
grouper-users - [grouper-users] An odd thing happened....

Subject: Grouper Users - Open Discussion List

[grouper-users] An odd thing happened....


  • From: "Black, Carey M." <>
  • To: "" <>
  • Subject: [grouper-users] An odd thing happened....
  • Date: Thu, 19 Jul 2018 18:25:54 +0000

All,

Yesterday I was alerted to an odd behavior of our grouper install. While
investigating the condition the "odd behavior" resolved itself and returned
to normal.
( I changed nothing. I did not even restart anything. I was still
looking at logs and testing myself when it fixed itself. )
BTW: Grouper 2.3

I have my suspicions about what it might have been, but I want to describe
the behavior and see if someone can tell me what the logs are really saying.
( Or as I suspect, not saying.)


When a user logged in to the UI ( it may have affected existing users, I
don't know for sure ) they were given an error page informing them that they
are not in the group that allows them access to the UI. ( AKA:
require.group.for.logins setting )

The users that reported the behavior were existing members of that group
prior to the event. ( And had been members for months. )
Even my account was affected. [ Gulp.... Uh..... WT? ]

It may be of note that for our install:
" Subject id: XXXX " is the user's "username" , and " login subject:
"YYYY-for XXXX"," is a unique identifier supplied by our IDM system
(available to Grouper via the Subject API )


This is the only thing that I found in the logs that looked related ( sanitized ) :
"
2018-07-18 15:56:57,175: [ajp-nio-8009-exec-1] ERROR GrouperUiFilter.ensureUserAllowedInSection(446) - - Error, user Subject id: XXXX, sourceId: SSSS needs to be in one of the following groups: < require.group.for.logins >
2018-07-18 15:56:57,176: [ajp-nio-8009-exec-1] ERROR GrouperUiFilter.initRequest(898) - - Cant find login subject: "YYYY-for XXXX", ADMIN_UI
java.lang.RuntimeException: Error, user Subject id: XXXX, sourceId: SSSS needs to be in one of the following groups: < require.group.for.logins >
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.ensureUserAllowedInSection(GrouperUiFilter.java:457)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:306)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.retrieveSubjectLoggedIn(GrouperUiFilter.java:292)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.initRequest(GrouperUiFilter.java:893)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:993)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:478)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
2018-07-18 15:56:57,178: [ajp-nio-8009-exec-1] ERROR GrouperUiFilter.initRequest(942) - - error in init
edu.internet2.middleware.grouper.ui.exceptions.ControllerDone
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.initRequest(GrouperUiFilter.java:905)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:993)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:478)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
"



OK. Now to color your thoughts with my guess....

During the login process I suspect that the SubjectAPI failed to return a
result for REMOTE_USER. And the values that were logged were sourced from a
grouper cache for that "REMOTE_USER" (AKA " Subject id: XXXX " ) value. That
failure may have prevented the lookup of the membership for the user. Which
was surfaced to the logs and UI as "you are not a member of the group" error.

So, my guess, is that the real error was masked and a "downstream error" was
surfaced.


Can anyone:
Confirm that makes sense? (or is possible)
Or
Suggest an alternate explanation?
And (please)
Identify any log setting I could enable to catch/identify this condition in
the future?


Thanks in advance.

--
Carey Matthew
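
Added example, not part of the original post and not Grouper code: a log triage sketch for the condition described above. It joins each require.group.for.logins denial to the login-subject line on the same thread and flags time windows in which several distinct subjects were denied, a pattern that points at a systemic cause rather than an individual membership change. The function names, the 5-minute window and the 3-subject threshold are assumptions, as is a log file with one entry per line in the format quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the sanitized log quoted in the post.
DENY = ('{t}: [{th}] ERROR GrouperUiFilter.ensureUserAllowedInSection(446) - - Error, user Subject id: {s}, '
        'sourceId: SSSS needs to be in one of the following groups: < require.group.for.logins >')
SAMPLE_LOG = "\n".join([
    DENY.format(t="2018-07-18 15:56:57,175", th="ajp-nio-8009-exec-1", s="XXXX"),
    '2018-07-18 15:56:57,176: [ajp-nio-8009-exec-1] ERROR GrouperUiFilter.initRequest(898) - - Cant find login subject: "YYYY-for XXXX", ADMIN_UI',
    "java.lang.RuntimeException: Error, user Subject id: XXXX, sourceId: SSSS needs to be in one of the following groups",
    DENY.format(t="2018-07-18 15:57:10,020", th="ajp-nio-8009-exec-3", s="AAAA"),
    DENY.format(t="2018-07-18 15:58:01,500", th="ajp-nio-8009-exec-1", s="BBBB"),
    DENY.format(t="2018-07-18 19:30:00,000", th="ajp-nio-8009-exec-2", s="CCCC"),
])

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): \[([^\]]+)\] \w+\s+\S+ - - (.*)$")
DENIED = re.compile(r"user Subject id: (\S+), sourceId: (\S+) needs to be in one of the following groups")
LOGIN = re.compile(r'Cant find login subject: "([^"]*)"')

def parse_denials(text, pair_within=timedelta(seconds=1)):
    """Return one record per denial, joined to the login-subject line on the same thread."""
    denials, last = [], {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:  # exception and stack-trace continuation lines are skipped
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m.group(2), m.group(3)
        d, lg = DENIED.search(msg), LOGIN.search(msg)
        if d:
            rec = {"time": ts, "subject": d.group(1), "source": d.group(2), "login": None}
            denials.append(rec)
            last[thread] = rec
        elif lg and thread in last and timedelta(0) <= ts - last[thread]["time"] <= pair_within:
            last[thread]["login"] = lg.group(1)
    return denials

def denial_bursts(denials, window=timedelta(minutes=5), min_subjects=3):
    """Group denials separated by at most `window`; keep groups with many distinct subjects."""
    bursts, group = [], []
    for rec in sorted(denials, key=lambda r: r["time"]):
        if group and rec["time"] - group[-1]["time"] > window:
            bursts.append(group)
            group = []
        group.append(rec)
    if group:
        bursts.append(group)
    return [g for g in bursts if len({r["subject"] for r in g}) >= min_subjects]
```

A flagged burst is a reason to look at the subject source and database connections for the same time span; it does not by itself show which component failed.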




