lhuang
(Luis)
April 1, 2024, 4:04pm
1
Struggling to get auth working. On the hpc node this shows up in the syslog.
rserver[29190]: ERROR Failed to validate sign-in with invalid CSRF form; LOGGED FROM: bool rstudio::server::auth::common::validateSignIn(const rstudio::core::http::Request&, rstudio::core::http::Response*) src/cpp/server/auth/ServerAuthCommon.cpp:136
This is my view.html.erb
<script>
var hostButton=$( "a.btn.btn-primary.btn-sm.fas.fa-terminal" );
var hostname=hostButton.text();
hostButton.replaceWith(hostname);
document.cookie = "csrf-token=<%= csrf_token %>; path=/rnode/<%= host %>/<%= port %>; secure";`
</script>
<form action="/rnode/<%= host %>/<%= port %>/auth-do-sign-in" method="post" target="_blank">
<input type="hidden" name="username" value="<%= ENV["USER"] %>"/>
<input type="hidden" name="password" value="<%= password %>"/>
<input type="hidden" name="staySignedIn" value="1"/>
<input type="hidden" name="appUri" value=""/>
<input id="csrfToken" type="hidden" name="csrf-token" value="<%= csrf_token %>"/>
<button class="btn btn-primary" type="submit">
<i class="fab fa-r-project"></i> Connect to RStudio Server
</button>
</form>
submit.yml
---
batch_connect:
template: "basic"
conn_params:
- csrf_token
before.sh.erb
# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module
# Find available port to run server on
port=$(find_port ${host})
# Define a password and export it for RStudio authentication
password="$(create_passwd 16)"
export RSTUDIO_PASSWORD="${password}"
# create CSRF token
<%-
require 'securerandom'
csrftoken=SecureRandom.uuid
-%>
export csrf_token="<%= csrftoken %>"
I do see the connection.yml file gets populated with the csrf token and password. I’ve tried copy and pasting in the password and I still can’t get through it. It will always show csrf invalid on the hpc node.
csrf_token: d27d4914-d045-4f72-a472-752a308156c9
host: devslurmvm01.nygenome.org
port: 52195
password: YazTPS3NLq6pFbFv
Hello, and welcome!
I’ve been unable to reproduce this issue, and what I’ve found is that it’s probably pretty tied to specifics about how RStudio manages authentication and will require further investigation. I have found that you’re not the only one to have faced it and that there is a closed rstudio issue with the same error .
I am continuing to investigate this issue and will keep you updated on what I find.
lhuang
(Luis)
April 1, 2024, 8:57pm
3
Thanks, if this helps. We’re on Centos 7.9 OS and container with singularity/3.8.6.
In addition to this, even if I access the hpc node directly without going through the url rewrite. It still doesn’t take the password.
This is the script.sh.erb
#!/usr/bin/env bash
# Load the required environment
setup_env () {
# Additional environment which could be moved into a module
# Change these to suit
export RSTUDIO_SERVER_IMAGE="/gpfs/commons/home/lhuang/ondemand/dev/RStudio/rserver-launcher-centos7.simg"
export SINGULARITY_BINDPATH="/etc,/media,/mnt,/opt,/srv,/usr,/var,/nfs/sw,/nfs/scratch"
export PATH="$PATH:/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/usr/lib/rstudio-server/bin/"
export SINGULARITYENV_PATH="$PATH"
# In Singularity 3.5.x it became necessary to explicitly pass LD_LIBRARY_PATH
# to the singularity process
export SINGULARITYENV_LD_LIBRARY_PATH="$LD_LIBRARY_PATH"
module load rstudio-server/2023.12.1-402
module load singularity
module load R/3.6.0
}
setup_env
#
# Start RStudio Server
#
# PAM auth helper used by RStudio
export RSTUDIO_AUTH="/gpfs/commons/home/lhuang/ondemand/dev/Rstudio/template/bin/auth"
# Generate an `rsession` wrapper script
export RSESSION_WRAPPER_FILE="${PWD}/rsession.sh"
(
umask 077
sed 's/^ \{2\}//' > "${RSESSION_WRAPPER_FILE}" << EOL
#!/usr/bin/env bash
# Log all output from this script
export RSESSION_LOG_FILE="${PWD}/rsession.log"
exec &>>"\${RSESSION_LOG_FILE}"
# Launch the original command
echo "Launching rsession..."
set -x
exec rsession --r-libs-user "${R_LIBS_USER}" "\${@}"
EOL
)
chmod 700 "${RSESSION_WRAPPER_FILE}"
# Set working directory to home directory
cd "${HOME}"
export TMPDIR="$(mktemp -d)"
mkdir -p "$TMPDIR/rstudio-server"
python -c 'from uuid import uuid4; print(uuid4())' > "$TMPDIR/rstudio-server/secure-cookie-key"
chmod 0600 "$TMPDIR/rstudio-server/secure-cookie-key"
set -x
# Launch the RStudio Server
echo "Starting up rserver..."
singularity run -B "$TMPDIR:/tmp" "$RSTUDIO_SERVER_IMAGE" \
--www-port "${port}" \
--auth-none 0 \
--auth-pam-helper-path "${RSTUDIO_AUTH}" \
--auth-encrypt-password 0 \
--rsession-path "${RSESSION_WRAPPER_FILE}" \
--server-data-dir "/nfs/scratch/$USER" \
--database-config-file "/nfs/sw/rstudio-server/rstudio-server-2023.12.1-402/etc/rstudio/local.conf" \
--server-user "$USER"
lhuang
(Luis)
April 1, 2024, 10:21pm
4
I’ve figured this out based on someone else solution. It was in the auth script. I had to change “ne” to “lt”
if [[ $# -ne 1 ]]; then
… Okay so can confirm replacing ‘-ne’ with ‘-lt’ in the template/bin/auth totally fixed our issue. I absolutely love that this worked and thanks for the call out… but dang SO much time for that one issue.
Thanks!
This is also because the step by step instructions is to clone from GitHub - OSC/bc_example_rstudio: An example OnDemand interactive RStudio app using Singularity
Which is slightly out of date hence why the difference in auth file.
system
(system)
Closed
September 28, 2024, 10:21pm
5
This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.