
OnDemand does not respond to user group change for disabling applications

Open HazelGrant opened this issue 11 months ago • 10 comments

https://discourse.openondemand.org/t/ondemand-does-not-respond-to-user-group-change-for-disabling-applications/4029

I've been able to reproduce this.

HazelGrant • Feb 11 '25 14:02

> This solution works fine, but only after the user clicks on the “Restart Web Server” link.

I think a restart is expected here. Besides, shouldn't we be caching things for speed? I wonder if the proper guidance here is if you're going to expect everyone to pick up new configs, you should bounce all their puns as the admin.

johrstrom • Feb 11 '25 14:02

we have a cron in place that checks all nginx processes for the known groups and compares them with the secondary groups of the owner. and only if they do not match, we kill/cleanup the nginx. user activity will retrigger them with latest group associations.

fyi, this is "normal" linux behaviour for any running process, nothing to do with caching. and it is a security issue in the sense that if you were once in a group, you stay in that group as long as the process is alive. so kicking someone out of the group might still leave them with access.

stdweird • Feb 12 '25 19:02
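The check described in the comment above, sketched as an added example; it is not stdweird's cron job or Open OnDemand code. It compares the groups frozen into a running process (read from `/proc/<pid>/status`) with the account's current groups from `id -G USER`. The function names and the sample IDs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not stdweird's script: list users whose running nginx
# processes hold a group set that no longer matches their account.

# Constructed sample of /proc/<pid>/status text; the IDs are made up.
SAMPLE_STATUS='Name:   nginx
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
Groups: 1000 2001 2002'

# gid_set GIDS: normalise whitespace-separated GIDs to one sorted, unique line.
gid_set() { printf '%s\n' $* | grep -E '^[0-9]+$' | sort -nu | xargs; }

# proc_gids STATUS_TEXT: effective GID plus supplementary groups of the process.
proc_gids() {
    gid_set "$(printf '%s\n' "$1" | awk '/^Gid:/ {print $3} /^Groups:/ {$1=""; print}')"
}

# is_stale STATUS_TEXT CURRENT_GIDS: true when the credentials held by the
# process differ from the account's current groups (output of `id -G USER`).
is_stale() { [ "$(proc_gids "$1")" != "$(gid_set "$2")" ]; }

# scan_nginx: print each non-root owner of an nginx process with stale groups.
scan_nginx() {
    for pid in $(pgrep -x nginx); do
        status=$(cat "/proc/$pid/status" 2>/dev/null) || continue
        uid=$(printf '%s\n' "$status" | awk '/^Uid:/ {print $3}')
        if [ "$uid" = 0 ]; then continue; fi   # skip root-owned processes
        user=$(getent passwd "$uid" | cut -d: -f1)
        if [ -n "$user" ] && is_stale "$status" "$(id -G "$user")"; then
            echo "$user"
        fi
    done | sort -u
}

# Run the live scan only on request; stopping the listed users' PUNs is left
# to the site's own tooling.
if [ "${1:-}" = "--scan" ]; then scan_nginx; fi
```

`id -G USER` answers from the name service, so an sssd or nscd cache can delay the point at which a removed group shows up as stale.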

> we have a cron in place that checks all nginx processes for the known groups and compares them with the secondary groups of the owner

I found a task "ood" in /etc/etc/cron.d

```
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
0 */2 * * * root [ -f /opt/ood/nginx_stage/sbin/nginx_stage ] && /opt/ood/nginx_stage/sbin/nginx_stage nginx_clean 2>&1 | logger -t nginx_clean
```

is this it?

serden85 • Feb 17 '25 09:02

> I found a task "ood" in /etc/etc/cron.d

That is one that we ship to stop PUNs if they're inactive. @stdweird seems to imply they have their own code to do something different.

johrstrom • Feb 17 '25 14:02

my apologies. yes, we have our own cron to keep our ood backend sane. this is one of the things it does. if interested, i can share it.

stdweird • Feb 17 '25 14:02

Part of the problem was solved. For example, I set the session timeout to 10 minutes (oidc_session_inactivity_timeout: 600) and changed the /etc/etc/cron.d/ood execution interval to once every 10 minutes. Now, if a session is closed due to inactivity, then after logging in, user’s group membership is updated and thus application availability is controlled.

Do I understand correctly that if it is possible to reduce the execution interval of another cron, then the user’s group membership will be updated directly during the user session? If so, how can I reduce the execution interval of another cron?

serden85 • Feb 17 '25 15:02

> Do I understand correctly that if it is possible to reduce the execution interval of another cron, then the user’s group membership will be updated directly during the user session?

Not 100% sure what you're asking here, but you cannot update a running process (session). You have to restart the process by stopping/killing it then starting it again, thereby getting a new session.

johrstrom • Feb 17 '25 15:02

> You have to restart the process by stopping/killing it then starting it again, thereby getting a new session

Thanks for the detailed explanation. As I understand it, this happens when the user clicks the “Restart Web Server”.

@stdweird explanation

> we have a cron in place that checks all nginx processes for the known groups and compares them with the secondary groups of the owner. and only if they do not match, we kill/cleanup the nginx. user activity will retrigger them with latest group associations.

gives me hope that it is possible to automate the process of “Restart Web Server” for a user session.

As a result, I want that after changing the user’s group membership, the “Restart Web Server” event will automatically occur, and it doesn’t matter whether the user’s session is currently active or not. The question is how to do this?

serden85 • Feb 18 '25 07:02

We used to have something that would either alert the user of the change or redirect the user automatically. Here's the snippet I found. Not sure how/where we'd want this but we'd also likely want some documentation.

https://github.com/OSC/ood-dashboard/blob/a8f28afe966aebe9e5dc077250d17ed29b4b6984/app/controllers/apps_controller.rb#L11

johrstrom • Oct 21 '25 18:10

Notes from GitHub review meeting:

- Explained when users are added to or removed from groups, the PUN (per-user NGINX) doesn't pick up changes until restarted
- Found previous code that detected group changes and notified users
- Suggested implementing a solution in application controller to check before every request

Conclusion

- Issue scheduled for version 4.2
- Team will look into implementing a solution similar to what was previously used

moffatsadeghi • Oct 22 '25 20:10