
User knissen can't access Superset
Closed, ResolvedPublic

Description

I would like to access Superset, but can't log in. I signed an NDA (see T168046) and I'm also able to access Turnilo/Pivot. Using the wikitech username (which works for Turnilo) is rejected by displaying the HTTP Auth dialog again. Using the LDAP username results in the error message below.

LDAP user: knissen
Wiki User: Kai Nissen (WMDE)

Sorry, something went wrong
500 - Internal Server Error
Stacktrace
Traceback (most recent call last):
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/_compat.py", line 35, in reraise
    raise value
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask_appbuilder/security/views.py", line 565, in login
    user = self.appbuilder.sm.auth_user_remote_user(username)
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask_appbuilder/security/manager.py", line 756, in auth_user_remote_user
    self.update_user_auth_stat(user)
  File "/srv/deployment/analytics/superset/venv/lib/python3.7/site-packages/flask_appbuilder/security/manager.py", line 548, in update_user_auth_stat
    if not user.login_count:
AttributeError: 'bool' object has no attribute 'login_count'

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 24 2019, 5:07 PM
Nuria added a subscriber: Nuria. Jun 24 2019, 5:17 PM

Please clear your cookies and try again, we have whitelisted you for superset (sorry that this requires an additional step from turnilo)

kai.nissen closed this task as Resolved. Jun 25 2019, 8:40 AM
kai.nissen claimed this task.

@Nuria It works. Thank you!

kai.nissen reopened this task as Open. Edited Jun 25 2019, 10:32 AM

Prematurely closed. Although the HTTP Basic Auth works initially, there are some resources that can't be loaded. It seems that I can log in, but I still can't use Superset. Cleared cookies, used a private tab, used a different browser.

fdans reassigned this task from kai.nissen to Nuria. Jul 1 2019, 3:47 PM
fdans moved this task from Incoming to Ops Week on the Analytics board.
Nuria added a comment. Jul 1 2019, 10:01 PM

Please try again, I think a piece of config was missing on your user.

Thanks, Nuria! I can now log in and see a selection of dashboards. I cannot access them, though. I'm starting to think that there might be a general issue with my account, since I cannot even log in to gerrit anymore. WikiTech and Turnilo logins are working.

elukey added a subscriber: elukey. Jul 2 2019, 1:07 PM

@kai.nissen Hi! If you are on freenode, would you mind joining #wikimedia-analytics? It would be easier to debug the issue while live chatting :)

elukey added a comment. Jul 2 2019, 1:55 PM

Enabled httpd log to trace8 for mod_proxy and proxy_authnz_ldap, and got this:

[Tue Jul 02 13:46:08.785077 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(523): [client 10.64.0.132:25347] AH01691: auth_ldap authenticate: using URL ldaps://ldap-labs.eqiad.wikimedia.org ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?uid
[Tue Jul 02 13:46:08.785163 2019] [authnz_ldap:trace1] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(544): [client 10.64.0.132:25347] auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=knissen))
[Tue Jul 02 13:46:08.817425 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(620): [client 10.64.0.132:25347] AH01697: auth_ldap authenticate: accepting knissen
[Tue Jul 02 13:46:08.817461 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(922): [client 10.64.0.132:25347] AH01713: auth_ldap authorize: require group: testing for group membership in "cn=wmf,ou=groups,dc=wikimedia,dc=org"
[Tue Jul 02 13:46:08.817469 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(930): [client 10.64.0.132:25347] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=wmf,ou=groups,dc=wikimedia,dc=org)
[Tue Jul 02 13:46:08.819519 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(949): [client 10.64.0.132:25347] AH01719: auth_ldap authorize: require group "cn=wmf,ou=groups,dc=wikimedia,dc=org": didn't match with attr member [Comparison false (adding to cache)][5 - Compare False]
[Tue Jul 02 13:46:08.819535 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(930): [client 10.64.0.132:25347] AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=wmf,ou=groups,dc=wikimedia,dc=org)
[Tue Jul 02 13:46:08.820556 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(949): [client 10.64.0.132:25347] AH01719: auth_ldap authorize: require group "cn=wmf,ou=groups,dc=wikimedia,dc=org": didn't match with attr uniqueMember [Comparison no such attribute (adding to cache)][16 - No such attribute]
[Tue Jul 02 13:46:08.820573 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(966): [client 10.64.0.132:25347] AH01716: auth_ldap authorise: require group "cn=wmf,ou=groups,dc=wikimedia,dc=org": failed [Comparison no such attribute (adding to cache)][16 - No such attribute], checking sub-groups
[Tue Jul 02 13:46:09.168437 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(989): [client 10.64.0.132:25347] AH01718: auth_ldap authorise: require group (sub-group) "cn=wmf,ou=groups,dc=wikimedia,dc=org": didn't match with attr Comparison false (adding to cache) [member][5 - Compare False]
[Tue Jul 02 13:46:09.168488 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(966): [client 10.64.0.132:25347] AH01716: auth_ldap authorise: require group "cn=wmf,ou=groups,dc=wikimedia,dc=org": failed [Comparison false (adding to cache)][5 - Compare False], checking sub-groups
[Tue Jul 02 13:46:09.168502 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(989): [client 10.64.0.132:25347] AH01718: auth_ldap authorise: require group (sub-group) "cn=wmf,ou=groups,dc=wikimedia,dc=org": didn't match with attr Comparison true (cached) [uniqueMember][5 - Compare False]
[Tue Jul 02 13:46:09.168508 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(996): [client 10.64.0.132:25347] AH01720: auth_ldap authorize group: authorization denied for user knissen to /

@jbond @MoritzMuehlenhoff I'd need some advice here since I am a bit ignorant about LDAP. As far as I can see from the logs, it seems that the nda group membership check is not performed for the user knissen (superset is on analytics-tool1004). I am probably missing something, and it does not seem to happen every time. The user tried different browsers, same issue. Do you have any suggestion about where to check next? Tried on seaborgium but didn't find anything useful..

jbond added a comment. Jul 2 2019, 4:14 PM

I looked into this a bit and I *think* the debug messages which mention cn=wmf,ou=groups,dc=wikimedia,dc=org can be ignored, as we see the following in the logs as well:

[Tue Jul 02 13:46:09.168629 2019] [authnz_ldap:debug] [pid 31706:tid 140223660926720] mod_authnz_ldap.c(930): [client 10.64.0.132:25347] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=nda,ou=groups,dc=wikimedia,dc=org)
[Tue Jul 02 13:46:09.297335 2019] [authnz_ldap:trace1] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(544): [client 10.64.48.101:22869] auth_ldap authenticate: final authn filter is (&(objectclass=*)(uid=knissen))
[Tue Jul 02 13:46:09.297361 2019] [authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(620): [client 10.64.48.101:22869] AH01697: auth_ldap authenticate: accepting knissen
[Tue Jul 02 13:46:09.297382 2019] [authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(930): [client 10.64.48.101:22869] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=wmf,ou=groups,dc=wikimedia,dc=org)
[Tue Jul 02 13:46:09.297426 2019] [authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(930): [client 10.64.48.101:22869] AH01714: auth_ldap authorize: require group: testing for uniqueMember: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=wmf,ou=groups,dc=wikimedia,dc=org)
[Tue Jul 02 13:46:09.297474 2019] [authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(996): [client 10.64.48.101:22869] AH01720: auth_ldap authorize group: authorization denied for user knissen to /superset/welcome
[Tue Jul 02 13:46:09.297497 2019] [authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(930): [client 10.64.48.101:22869] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=nda,ou=groups,dc=wikimedia,dc=org)

Further, I took a look at the Apache logs and it seems to me that it is the downstream application which is throwing the 401 messages for only some of the flask endpoints, and not Apache:

$ awk '$(NF-2)=="knissen" {print $1,$3,$4,$7}' /var/log/apache2/superset.wikimedia.org-access.log
2019-07-02T13:45:57 10.64.16.22 proxy-server/401 http://superset.wikimedia.org/
2019-07-02T13:45:58 10.64.16.22 proxy-server/401 http://superset.wikimedia.org/
2019-07-02T13:46:08 10.64.0.132 proxy-server/302 http://superset.wikimedia.org/
2019-07-02T13:46:09 10.64.48.101 proxy-server/302 http://superset.wikimedia.org/superset/welcome
2019-07-02T13:46:09 10.64.48.103 proxy-server/302 http://superset.wikimedia.org/login/
2019-07-02T13:46:09 10.64.0.130 proxy-server/302 http://superset.wikimedia.org/
2019-07-02T13:46:09 10.64.32.67 proxy-server/200 http://superset.wikimedia.org/superset/welcome
2019-07-02T13:46:09 10.64.0.132 proxy-server/200 http://superset.wikimedia.org/static/appbuilder/css/font-awesome.min.css
2019-07-02T13:46:09 10.64.48.101 proxy-server/200 http://superset.wikimedia.org/static/assets/dist/theme.535bb66bcca7cb731c7f.entry.css
2019-07-02T13:46:09 10.64.16.24 proxy-server/200 http://superset.wikimedia.org/static/assets/dist/welcome.445ab9cc1622a1a68943.entry.css
2019-07-02T13:46:09 10.64.48.101 proxy-server/200 http://superset.wikimedia.org/static/appbuilder/css/flags/flags16.css
2019-07-02T13:46:09 10.64.16.24 proxy-server/200 http://superset.wikimedia.org/static/assets/images/loading.gif
2019-07-02T13:46:09 10.64.16.24 proxy-server/200 http://superset.wikimedia.org/static/assets/images/superset-logo@2x.png
2019-07-02T13:46:09 10.64.16.24 proxy-server/200 http://superset.wikimedia.org/static/assets/dist/theme.535bb66bcca7cb731c7f.entry.js

Further, I see the following in the application logs:

$ grep knissen  /var/log/superset/syslog.log
Jun 24 16:57:24 analytics-tool1004 superset[450]: 2019-06-24 16:57:24,267:ERROR:flask_appbuilder.security.sqla.manager:Error adding new user to database. (_mysql_exceptions.IntegrityError) (1062, "Duplicate entry '-' for key 'email'") [SQL: 'INSERT INTO ab_user (first_name, last_name, username, password, active, email, last_login, login_count, fail_login_count, created_on, changed_on, created_by_fk, changed_by_fk) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)'] [parameters: ('knissen', '-', 'knissen', '***REMOVED***, 1, '-', None, None, None, datetime.datetime(2019, 6, 24, 16, 57, 24, 258237), datetime.datetime(2019, 6, 24, 16, 57, 24, 258246), None, None)] (Background on this error at: http://sqlalche.me/e/gkpj)
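
Added example (not part of the original thread and not Wikimedia's tooling): a small Python parser for the mod_authnz_ldap debug lines quoted above. It groups events per pid/tid/client and lists which groups were still tested after an AH01720 denial, the pattern jbond points to. The sample input is constructed by abridging lines from the thread; the function and field names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the mod_authnz_ldap debug output quoted
# in the thread (timestamps dropped; pid, tid, client, AH codes and messages kept).
SAMPLE = """\
[authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(620): [client 10.64.48.101:22869] AH01697: auth_ldap authenticate: accepting knissen
[authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(930): [client 10.64.48.101:22869] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=wmf,ou=groups,dc=wikimedia,dc=org)
[authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(996): [client 10.64.48.101:22869] AH01720: auth_ldap authorize group: authorization denied for user knissen to /superset/welcome
[authnz_ldap:debug] [pid 31705:tid 140223702890240] mod_authnz_ldap.c(930): [client 10.64.48.101:22869] AH01714: auth_ldap authorize: require group: testing for member: uid=knissen,ou=people,dc=wikimedia,dc=org (cn=nda,ou=groups,dc=wikimedia,dc=org)
"""

LINE = re.compile(r"\[pid (\d+):tid (\d+)\].*?\[client ([^\]]+)\] (AH\d+): (.*)")
TESTING = re.compile(r"testing for (\w+): (\S+) \((cn=[^,]+),")
DENIED = re.compile(r"authorization denied for user (\S+) to (\S+)")


def summarize(log_text):
    """Group authnz_ldap events per (pid, tid, client) connection."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:  # trace lines without an AH code are skipped
            continue
        pid, tid, client, code, msg = m.groups()
        c = conns.setdefault(
            (pid, tid, client),
            {"user": None, "tested": [], "denied": [], "tested_after_denial": []},
        )
        if code == "AH01697":  # authentication accepted
            c["user"] = msg.rsplit(" ", 1)[-1]
        elif code == "AH01714" and (t := TESTING.search(msg)):
            group = t.group(3)  # group CN being checked for membership
            if group not in c["tested"]:
                c["tested"].append(group)
            # A group tested after a denial means a later require-group check still ran.
            if c["denied"] and group not in c["tested_after_denial"]:
                c["tested_after_denial"].append(group)
        elif code == "AH01720" and (d := DENIED.search(msg)):
            c["denied"].append((d.group(1), d.group(2)))
    return conns


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

The regular expressions also match the full, timestamped lines as they appear in the Apache error log, so the function can be fed the log file contents directly.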

This seems stalled, is there anything I can do to help?

Checked on the db and the username seems ok:

MariaDB [superset_production]> select * from ab_user where username = 'knissen';
+-----+------------+-----------+----------+----------+--------+----------------------+---------------------+-------------+------------------+---------------------+---------------------+---------------+---------------+
| id  | first_name | last_name | username | password | active | email                | last_login          | login_count | fail_login_count | created_on          | changed_on          | created_by_fk | changed_by_fk |
+-----+------------+-----------+----------+----------+--------+----------------------+---------------------+-------------+------------------+---------------------+---------------------+---------------+---------------+
| 203 | Kai        | Nissen    | knissen  | NULL     |      1 | knissen@wikimedia.de | 2019-07-12 15:14:31 |          21 |                0 | 2019-06-24 17:16:30 | 2019-06-24 17:16:30 |             3 |             3 |
+-----+------------+-----------+----------+----------+--------+----------------------+---------------------+-------------+------------------+---------------------+---------------------+---------------+---------------+
1 row in set (0.00 sec)

And re-checked on ldap, the uid is knissen, so it should be ok..

@kai.nissen if you have the patience to come online on IRC again to debug further, it would be great..

Tried to delete your user and dashboard to restart from a clean state, but apparently I was only able to do the latter (your user still holds some data that I don't know where it is defined). Let's try again with a login so I'll be able to check logs..

Not sure if this is a problem, but the email address is wrong (knissen@wikimedia.de instead of kai.nissen@wikimedia.de).

Fixed! In theory it shouldn't be an issue..

After a chat with Kai on IRC, it seems that this is a re-occurrence of https://phabricator.wikimedia.org/T224159

elukey closed this task as Resolved. Jul 18 2019, 9:21 AM

Closing this task in favor of https://phabricator.wikimedia.org/T224159