Editing style requires authentication

Open NyakudyaA opened this issue 2 years ago • 8 comments

Problem

When running GeoNode in a Kubernetes cluster and trying to update the style, you encounter the following:

image

This is due to the checkpoint URLs which are being written to the ${GEOSERVER_DATA_DIR}/security/role/geonode REST role service/config.xml as http://geonode:80/api/o/v4/tokeninfo/

Solution

  • Update set_geoserver_auth.sh to the following
 # Setting new substituted value
    case $i in
        proxyBaseUrl )
            if [ -n "${GEONODE_LB_HOST_IP}" ]
            then
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`
            else
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`
            fi;;
        accessTokenUri |  baseUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`;;
        checkTokenEndpointUrl |userAuthorizationUri | redirectUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

This will allow the checkpoint URL to be https://${GEONODE_LB_HOST_IP}/api/o/v4/tokeninfo/

This also works for docker-compose versions as this changes the checkpoint URL to communicate over the external IP / domain

NyakudyaA avatar Jul 20 '23 09:07 NyakudyaA

Hello. I managed to have it working on K8s by simply setting the SUBSTITUTION_URL variable to a suitable value.

AlexGacon avatar Oct 06 '23 12:10 AlexGacon

Hey, are you using geonode-k8s on this? I run into the same issue there, maybe we can add it to the k8s deployment.

mwallschlaeger avatar Oct 22 '23 20:10 mwallschlaeger

This is due to the checkpoint URLs which are being written to the ${GEOSERVER_DATA_DIR}/security/role/geonode REST role service/config.xml as http://geonode:80/api/o/v4/tokeninfo/

Solution

  • Update set_geoserver_auth.sh to the following
 # Setting new substituted value
    case $i in
        proxyBaseUrl )
            if [ -n "${GEONODE_LB_HOST_IP}" ]
            then
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`
            else
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`
            fi;;
        accessTokenUri |  baseUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`;;
        checkTokenEndpointUrl |userAuthorizationUri | redirectUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

I guess you refer to the set_geoserver_auth.sh part of the latest GeoServer version used by GeoNode v4.3.1. (As far as I know, the GeoServer image used here had been built from the GeoNode project repository).

Seems to be outdated (at least compared with master). SUBSTITUTION_URL seems not to be used anymore:

case $i in
        authApiKey)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_API_KEY'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_API_KEY@"`;;
        cliendId)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_CLIENT_ID'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_CLIENT_ID@"`;;
        clientSecret)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_CLIENT_SECRET'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_CLIENT_SECRET@"`;;
        proxyBaseUrl | redirectUri | userAuthorizationUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$GEOSERVER_LOCATION'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@^(https?://[^/]+)@${GEOSERVER_LOCATION%/}@"`;;
        baseUrl | accessTokenUri | checkTokenEndpointUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$GEONODE_LOCATION'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@^(https?://[^/]+)@${GEONODE_LOCATION%/}@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

Note: Some refactoring had been done recently, based on a (longer) discussion to carve out Docker components to a dedicated repository (for transparency and maintenance reasons). In general, all such discussions are also related to the question of how to improve upgrading GeoNode to newer versions.

ridoo avatar Oct 23 '23 06:10 ridoo

I'm seeing this issue on 4.1.3 final running on docker on Ubuntu 22.04LTS. I pulled the 4.1.x branch from github up to tag 4.1.3. I can't seem to find the set_geoserver_auth.sh file in this repo. Any idea how I can fix this as it's impossible now to edit styles?

SimonAnnetts avatar Oct 24 '23 11:10 SimonAnnetts

Hey @SimonAnnetts, I figured it out for the Kubernetes deployment, see my PR on https://github.com/zalf-rdm/geonode-k8s/pull/104 . I would guide you to check the GeoNode admin interface -> Django OAuth Toolkit -> Applications -> GeoServer and check that the clientID and clientSecret are set. Same thing on the GeoServer side: log in as admin into GeoServer, click through to security -> authentication and click on the geonode-oauth2 Authentication Filter. Check if the clientID and clientSecret are the same as in GeoNode. Further, check if the URLs are configured properly.

mwallschlaeger avatar Oct 28 '23 11:10 mwallschlaeger
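
Added example (not part of the thread and not GeoNode project code): a shell check that the URL tags named in this thread point at the expected origins, using the tag grouping from the master script quoted above. The function names, the sample config.xml and both locations are constructed for illustration.

```bash
# Added example; tag grouping follows the master script quoted in this thread.
# Print the text of the first <tag>...</tag> element in a file.
tag_value() {  # $1 = tag name, $2 = file
    sed -n "s@.*<$1>\(.*\)</$1>.*@\1@p" "$2" | head -n 1
}

# Reduce a URL to scheme://host[:port].
origin_of() {
    printf '%s\n' "$1" | sed -E 's@^(https?://[^/]+).*@\1@'
}

# Report every tag whose origin differs from the location it should use.
# $1 = config.xml, $2 = GeoNode location, $3 = GeoServer location; returns 1 on any finding.
audit_oauth_urls() {
    status=0
    for tag in baseUrl accessTokenUri checkTokenEndpointUrl \
               proxyBaseUrl redirectUri userAuthorizationUri logoutUri; do
        case $tag in
            baseUrl | accessTokenUri | checkTokenEndpointUrl) expected=$(origin_of "$2") ;;
            *) expected=$(origin_of "$3") ;;
        esac
        value=$(tag_value "$tag" "$1")
        if [ -z "$value" ]; then
            echo "MISSING <$tag>"; status=1
        elif [ "$(origin_of "$value")" != "$expected" ]; then
            echo "MISMATCH <$tag> $value (expected origin $expected)"; status=1
        fi
    done
    return "$status"
}

# Constructed sample, not a real deployment: two tags point at the wrong origin.
write_sample_config() {  # $1 = output path
    cat > "$1" <<'EOF'
<config>
  <baseUrl>http://geonode:80/</baseUrl>
  <accessTokenUri>http://geonode:80/o/token/</accessTokenUri>
  <checkTokenEndpointUrl>https://example.com/api/o/v4/tokeninfo/</checkTokenEndpointUrl>
  <proxyBaseUrl>https://example.com/geoserver</proxyBaseUrl>
  <redirectUri>https://example.com/geoserver/index.html</redirectUri>
  <userAuthorizationUri>https://example.com/o/authorize/</userAuthorizationUri>
  <logoutUri>http://localhost:8000/account/logout/</logoutUri>
</config>
EOF
}

sample=$(mktemp); write_sample_config "$sample"
audit_oauth_urls "$sample" "http://geonode:80" "https://example.com/geoserver/" || true
rm -f "$sample"
```

Against a real deployment, pass the path of the rendered config.xml and the two locations your environment actually uses; only scheme, host and port are compared, so path differences are not reported.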

@mwallschlaeger thanks for that. Checked and all good now.

SimonAnnetts avatar Nov 01 '23 17:11 SimonAnnetts

When deploying with docker, from a configuration that I thought would work, from another server, I had the same problem of edit style requiring login. I had the client id and keys right, but the URL for Access Token and Check Token endpoint were my URL (example.com), but they should be http://geonode:80.

Selection_977

Like this it works.

syldor avatar Jul 12 '24 02:07 syldor

@syldor it's a matter of environment variables and rendered configurations for GeoServer (which normally happens the first time you deploy the containers).

The exact env variables to check depend on the GeoNode version. Starting from GeoNode 4.2.0 they are expected to be these

giohappy avatar Jul 12 '24 08:07 giohappy