Redirection to Workbench after logging in

Hello,

I have been trying to set up Arvados on the AWS cloud. For now I want a minimal installation, where I have one EC2 instance for the Core (API + Controller), Keep (Storage etc.), the Workbench and the Websocket, and one other instance for the SSO server. The only reason I have the SSO on a different machine is that it says in the docs that only ruby v2.3 is supported, and not the 2.5 I am using in the first one. The problem I have is the following:

I can see the Workbench, and when I click on the Login button it takes me to the SSO server, where I input my credentials but then I get a We're sorry, but something went wrong. error. If I click Login again, it tells me that I have logged in, and that I can go to Arvados (providing a link). When I click on that link, it takes me to localhost:3000. Anyway, I don’t think the last part is directly correlated to my problem (localhost:3000 looks like it was hardcoded?).

Another detail is this: When I try to create a Trusted Client Flag, like it says in the Workbench installation docs, I run include CurrentApiClient, but instead of => true, I get => Object. This could just be a change in the API, but it felt worth mentioning. In the same console, ApiClient.all returns:

irb(main):003:0> ApiClient.all
=> #<ActiveRecord::Relation [#<ApiClient id: 1, uuid: "abcde-ozdt8-fz4w0ycr4rjh84l", owner_uuid: "abcde-tpzed-000000000000000", modified_by_client_uuid: nil, modified_by_user_uuid: "abcde-tpzed-000000000000000", modified_at: "2020-06-25 15:33:55", name: nil, url_prefix: "https://workbench.ClusterID.example.com/", created_at: "2020-06-25 15:33:55", updated_at: "2020-06-25 15:33:55", is_trusted: true>, #<ApiClient id: 2, uuid: "abcde-ozdt8-tj6fasaz2ta9j96", owner_uuid: "abcde-tpzed-000000000000000", modified_by_client_uuid: nil, modified_by_user_uuid: "abcde-tpzed-000000000000000", modified_at: "2020-06-26 17:26:49", name: nil, url_prefix: "https://localhost/", created_at: "2020-06-26 17:26:49", updated_at: "2020-06-26 17:26:49", is_trusted: true>, #<ApiClient id: 3, uuid: "abcde-ozdt8-csdzwgi3y6hrt9z", owner_uuid: "abcde-tpzed-000000000000000", modified_by_client_uuid: nil, modified_by_user_uuid: "abcde-tpzed-000000000000000", modified_at: "2020-06-26 22:52:17", name: nil, url_prefix: "https://13.53.137.27", created_at: "2020-06-26 22:52:17", updated_at: "2020-06-26 22:52:17", is_trusted: true>, #<ApiClient id: 4, uuid: "abcde-ozdt8-8r13xigjuvidqre", owner_uuid: "abcde-tpzed-000000000000000", modified_by_client_uuid: nil, modified_by_user_uuid: "abcde-tpzed-000000000000000", modified_at: "2020-06-27 11:32:14", name: nil, url_prefix: "https://13.53.137.27:8443", created_at: "2020-06-27 11:32:14", updated_at: "2020-06-27 11:32:14", is_trusted: true>]>

The relevant parts of the configuration are the following (feel free to ask me for more):

My config.yml file :

Clusters:
  abcde:
    SystemRootToken: "..."
    ManagementToken: "..."
    API:
      RailsSessionSecretToken: "..."
    Collections:
      BlobSigningKey: "SYFZLtXLUuKp8TtBowlKBfiMXeAUtEEFHp7L7OOY5brSlDvVOe"
    PostgreSQL:
      Connection:
        host: localhost
        user: arvados
        password: ...
        dbname: arvados_production
    Services:
      Controller:
        ExternalURL: "https://13.53.137.27"
        InternalURLs:
          "http://localhost:8003": {}
      RailsAPI:
        # Does not have an ExternalURL
        InternalURLs:
          "http://localhost:8004": {}
      Keepstore:
        # No ExternalURL because they are only accessed by the internal subnet.
        InternalURLs:
          "http://localhost:25107": {} # keepstore server on the same machine
      Keepproxy:
        ExternalURL: "https://13.53.137.27:8005"
        InternalURLs:
          "http://localhost:25108": {}
      WebDAVDownload:
        ExternalURL: "https://13.53.137.27:8006" # some free port
      WebDAV:
        ExternalURL: "https://13.53.137.27:8007" # some other free port
        InternalURLs:
          "http://localhost:9002": {}
      Keepbalance:
        InternalURLs:
          "http://localhost:9005/": {}
      SSO:
        ExternalURL: "https://13.48.47.196"
      Workbench1:
        ExternalURL: "https://13.53.137.27:8443"
      Websocket:
        InternalURLs:
          "http://localhost:8008/": {}
        ExternalURL: wss://13.53.137.27:8445/websocket
    Users:
      AnonymousUserToken: "3i2xoi6d364mb0w9i872ae3jzzs51qpdghjv0ra8gdnlxy9apq"
      AutoAdminFirstUser: true
      NewUsersAreActive: true
      AutoSetupNewUsers: true
    Workbench:
      SecretKeyBase: ...
    Login:
      ProviderAppID: "arvados-server"
      ProviderAppSecret: ...
    Volumes:
      abcde-nyw5e-000000000000000:
        AccessViaHosts:
          "http://localhost:25107": {}
        Driver: Directory
        DriverParameters:
          # The directory that will be used as the backing store.
          Root: /home/ubuntu/storage

        # How much replication is performed by the underlying
        # filesystem.  (for example, a network filesystem may provide
        # its own replication).  This is used to inform replication
        # decisions at the Keep layer.
        Replication: 1

        # If true, do not accept write or trash operations, only
        # reads.
        ReadOnly: false

        # Storage classes to associate with this volume.
        StorageClasses: null

Relevant snippets from the corresponding nginx config files:

arvados-api-and-controller.conf :

proxy_http_version 1.1;
geo $external_client {
  default        1;
  127.0.0.0/24   0;
  10.20.30.0/24  0;
  13.48.47.196/32 0; # make the other instance be considered internal
#  1.2.3.4/32     0;
}

# This is the port where nginx expects to contact arvados-controller.
upstream controller {
  server     localhost:8003  fail_timeout=10s;
}

server {
  listen       *:443 ssl;
  #server_name  xxxxx.example.com;

  ssl on;
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  # Refer to the comment about this setting in the passenger (arvados
  # api server) section of your Nginx configuration.
  client_max_body_size 128m;

  location / {
     ... haven't changed anything
  }
}

server {
  listen localhost:8004;
  server_name localhost-api;

  root /var/www/arvados-api/current/public;
  index  index.html index.htm index.php;

  passenger_enabled on;
  client_max_body_size 128m;
}

arvados-workbench.conf :

server {
  listen       80;
  #listen       13.53.137.27:8005;
  #listen       8005;
  #return 301   https://workbench.ClusterID.example.com$request_uri;
  #return 301   https://$host$request_uri;
  return 301   https://13.53.137.27:8443$request_uri;
}

server {
  listen       *:8443 ssl;
  #listen       13.53.137.27:443 ssl;

  ssl on; # possible it's not needed
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  root /var/www/arvados-workbench/current/public;
  index  index.html;

  passenger_enabled on;
  passenger_friendly_error_pages on;

  client_max_body_size 128m;
}

arvados-sso.conf (on the 2nd instance) :

server {
  listen       443 ssl;

  ssl on;
  ssl_certificate    /etc/ssl/certs/nginx-selfsigned.crt; 
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

  root   /var/www/arvados-sso/current/public;
  index  index.html;

  passenger_enabled on;
}

application.yml on the instance hosting the SSO:

production:
  uuid_prefix: abcde
  secret_token: ...

  allow_account_registration: true 
  require_email_confirmation: false

In all the logs I’ve searched, the most helpful snippet I found was this, in /var/www/arvados-workbench/current/log/production.log :

{"method":"GET","path":"/users/welcome","format":"html","controller":"UsersController","action":"welcome","status":200,"duration":4.51,"view":3.52,"request_id":"req-67gfszbcc9j7jkfz6klm","params":{"return_to":"/"},"@timestamp":"2020-06-26T22:53:00.363Z","@version":"1","message":"[200] GET /users/welcome (UsersController#welcome)"}
#<ActionController::RoutingError: Path not found>
#<ActionView::MissingTemplate: Missing template links/404, application/404 with {:locale=>[:en], :formats=>["text"], :variants=>[], :handlers=>[:raw, :erb, :html, :builder, :ruby, :coffee]}. Searched in:
  * "/var/www/arvados-workbench/current/themes/default/views"
  * "/var/www/arvados-workbench/current/app/views"

Any help would be appreciated at this point. Thanks in advance and sorry for the long post!

Hi @georgebax thanks for all the detail, still trying to wrap my head around it, just wanted to let you know I’m looking at it.

Thanks for the attention @tetron. If it is of any help, I tried to replicate it on arvbox, so: I redirected to the arvbox’s SSO port, logged in and tried to see if the link to redirect me to the Workbench was indeed localhost:3000. It wasn’t, so it is highly likely there is something wrong with my own configuration.

I made an additional observation:

In config.yml, I have this line:
ExternalURL: "https://13.53.137.27", where I don’t specify a port number (in the installation guide of course the external url is bound to the respective server name, but now I am only using ports). The fact that I am not using any ports seems kinda strange, but when I added :8003 (the Controller’s internal port) to the end of the address, I don’t see the login page. With this line, I get to the aforementioned screen where an unknown error is stated, and in the logs (production.log) I have the stack trace attached at the end of this post.

I understand that when I hit https://IPv4, it listens on 443 and redirects me to the controller, who takes me to the workbench. When I hit login from the workbench, it takes me to the SSO server, so again someone redirects me (the API server? the controller?). If so, this flow looks to be working fine.

Can you see anything I don’t see? Thanks in advance!

#<ArvadosApiClient::NoApiResponseException: OpenSSL::SSL::SSLError error connecting to API server>
/var/www/arvados-workbench/current/app/models/arvados_api_client.rb:158:in `rescue in block in api'
/var/www/arvados-workbench/current/app/models/arvados_api_client.rb:155:in `block in api'
/var/www/arvados-workbench/current/app/models/arvados_api_client.rb:154:in `synchronize'
/var/www/arvados-workbench/current/app/models/arvados_api_client.rb:154:in `api'
/var/www/arvados-workbench/current/app/models/user.rb:13:in `current'
/var/www/arvados-workbench/current/app/controllers/application_controller.rb:604:in `load_api_token'
/var/www/arvados-workbench/current/app/controllers/application_controller.rb:534:in `using_specific_api_token'
/var/www/arvados-workbench/current/app/controllers/projects_controller.rb:319:in `public'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/basic_implicit_render.rb:4:in `send_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/abstract_controller/base.rb:188:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/rendering.rb:30:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/abstract_controller/callbacks.rb:20:in `block in process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:126:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:506:in `block (2 levels) in compile'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:455:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:448:in `block (2 levels) in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:271:in `block in halting_and_conditional'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:447:in `block in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:455:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:448:in `block (2 levels) in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:286:in `block (2 levels) in halting'
/var/www/arvados-workbench/current/app/controllers/application_controller.rb:664:in `set_thread_api_token'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:382:in `block in make_lambda'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:285:in `block in halting'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:447:in `block in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:455:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:448:in `block (2 levels) in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:286:in `block (2 levels) in halting'
/var/www/arvados-workbench/current/app/controllers/application_controller.rb:589:in `set_current_request_id'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:382:in `block in make_lambda'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:285:in `block in halting'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:447:in `block in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:455:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:448:in `block (2 levels) in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:286:in `block (2 levels) in halting'
/var/www/arvados-workbench/current/app/controllers/application_controller.rb:581:in `thread_clear'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:382:in `block in make_lambda'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:285:in `block in halting'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:447:in `block in around'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:455:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:101:in `__run_callbacks__'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:750:in `_run_process_action_callbacks'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:90:in `run_callbacks'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/abstract_controller/callbacks.rb:19:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/rescue.rb:20:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/notifications.rb:164:in `block in instrument'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/notifications.rb:164:in `instrument'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal/params_wrapper.rb:248:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activerecord-5.0.7.2/lib/active_record/railties/controller_runtime.rb:18:in `process_action'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/abstract_controller/base.rb:126:in `process'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionview-5.0.7.2/lib/action_view/rendering.rb:30:in `process'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal.rb:190:in `dispatch'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_controller/metal.rb:262:in `dispatch'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/routing/route_set.rb:32:in `serve'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/journey/router.rb:39:in `block in serve'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/journey/router.rb:26:in `each'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/journey/router.rb:26:in `serve'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/routing/route_set.rb:727:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/etag.rb:27:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/conditional_get.rb:27:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/head.rb:12:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb:266:in `context'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb:260:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/cookies.rb:613:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:97:in `__run_callbacks__'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/callbacks.rb:90:in `run_callbacks'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/callbacks.rb:36:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/lograge-0.10.0/lib/lograge/rails_ext/rack/logger.rb:15:in `call_app'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/railties-5.0.7.2/lib/rails/rack/logger.rb:24:in `block in call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/tagged_logging.rb:69:in `block in tagged'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/tagged_logging.rb:26:in `tagged'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/tagged_logging.rb:69:in `tagged'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/railties-5.0.7.2/lib/rails/rack/logger.rb:24:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/request_store-1.4.1/lib/request_store/middleware.rb:19:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/request_id.rb:24:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/method_override.rb:24:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/runtime.rb:22:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/activesupport-5.0.7.2/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/executor.rb:12:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/rack-2.2.2/lib/rack/sendfile.rb:110:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/actionpack-5.0.7.2/lib/action_dispatch/middleware/ssl.rb:84:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/railties-5.0.7.2/lib/rails/engine.rb:522:in `call'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/railties-5.0.7.2/lib/rails/railtie.rb:193:in `public_send'
/var/www/arvados-workbench/shared/vendor_bundle/ruby/2.5.0/gems/railties-5.0.7.2/lib/rails/railtie.rb:193:in `method_missing'
/usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:107:in `process_request'
/usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:149:in `accept_and_process_next_request'
/usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler/thread_handler.rb:110:in `main_loop'
/usr/lib/ruby/vendor_ruby/phusion_passenger/request_handler.rb:415:in `block (3 levels) in start_threads'
/usr/lib/ruby/vendor_ruby/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'

Hi @georgebax. A few observations:

a) for the controller, ExternalURL: “https://13.53.137.27”, without port number is fine. The “https” in the URL implies port 443.

b) the original error you got, “something went wrong”, was likely at the SSO server. Have you looked in the SSO server rails log? There’s likely to be a backtrace there. Based on the config snippet you provided for SSO’s application.yml, it looks like you did not configure an authentication source, which means SSO would default to a local database.

c) the redirect to localhost:3000 is the default in the SSO server, if the “default_link_url” field is not specified in its application.yml. You should configure that to match the URL for your workbench, so in this case:

default_link_url: https://13.53.137.27:8443

Does this help?

Thank you very much for your response.

a) This part appears to be ok. In any case I don’t see any error at the nginx’s side.

b) Indeed I did not set an authentication source, so it defaults to a local DB, which I have set up. In fact, if I navigate to the login server directly I can log in, so I guessed that the login mechanism was working fine (see logs as well to confirm).

c) I did not know about default_link_url (is it specified anywhere in the docs?). I set it as you suggested but didn’t make a difference. Now if I navigate to SSO, login, and then click the link, it takes me to the workbench but I’m not logged in.

Also, as for the error in the last log, could it just be that the certificate is in fact self-signed, and all else is OK? I set ARVADOS_API_HOST_INSECURE=1 in my /etc/environment but still get the same error.

Now the logs are as follows:

/var/www/arvados-sso/current/log/production.log:

Started GET "/auth/josh_id/authorize?auth_provider&client_id=arvados-server&redirect_uri=https%3A%2F%2F13.53.137.27%2Fauth%2Fjoshid%2Fcallback%3Freturn_to%3D%252Chttps%253A%252F%252F13.53.137.27%253A8443%252Fusers%252Fwelcome%253Freturn_to%253D%25252F&response_type=code&state=632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e" for 85.73.255.52 at 2020-07-07 14:51:06 +0000
Processing by AuthController#authorize as HTML
  Parameters: {"auth_provider"=>nil, "client_id"=>"arvados-server", "redirect_uri"=>"https://13.53.137.27/auth/joshid/callback?return_to=%2Chttps%3A%2F%2F13.53.137.27%3A8443%2Fusers%2Fwelcome%3Freturn_to%3D%252F", "response_type"=>"code", "state"=>"632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e"}
Completed 401 Unauthorized in 0.5ms
Started GET "/users/sign_in" for 85.73.255.52 at 2020-07-07 14:51:06 +0000
Processing by SessionsController#new as HTML
  Rendered sessions/new.html.erb within layouts/application (1.2ms)
  Rendered application/_links.html.erb (0.3ms)
Completed 200 OK in 3.1ms (Views: 2.6ms | ActiveRecord: 0.0ms)
Started POST "/users/sign_in" for 85.73.255.52 at 2020-07-07 14:51:10 +0000
Processing by SessionsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"/UQsdyuhgbQxpVBuSmMwqdLS663U+kAQAlIOx0Ro6N4=", "user"=>{"email"=>"admin@scienomics.com", "password"=>"[FILTERED]"}, "commit"=>"Sign in"}
Redirected to https://13.48.47.196/auth/josh_id/authorize?auth_provider&client_id=arvados-server&redirect_uri=https%3A%2F%2F13.53.137.27%2Fauth%2Fjoshid%2Fcallback%3Freturn_to%3D%252Chttps%253A%252F%252F13.53.137.27%253A8443%252Fusers%252Fwelcome%253Freturn_to%253D%25252F&response_type=code&state=632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e
Completed 302 Found in 60.5ms (ActiveRecord: 0.3ms)
Started GET "/auth/josh_id/authorize?auth_provider&client_id=arvados-server&redirect_uri=https%3A%2F%2F13.53.137.27%2Fauth%2Fjoshid%2Fcallback%3Freturn_to%3D%252Chttps%253A%252F%252F13.53.137.27%253A8443%252Fusers%252Fwelcome%253Freturn_to%253D%25252F&response_type=code&state=632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e" for 85.73.255.52 at 2020-07-07 14:51:10 +0000
Processing by AuthController#authorize as HTML
  Parameters: {"auth_provider"=>nil, "client_id"=>"arvados-server", "redirect_uri"=>"https://13.53.137.27/auth/joshid/callback?return_to=%2Chttps%3A%2F%2F13.53.137.27%3A8443%2Fusers%2Fwelcome%3Freturn_to%3D%252F", "response_type"=>"code", "state"=>"632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e"}
Redirected to https://13.53.137.27/auth/joshid/callback?return_to=%2Chttps%3A%2F%2F13.53.137.27%3A8443%2Fusers%2Fwelcome%3Freturn_to%3D%252F&code=1fb82d5263bdce054e20793db2b31877&response_type=code&state=632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e
Completed 302 Found in 34.7ms (ActiveRecord: 5.0ms)

/var/www/arvados-api/current/log/production.log

app/middlewares/arvados_api_token.rb:66:in `call'
[req-1wgu0gxfia4n76i7qa13] "Path not found."
[req-1wgu0gxfia4n76i7qa13] Error 1594135560+099680d6: 404
{"method":"GET","path":"/","format":"*/*","controller":"StaticController","action":"home","status":404,"duration":1.36,"view":0.49,"db":0.0,"request_id":"req-1wgu0gxfia4n76i7qa13","client_ipaddr":"192.241.227.7","client_auth":null,"params":{},"@timestamp":"2020-07-07T15:26:00.739482126Z","@version":"1","message":"[404] GET / (StaticController#home)"}
{"method":"GET","path":"/login","format":"html","controller":"UserSessionsController","action":"login","status":302,"duration":1.01,"view":0.0,"db":0.0,"location":"http://localhost:8004/auth/joshid","request_id":"req-1h3xjg0w6m9pr1hzezht","client_ipaddr":"127.0.0.1","client_auth":null,"params":{"return_to":"https://13.53.137.27:8443/users/welcome?return_to=%2F"},"@timestamp":"2020-07-07T15:42:57.156517748Z","@version":"1","message":"[302] GET /login (UserSessionsController#login)"}

Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)):

app/middlewares/arvados_api_token.rb:66:in `call'
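
The redirect chain recorded in the SSO log above, unwrapped one percent-encoding layer at a time and matched against the `Services` `ExternalURL` values from the posted config.yml. This is an added example, not part of the original post or of Arvados; `origin`, `redirect_chain` and `label_hops` are hypothetical names, and treating the leading comma in `return_to` as an empty leading field is an assumption based on this log.

```ruby
require "uri"

# ExternalURL values copied from the config.yml posted in this thread.
EXTERNAL_URLS = {
  "SSO"        => "https://13.48.47.196",
  "Controller" => "https://13.53.137.27",
  "Workbench1" => "https://13.53.137.27:8443",
}.freeze

# "Redirected to" target copied from the SSO production.log in this thread.
AUTHORIZE_URL =
  "https://13.48.47.196/auth/josh_id/authorize?auth_provider" \
  "&client_id=arvados-server" \
  "&redirect_uri=https%3A%2F%2F13.53.137.27%2Fauth%2Fjoshid%2Fcallback" \
  "%3Freturn_to%3D%252Chttps%253A%252F%252F13.53.137.27%253A8443" \
  "%252Fusers%252Fwelcome%253Freturn_to%253D%25252F" \
  "&response_type=code" \
  "&state=632a9ba16ba5127c896e049e8ee8a3214476481c77be2a9e"

# scheme://host:port with the default port made explicit, so that
# "https://13.53.137.27" and "https://13.53.137.27:443" compare equal.
def origin(uri)
  "#{uri.scheme}://#{uri.host}:#{uri.port}"
end

# Follow redirect_uri / return_to parameters inward, decoding one
# percent-encoding layer per hop. Returns the list of URI objects visited.
def redirect_chain(url, max_hops: 10)
  hops = []
  current = URI.parse(url)
  max_hops.times do
    hops << current
    pairs = URI.decode_www_form(current.query.to_s)
    _, target = pairs.find { |k, _| %w[redirect_uri return_to].include?(k) }
    break if target.nil?
    # Assumption: a value such as ",https://..." carries an empty leading
    # field before the comma; drop that field, but never cut into a URL.
    target = target.sub(/\A[^,\/:]*,/, "")
    # URI.join keeps absolute targets and resolves relative ones ("/")
    # against the hop that carried them.
    current = URI.join(origin(current), target)
  end
  hops
end

# Pair every hop with the configured service whose ExternalURL has the same
# origin, or "UNCONFIGURED" when no service in config.yml matches.
def label_hops(url)
  by_origin = EXTERNAL_URLS.map { |name, ext| [origin(URI.parse(ext)), name] }.to_h
  redirect_chain(url).map do |hop|
    [by_origin.fetch(origin(hop), "UNCONFIGURED"), hop.path]
  end
end

if __FILE__ == $PROGRAM_NAME
  label_hops(AUTHORIZE_URL).each_with_index do |(service, path), i|
    puts format("hop %d: %-12s %s", i, service, path)
  end
end
```

A hop labelled `UNCONFIGURED` points at an origin that no `ExternalURL` in config.yml declares, which is the first thing to check when a login ends up somewhere unexpected.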

I agree, the login flow looks like it is working, based on the SSO logs. Have you tried logging out in the SSO server (or even just clearing cookies), and then going through the flow from the start, at workbench?

The SSL error in the API server logs is a bit concerning. Are you using self-signed certificates? If so, do you have

TLS:
  Insecure: true

set in your config.yml?

Oh it worked like a charm! I had only set the certificate in the nginx’s .conf files (to be fair only this was specified in the guides). Thanks a lot @cure, that is what was needed.

Great, thanks for confirming it works now! With regard to the SSO server, that documentation is indeed a bit lacking. The SSO server is being phased out. From the next Arvados release, all authentication will be handled by arvados-controller. If you use Google as an authentication source, you can already use arvados-controller and skip SSO server in the current Arvados stable release, 2.0.
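
The `certificate verify failed (self signed certificate)` error from the API server log in this thread, reproduced offline with Ruby's OpenSSL bindings, next to the case where the same certificate is placed in the verifier's trust store. This is an added example, not Arvados code and not from any poster in the thread; `make_self_signed` and `verify_against` are hypothetical names, and the certificates are generated in memory as constructed stand-ins for a file like `nginx-selfsigned.crt`.

```ruby
require "openssl"

# Build a throwaway self-signed certificate in memory. Constructed sample:
# it stands in for a file such as /etc/ssl/certs/nginx-selfsigned.crt.
def make_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject            # issuer == subject: self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `cert` against a trust store that holds only the `trusted`
# certificates. A new OpenSSL::X509::Store starts empty; the system CA
# bundle is deliberately not loaded, so the result depends on `trusted` alone.
def verify_against(cert, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |anchor| store.add_cert(anchor) }
  ok = store.verify(cert)
  { ok: ok, code: store.error, reason: store.error_string }
end

if __FILE__ == $PROGRAM_NAME
  server_cert = make_self_signed("arvados.example")   # constructed name
  unrelated   = make_self_signed("other.example")     # constructed name

  # 1. No trust anchor: the failure seen in the API server log.
  p verify_against(server_cert)
  # 2. The server's own certificate installed as a trust anchor: verification
  #    stays switched on and succeeds for this certificate only.
  p verify_against(server_cert, trusted: [server_cert])
  # 3. Trusting some other certificate does not help.
  p verify_against(server_cert, trusted: [unrelated])
end
```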