
grouper-users - RE: [grouper-users] Grouper 2.5 on Openshift

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] Grouper 2.5 on Openshift


  • From: "Hyzer, Chris" <>
  • To: Oliver Trieu <>, "" <>
  • Subject: RE: [grouper-users] Grouper 2.5 on Openshift
  • Date: Mon, 1 Jun 2020 18:37:37 +0000

It's more complicated than just that flag. You need a uid and gid and change
things over to that in a subimage.

https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html

See this wiki

https://spaces.at.internet2.edu/display/Grouper/Grouper+Container+v2.5+running+as+non-root

Did you do the chown and change the uid in a subimage?

The error about /home/tomcat implies that you did not.

Grouper will run as you are describing that you want...

Thanks
Chris
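An added example of the kind of subimage Chris describes (not the Grouper project's own Dockerfile and not the contents of the linked wiki page): it pins the tomcat uid, hands group-0 ownership and group=user permissions to the writable paths so that OpenShift's randomly assigned uid (always a member of group 0) can still write them, and starts tomee without supervisor. The base image tag, the directory list and the presence of `usermod` in the base image are assumptions to confirm against the wiki; /home/tomcat is the only path this thread names.

```dockerfile
# Added example, not the Grouper project's Dockerfile. The base image tag and
# the list of writable directories are placeholders: take the real values
# from the "running as non-root" wiki page linked in this thread.
FROM GROUPER_BASE_IMAGE:TAG

USER root

# Give the tomcat user a fixed, non-zero uid so the image also runs outside
# OpenShift. Inside OpenShift the restricted SCC ignores this uid and starts
# the container as a random uid that is always in group 0 (root); group
# ownership therefore has to carry the permissions at runtime.
# Assumption: the base image provides usermod (shadow-utils).
ARG TOMCAT_UID=1001
RUN usermod -u "${TOMCAT_UID}" tomcat \
 && mkdir -p /home/tomcat

# Assumption: WRITABLE_DIRS lists every directory tomee and grouper write to;
# /home/tomcat is the only path known from this thread, extend it from the wiki.
ARG WRITABLE_DIRS="/home/tomcat"
RUN for d in ${WRITABLE_DIRS}; do \
      chown -R "${TOMCAT_UID}":0 "$d" && chmod -R g=u "$d"; \
    done

# Use a numeric uid rather than a user name: OpenShift replaces it with a uid
# from the project's range, and a numeric value is what non-root admission
# checks can verify without inspecting the image's /etc/passwd.
USER ${TOMCAT_UID}

# Run tomee as the only process instead of under supervisor (v2.5.28+).
ENV GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
```

Build this as a separate image on top of the stock one; the chown and chmod steps are what the /home/tomcat error in the thread indicates were missing.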

-----Original Message-----
From: On Behalf Of Oliver Trieu
Sent: Friday, May 29, 2020 1:41 PM
To:
Subject: Re: [grouper-users] Grouper 2.5 on Openshift

Hi Carey,


Thank you very much for your fast reply!

I gave 2.5.28 (and 2.5.29) a go.

Using GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true will result in an error
complaining that /home/tomcat/.bashrc is missing.

I think that is a general problem with OpenShift since I cannot
guarantee any user at all. Instead OpenShift will generate a random GUID
each run.

So permissions are handled via groups (that's why you see the strange
permission handling in my Dockerfile).

So there is no way for me to guarantee the user tomcat (or any user).


Anyway, I just went ahead and started TomEE manually.

This worked and the UI is no longer presenting the NullPointerException.

However, once I actually click something in the UI I run into CSRF errors:

ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery
(CSRF) attack thwarted (user:oliver,  method:POST,
uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does
not match session token)


I should mention that we don't use the Apache or Shib implementation
inside the container.

We have a separate container running Apache and handling the Shibboleth
login for us.

This setup has worked very well for us with Grouper 2.4.


If I look at the client side I can see my POST requests only partly
containing a CSRF token.

Request URLs in the client:

https://my.grouper.url/grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO

https://my.grouper.url/grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32


TomEE access-log:

"POST /grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32&csrfExtraParam=xyz HTTP/1.1" 302 -

"POST /grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO HTTP/1.1" 200 4051

So the viewStem request is missing the token and triggers the error.

Any ideas what the problem could be?



Kind Regards

Oliver




Am 29.05.2020 um 16:30 schrieb Black, Carey M.:
> REF:
> https://spaces.at.internet2.edu/display/Grouper/Grouper+container+documentation+for+v2.5
> "
> -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
> (v2.5.28+)
>
> Will run the tomee process as the only process in the container, not
> supervisor. Note, this is advanced, and should be run as the tomcat user.
> See this wiki
> "
>
> Try on a later image. I think v2.5.28+ will do what you want.
>


