmd" and tried to do some debugging:

  elseif user_map_cmd ~= nil then
    r:debug("mapping command: " .. user_map_cmd .. " '" .. (remote_user) .. "'")
    local handle = io.popen(user_map_cmd .. " '" .. (remote_user) .. "'")
    sys_user = handle:read()
    handle:close()
  end

It still isn’t matching for me…

[Mon Feb 27 17:27:20.540467 2023] [lua:debug] [pid 40959] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(17): [client 73.246.209.138:50567] mapping command: /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron 'yanzhan2@ncsa.illinois.edu'
[Mon Feb 27 17:27:20.602247 2023] [lua:debug] [pid 40959] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(24): [client 73.246.209.138:50567] Mapped 'yanzhan2@ncsa.illinois.edu' => '' [61.771 ms]
# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron 'yanzhan2@ncsa.illinois.edu'
yanzhan2

Hi and welcome!

Your timing is excellent! Remote user is being URL encoded, so what’s being passed during the actual execution is not yanzhan2@ncsa.illinois.edu but is in fact yanzhan2%40ncsa.illinois.edu.

I’ve updated our 2.1 documentation and will update our latest documentation tomorrow (2-28).

I’m using 2.0.28 and it appears that the mapping script doesn’t support the encoded string:

# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/test/grid-mapfile.yanzhan2_test 'yanzhan2%40ncsa.illinois.edu'

# cat /sw/admin/grid-security/test/grid-mapfile.yanzhan2_test
"yanzhan2%40ncsa.illinois.edu" yanzhan2

I then made my own script to parse the encoded string:

# /opt/ood/custom/ood-gridmap.py 'yanzhan2%40ncsa.illinois.edu'
yanzhan2

But I still can’t get it to match:

[Tue Feb 28 10:04:14.429398 2023] [lua:debug] [pid 41291] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(15): [client 141.142.146.144:61117] Mapping command: /opt/ood/custom/ood-gridmap.py 'yanzhan2%40ncsa.illinois.edu'
[Tue Feb 28 10:04:14.448394 2023] [lua:debug] [pid 41291] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(22): [client 141.142.146.144:61117] Mapped 'yanzhan2@ncsa.illinois.edu' => '' [18.989 ms]

I would say

  • It’s good to use your own mapping script. We stopped shipping our own, and it’s unclear how long ood_auth_map.mapfile has worked and indeed if it even continues to work.
  • Check /var/log/httpd24-httpd/error_log for any errors that script may throw. I’m thinking loading/library errors from python. The environment this is executed under is limited in the sense that it may not have all the things you’ve loaded in a shell environment.
  • Use the syslogger if you can to print any errors or debug information to journalctl.

Okay, I tried logging to syslog and found that the script didn’t finish.
Script:

#!/bin/python3
# Mapping script: takes the (URL-encoded) remote user as argv[1], decodes it,
# and prints the matching local username from the mapfile (empty line if none).
mapfile = "/sw/admin/grid-security/oauth-mapfile.cron"

import sys
import syslog
syslog.syslog("importing urllib")
import urllib.parse as urlparse

syslog.syslog("finished import")

# mod_ood_proxy passes the claim URL-encoded (e.g. user%40realm), so decode it
inputuser = urlparse.unquote(sys.argv[1])

syslog.syslog("input user: " + inputuser)

# Original pre-seeded this with two placeholder keys (authuser, mapped), which
# inflated the logged entry count by 2; start from an empty dict instead.
usermapping = {}

# Mapfile lines look like:  "user@realm" localuser
for line in open(mapfile, 'r'):
    (authuser, mapped) = line.split()
    usermapping[authuser.strip("\"")] = mapped

syslog.syslog("finished reading " + str(len(usermapping)) + " entries")

if inputuser in usermapping:
    print(usermapping[inputuser])
    syslog.syslog("mapped " + inputuser + " to " + usermapping[inputuser])
else:
    print("")
    syslog.syslog("unable to map " + inputuser)

Logs:

Feb 28 10:45:22 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[42122]: importing urllib
Feb 28 10:45:22 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[42122]: finished import
Feb 28 10:45:22 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[42122]: input user: yanzhan2@ncsa.illinois.edu

So looks like it didn’t have problems loading libraries but for some reason stopped at the for loop loading the mapfile. Is there a memory restriction here?

I don’t think so. I just tested against just over 3,000 entries. I’d guess there’s some sort of error it encountered. Is there anything in /var/log/httpd24-httpd/error_log? If not, add a try and except block and log the error.

Feb 28 17:08:47 97b05dc2ed01 /test.py[733]: importing urllib
Feb 28 17:08:47 97b05dc2ed01 /test.py[733]: finished import
Feb 28 17:08:47 97b05dc2ed01 /test.py[733]: input user: jeff@localhost
Feb 28 17:08:47 97b05dc2ed01 /test.py[733]: finished reading 3017 entries
Feb 28 17:08:47 97b05dc2ed01 /test.py[733]: mapped jeff@localhost to jeff

I’m not sure what the equivalent of /var/log/httpd24-httpd/error_log on RHEL 8 is but I’m not seeing any errors in /var/log/httpd/_error_ssl.log.

Let me see if I can catch anything with a try-except.

Sorry, I can never tell who’s on what system. It would be /var/log/httpd/error_log. Just error_log with no extension or ssl or hostname in the filename.

Also I’m finding that /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile does continue to work, although just with the test file I generated - 3,000 users generated from random strings. So there could be something I’m missing in the test file generation.

Ah… maybe it’s our config but I don’t have an “error_log” without hostname. My Lua messages go to the log file with the hostname.

As for try-except - it looks like it failed on the first entry:

Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: importing urllib
Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: finished import
Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: input user: yanzhan2@ncsa.illinois.edu
Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: failed to read mapping
Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: finished reading 2 entries
Feb 28 11:23:12 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43339]: unable to map yanzhan2@ncsa.illinois.edu

Maybe there is some kind of restriction on Apache on our end. There are 1800 entries and it runs fine on its own, as you tested:

Feb 28 11:31:46 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43661]: importing urllib
Feb 28 11:31:46 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43661]: finished import
Feb 28 11:31:46 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43661]: input user: yanzhan2@ncsa.illinois.edu
Feb 28 11:31:46 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43661]: finished reading 1800 entries
Feb 28 11:31:46 ood-test.delta.internal.ncsa.edu /ood-gridmap.py[43661]: mapped yanzhan2@ncsa.illinois.edu to yanzhan2

Got it, yea it’s likely encoding like the LANG environment variable is C_ASCII - that’s not right, I’m blanking on what the bad/old encoding LANG could be, but you’d see it in a crontab output. In any case, it’s not UTF-8.

Try forcing utf-8 encoding here when you’re reading the file.

for line in open(mapfile,'r', encoding="utf-8"):

I found out why :man_facepalming: It failed at the line to open the mapfile. Likely a permission issue.

Edit: permission issue indeed.

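Pulling the thread's findings together (URL-encoded claim, explicit UTF-8 read, and an unreadable mapfile failing silently), here is an added example of a mapping script written from scratch for this post; it is not the thread's script or an Open OnDemand-shipped one. It assumes the mapfile path from the thread and the `"claim" localuser` line format shown above; the mapfile contents in the test are constructed.

```python
#!/usr/bin/env python3
# Hypothetical OOD user_map_cmd: decodes the URL-encoded claim, reads the mapfile
# as UTF-8, and logs unreadable files (e.g. permission denied) to syslog.
import sys
import syslog
import urllib.parse
MAPFILE = "/sw/admin/grid-security/oauth-mapfile.cron"  # path from the thread

def parse_mapfile(lines):
    """Return ({decoded_claim: local_user}, [warnings]) from mapfile lines."""
    mapping, warnings = {}, []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # allow blank lines and comments
        parts = line.split()
        if len(parts) != 2:
            warnings.append(f"line {lineno}: expected 2 fields, got {len(parts)}")
            continue
        claim, local = parts
        # Strip optional quotes and URL-decode so an entry matches whether the
        # mapfile author wrote user@realm or user%40realm.
        mapping[urllib.parse.unquote(claim.strip('"'))] = local
    return mapping, warnings

def load_mapfile(path):
    """Read the mapfile explicitly as UTF-8; OSError (ENOENT, EACCES) propagates."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_mapfile(fh)

def map_user(remote_user, mapping):
    """mod_ood_proxy passes the claim URL-encoded; decode before the lookup."""
    return mapping.get(urllib.parse.unquote(remote_user), "")

def main(argv):
    try:
        mapping, warnings = load_mapfile(MAPFILE)
    except (OSError, UnicodeDecodeError) as exc:
        syslog.syslog(syslog.LOG_ERR, f"cannot read {MAPFILE}: {exc}")
        print("")                          # empty output => OOD reports map failure
        return 1
    for warning in warnings:
        syslog.syslog(syslog.LOG_WARNING, f"{MAPFILE}: {warning}")
    local = map_user(argv[1], mapping) if len(argv) == 2 else ""
    syslog.syslog(syslog.LOG_INFO, f"mapped {argv[1:]} => {local!r}")
    print(local)
    return 0 if local else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the open() failure is caught and logged, a permission problem on the mapfile shows up in journalctl as "cannot read ...: Permission denied" instead of the script vanishing after "input user".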