[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T373702

Unable to log in to Netbox
Open, MediumPublic
Actions

Description

For some reason I'm not able to log in to Netbox, instead I get a (for some reason unstyled) "Application Not Authorized to Use CAS" error page:

image.png (353×1 px, 35 KB)

The CAS logs are not much more helpful, either:

2024-08-30 16:45:19,972 WARN [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Cannot grant access to service [netbox_oidc]; it is not authorized for use by [Majavah].>
2024-08-30 16:45:19,974 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController] - <Cannot grant service access netbox_oidc to Majavah
	RegisteredServiceAccessStrategyUtils.java:ensurePrincipalAccessIsAllowedForService:149
	RegisteredServiceAccessStrategyAuditableEnforcer.java:byServiceAndRegisteredServiceAndPrincipal:148
	RegisteredServiceAccessStrategyAuditableEnforcer.java:lambda$execute$2:190
>

The main page at https://idp.wikimedia.org/login does list cn=nda,ou=groups,dc=wikimedia,dc=org in memberOf so I should have the right permissions.

Details

SubjectRepoBranchLines +/-
C:netbox: Allow NDA group to access Netbox.operations/puppetproduction+1 -1
Customize query in gerrit

Related Objects

Event Timeline

taavi created this task.Fri, Aug 30, 4:50 PM
Southparkfan subscribed.Sat, Aug 31, 12:23 PM
SLyngshede-WMF claimed this task.Mon, Sep 2, 2:37 PM
SLyngshede-WMF triaged this task as Medium priority.
SLyngshede-WMF added a comment.Mon, Sep 2, 2:40 PM

Netbox is limited to the groups "ops" and "wmf", seems a little weird that CAS would error out like that though.

cmooney subscribed.Tue, Sep 3, 1:03 PM
In T373702#10110637, @SLyngshede-WMF wrote:

Netbox is limited to the groups "ops" and "wmf", seems a little weird that CAS would error out like that though.

I was looking at T302870 there which seems to suggest nda did indeed previously have access? Can/should we therefore add the nda group to it? Or do we understand properly what changed since the earlier task was closed?

cmooney added a comment.Tue, Sep 3, 1:13 PM
In T373702#10112853, @cmooney wrote:

do we understand properly what changed since the earlier task was closed?

Maybe this?

https://gerrit.wikimedia.org/r/c/operations/puppet/+/932231

Southparkfan added a comment.Tue, Sep 3, 3:50 PM
In T373702#10112892, @cmooney wrote:
In T373702#10112853, @cmooney wrote:

do we understand properly what changed since the earlier task was closed?

Maybe this?

https://gerrit.wikimedia.org/r/c/operations/puppet/+/932231

Taavi re-added the group in bb989a1c77e3cd34b844dd19b5f352efd043716a. I'm not sure what's wrong either.

Southparkfan mentioned this in T373518: Grant Access to ldap/nda for Southparkfan.Tue, Sep 3, 4:14 PM
cmooney added a comment.Wed, Sep 4, 10:54 AM
In T373702#10113687, @Southparkfan wrote:

Taavi re-added the group in bb989a1c77e3cd34b844dd19b5f352efd043716a. I'm not sure what's wrong either.

Actually you're right - it's ops that isn't there now, but both 'wmf' and 'nda' is in the latest production branch.

SLyngshede-WMF added a comment.Wed, Sep 4, 10:57 AM

Netbox is configured to

SOCIAL_AUTH_ALLOW_GROUPS = ['ops', 'wmf']

so we might want to add nda there. I just think it's a little strange that it would trigger an error on CAS and not Netbox

gerritbot added a comment.Wed, Sep 4, 10:59 AM

Change #1070563 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:netbox: Allow NDA group to access Netbox.

https://gerrit.wikimedia.org/r/1070563

gerritbot added a project: Patch-For-Review.Wed, Sep 4, 10:59 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits