Admin cannot handle other users deployments #1653
Comments
How are you configuring the IM to set the admin user?
Hi @micafer,
The im_cfg_admin_user should follow this format: https://github.com/grycap/im/blob/master/etc/im.cfg#L46C1-L47C93
Ok, we had set that variable with the proper format, but that endpoint is not pointing to a proper page of the issuer we are using (error 404, not found). What does the IM expect to achieve by contacting that endpoint?
The IM will not try to contact this endpoint, but it is the expected format used internally.
We are using the INDIGO IAM service, so could https://iam.cloud.infn.it/admin_sub be correct? We are already using it.
Is it possible to have multiple admin users?
I made some tests and there is a bug in case of using an OIDC user as admin.
I found the problem, the format of the admin config is like this:
```
{
  "password": "{{ im_cfg_admin_user }}",
  "token": "",
  "username": "__OPENID__{{admin_user_preferred_username}}"
}
```
Hi, thank you for the update! Regarding our problem, we also have another question: "What is the IM admin user used for?" We need to know this because we have multiple admin users and we would like to give them the possibility to also operate as IM admins (for example to delete deployments or read logs). Can we specify multiple IM users?
You can try the solution now.
The admin user is able to manage all the deployments made in the IM instance (it also requires the cloud credentials to manage the actual resources).
Currently multiple admin users are not supported.
Thank you for clarifying our doubts. We would appreciate it if you could add support for this feature because in our case it would be helpful.
New version 1.18.0 adds support for a list of admin users.
In our IM installation in INFN-CLOUD, being authenticated as "admin" in all connected groups, we tried to perform some operations (view log, delete) on other users' VMs but IM returns a 403 code for access not allowed.
Here is a cut from the orchestrator log:
```
2025-02-06 14:03:43.813 ERROR req-0fa3a251-2d63-4680-99c9-b1b8f7ea97fe 11efe491-c486-e438-9d14-005056c00001 26148 --- [ XNIO-2 task-48] .s.d.p.AbstractDeploymentProviderService :
Error while retrieving infrastructure log for deployment 11efe491-c486-e438-9d14-005056c00001
it.reply.orchestrator.exception.service.DeploymentException: Error executing request to IM
Error 403: Error Getting Inf. prop: Access to this infrastructure not granted.; nested exception is es.upv.i3m.grycap.im.exceptions.ImClientErrorException
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.handleImClientException(ImServiceImpl.java:1129)
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.getDeploymentLogInternal(ImServiceImpl.java:657)
at it.reply.orchestrator.service.deployment.providers.AbstractDeploymentProviderService.getDeploymentLog(AbstractDeploymentProviderService.java:111)
at it.reply.orchestrator.service.DeploymentServiceImpl.getDeploymentLog(DeploymentServiceImpl.java:547)
at it.reply.orchestrator.service.DeploymentServiceImpl$$FastClassBySpringCGLIB$$66a695a.invoke()
Caused by: es.upv.i3m.grycap.im.exceptions.ImClientErrorException: null
at es.upv.i3m.grycap.im.rest.client.ImClient.get(ImClient.java:153)
at es.upv.i3m.grycap.im.InfrastructureManager.getInfrastructureContMsg(InfrastructureManager.java:227)
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.lambda$11(ImServiceImpl.java:652)
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.lambda$0(ImServiceImpl.java:167)
at it.reply.orchestrator.service.security.OAuth2TokenService.executeWithClientForResult(OAuth2TokenService.java:250)
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.executeWithClientForResult(ImServiceImpl.java:166)
at it.reply.orchestrator.service.deployment.providers.ImServiceImpl.getDeploymentLogInternal(ImServiceImpl.java:651)
... 124 common frames omitted
```