Ticket #1131 (closed defect: fixed)
Error in AuthorisationService when calling from GridFTP SAML callout
| Reported by: | spascoe | Owned by: | pjkersha |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | component1 | Version: | |
| Keywords: | | Cc: | |
Description (last modified by spascoe)
The Apache error log shows the following when I configure the GridFTP SAML callout to contact https://sandstorm.ceda.ac.uk/AuthorisationService/1/. So far I have not been able to capture the request, but this looks like an internal error that should be trapped.
```
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] client denied by server configuration: /srv/www/vhosts/sandstorm.ceda.ac.uk/htdocs/
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] mod_wsgi (pid=3535): Exception occurred processing WSGI script '/srv/www/vhosts/sandstorm.ceda.ac.uk/wsgi-scripts/authorisationservice_dap.wsgi'.
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] Traceback (most recent call last):
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] File "/usr/local/ndg-security/eggs/ndg_security_server-2.2.0-py2.6.egg/ndg/security/server/wsgi/authz/service.py", line 122, in __call__
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] return self._app(environ, start_response)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/saml2/binding/soap/server/wsgi/queryinterface.py", line 402, in __call__
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] samlQuery = self.deserialise(queryElem)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/xml/etree.py", line 1832, in fromXML
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] action = ActionElementTree.fromXML(childElem)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/xml/etree.py", line 1710, in fromXML
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] action.namespace = namespace
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/saml2/core.py", line 2891, in _setNamespace
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] self.__actionTypes.keys())
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] TypeError: not enough arguments for format string
```
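The traceback above ends in a `TypeError` raised by a format expression in `_setNamespace`, on the path that handles an Action namespace the library does not recognise. The following is an added example, not NDG Security code and not part of the ticket: it rejects such a namespace with a well-formed error and maps it to a SAML Requester status. All function and class names are hypothetical, the sample input is constructed, and the default namespace and vocabulary follow what comment:5 in this ticket states for ESGF.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

RWEDC = ("Read", "Write", "Execute", "Delete", "Control")
DEFAULT_ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"
# Subset of the SAML action namespaces, each with its allowed values.
ACTION_VOCABS = {
    "urn:oasis:names:tc:SAML:1.0:action:rwedc": frozenset(RWEDC),
    DEFAULT_ACTION_NS: frozenset(RWEDC) | frozenset("~" + a for a in RWEDC),
}

# Constructed sample: an Action carrying the Namespace value from comment:4.
SAMPLE_BAD_NS = ('<saml:Action xmlns:saml="%s" Namespace="%s">Read</saml:Action>'
                 % (SAML2_NS, SAML2_NS))


class ActionValidationError(ValueError):
    """The client sent an Action the service cannot interpret."""


def parse_action(xml_text):
    """Return (namespace, action) or raise ActionValidationError."""
    # Untrusted XML: a hardened parser such as defusedxml is preferable.
    elem = ET.fromstring(xml_text)
    if elem.tag != "{%s}Action" % SAML2_NS:
        raise ActionValidationError("expected saml:Action, got %r" % (elem.tag,))
    namespace = elem.get("Namespace", DEFAULT_ACTION_NS)
    vocab = ACTION_VOCABS.get(namespace)
    if vocab is None:
        # The right-hand side is a tuple with one item per placeholder.
        # Passing a single list to a two-placeholder format string raises
        # "not enough arguments for format string" instead of this error.
        raise ActionValidationError(
            "Action namespace %r not recognised; expected one of %r"
            % (namespace, sorted(ACTION_VOCABS)))
    action = (elem.text or "").strip()
    if action not in vocab:
        raise ActionValidationError(
            "action %r is not in the %r vocabulary" % (action, namespace))
    return namespace, action


def handle(xml_text):
    """Turn bad client input into a Requester status, not a traceback."""
    try:
        return STATUS_SUCCESS, parse_action(xml_text)
    except (ActionValidationError, ET.ParseError) as exc:
        return STATUS_REQUESTER, str(exc)
```
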
Change History
comment:2 follow-up: ↓ 3 Changed 9 years ago by spascoe
Fix applied in changeset:7938. Not tested yet.
comment:4 Changed 9 years ago by spascoe
- Status changed from new to assigned
- Owner changed from somebody to pjkersha
This doesn't fix the underlying problem that the namespace action type is not recognised.
The request has Namespace="urn:oasis:names:tc:SAML:2.0:assertion" which looks right in this context. However, other SAML requests I've seen haven't used this attribute.
Is the request correct or is this a feature missing from NDGSecurity?
comment:5 Changed 9 years ago by pjkersha
- Status changed from assigned to closed
- Resolution set to fixed
This is a bug in the GridFTP callout. It should be passed on to Neill.
urn:oasis:names:tc:SAML:2.0:assertion is the assertion namespace rather than an action namespace. The SAML 2.0 core spec gives a number of alternative namespaces. For ESGF we omit it to get the default, urn:oasis:names:tc:SAML:1.0:action:rwedc-negation. This defines a constrained vocab of values for the action:
Read Write Execute Delete Control ~Read ~Write ~Execute ~Delete ~Control
The request was: