ShinyProxy not able to start with SAML settings
templary opened this issue · 4 comments
Hello,
When implementing the ShinyProxy operator we encountered a problem: even if I use the original unmodified version of shinyproxy, it does not work if I set the auth mode to SAML in the settings.
The application runs in a kubernetes cluster on Gcloud
.yaml config file
```yaml
apiVersion: openanalytics.eu/v1
kind: ShinyProxy
metadata:
  name: shinyproxy
  namespace: shinyproxy
spec:
  server:
    secureCookies: true
    frameOptions: sameorigin
    forward-headers-strategy: native
  spring:
    session:
      store-type: redis
      redis:
        configure-action: none
    redis:
      host: redis
      password: ${REDIS_PASSWORD}
  proxy:
    operator:
      force-transfer: true
    title: ShinyProxy_222
    logoUrl: ""
    landingPage: /
    containerBackend: kubernetes
    kubernetes:
      namespace: shinyproxy
      internal-networking: true
      image-pull-policy: Always
    authentication: saml
    saml:
      idp-metadata-url: https://XXXXX.eu.auth0.com/samlp/metadata/XXXXXX
      app-entity-id: urn:XXXX
      app-base-url: http://localhost:8080
      name-attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      roles-attribute: http://schemas.auth0.com/roles
      logout-url: https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=http://localhost:8080
      nameidentifier-attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      email-verified-attribute: http://schemas.auth0.com/email_verified
      created-at-attribute: http://schemas.auth0.com/created_at
    admin-groups: scientists
    users:
      - name: jack
        password: password
        groups: scientists
      - name: jeff
        password: password
        groups: mathematicians
    specs:
      - id: 01_hello
        display-name: Hello Application
        description: Application which demonstrates the basics of a Shiny app
        container-cmd: [ "R", "-e", "shinyproxy::run_01_hello()" ]
        container-image: openanalytics/shinyproxy-demo
        access-groups: [ scientists, mathematicians ]
      - id: 06_tabsets
        container-cmd: [ "R", "-e", "shinyproxy::run_06_tabsets()" ]
        container-image: openanalytics/shinyproxy-demo
        access-groups: scientists
      - id: rstudio
        displayName: RStudio
        description: RStudio
        containerImage: openanalytics/shinyproxy-rstudio-ide-demo:1.4.1106__4.0.4
        port: 8787
        container-env:
          DISABLE_AUTH: true
          WWW_ROOT_PATH: "#{proxySpec.containerSpecs[0].env.get('SHINYPROXY_PUBLIC_PATH')}"
  kubernetesPodTemplateSpecPatches: |
    - op: add
      path: /spec/containers/0/env/-
      value:
        name: REDIS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: redis-password
            key: password
    - op: add
      path: /spec/containers/0/resources
      value:
        limits:
          cpu: 1
        requests:
          cpu: 0.5
    - op: add
      path: /spec/serviceAccountName
      value: shinyproxy-sa
    - op: replace
      path: /spec/containers/0/startupProbe
      value:
        httpGet:
          path: /actuator/health/liveness
          port: 9090
          scheme: HTTP
        timeoutSeconds: 3
        periodSeconds: 5
        successThreshold: 1
        failureThreshold: 6
        initialDelaySeconds: 60
  image: openanalytics/shinyproxy:2.6.0
  imagePullPolicy: Always
  fqdn: shinyproxy-demo.local
```
Thank you a lot for your time
Hi
Can you explain a bit more what does not work? Is the pod with ShinyProxy not deployed? Or does it not start up? Or does SAML simply not work? Can you provide some logs of the operator and ShinyProxy?
Thanks
BTW it seems that the `proxy.saml.app-base-url` is wrong. You have configured it as http://localhost:8080 but that probably won't work in a k8s cluster. It should be the URL that your users see in the browser when you access the ShinyProxy environment. This is similar to what you configured in the `proxy.fqdn` property.
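An added illustration of the mismatch raised in the comment above (not part of the thread and not ShinyProxy code): a Python check that compares the SAML URLs in a parsed `spec` against `fqdn` and `secureCookies`. The function name `check_saml_urls`, the already-parsed dict input, and the `https` scheme in the corrected sample are assumptions.

```python
from urllib.parse import urlparse, parse_qs

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def check_saml_urls(spec):
    """Return a list of findings for a parsed ShinyProxy `spec` mapping."""
    findings = []
    saml = spec.get("proxy", {}).get("saml", {})
    fqdn = spec.get("fqdn")
    secure = spec.get("server", {}).get("secureCookies", False)

    base = urlparse(saml.get("app-base-url", ""))
    if not base.hostname:
        return ["app-base-url is missing or not an absolute URL"]
    if base.hostname in LOOPBACK:
        findings.append("app-base-url points at a loopback host")
    if fqdn and base.hostname != fqdn:
        findings.append(f"app-base-url host {base.hostname!r} differs from fqdn {fqdn!r}")
    if secure and base.scheme != "https":
        findings.append("secureCookies is true but app-base-url is not https")

    # The logout-url on the page carries a returnTo parameter; after logout
    # the browser should land on the same public host as the application.
    expected = fqdn or base.hostname
    query = parse_qs(urlparse(saml.get("logout-url", "")).query)
    for target in query.get("returnTo", []):
        host = urlparse(target).hostname
        if host != expected:
            findings.append(f"logout-url returnTo host {host!r} differs from {expected!r}")
    return findings

# Constructed inputs: the relevant keys as posted in the issue (placeholders kept),
# and a corrected variant that assumes the public URL is https://<fqdn>.
AS_POSTED = {
    "fqdn": "shinyproxy-demo.local",
    "server": {"secureCookies": True},
    "proxy": {"saml": {
        "app-base-url": "http://localhost:8080",
        "logout-url": "https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=http://localhost:8080",
    }},
}
CORRECTED = {
    "fqdn": "shinyproxy-demo.local",
    "server": {"secureCookies": True},
    "proxy": {"saml": {
        "app-base-url": "https://shinyproxy-demo.local",
        "logout-url": "https://XXXXX/v2/logout?client_id=XXXXXX&returnTo=https://shinyproxy-demo.local",
    }},
}

if __name__ == "__main__":
    for finding in check_saml_urls(AS_POSTED):
        print("FINDING:", finding)
```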
Hi,
I can create a new pod of shinyproxy, the operator also works as it should but I can't find any way to be able to run an application with a modified config file. The application stops at the moment -> see log and then restarts continuously.
Yes, localhost:8080 doesn't make sense here, but if I understand correctly, the application should be able to start despite this configuration mistake. Am I right?
LOG from shinyproxy pod
:: Spring Boot :: (v2.3.12.RELEASE)
2021-12-12 17:33:38.355 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode!
2021-12-12 17:33:38.361 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2021-12-12 17:33:38.678 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 216ms. Found 0 Redis repository interfaces.
2021-12-12 17:33:49.255 INFO 1 --- [ main] e.o.c.service.IdentifierService : ShinyProxy runtimeId: whdc
2021-12-12 17:33:50.455 INFO 1 --- [ main] e.o.c.service.IdentifierService : ShinyProxy instanceID (hash of config): c056db7b293c8828a1cdd4fd27211821cde4a0f5
2021-12-12 17:33:50.456 INFO 1 --- [ main] e.o.c.service.IdentifierService : ShinyProxy realmId: shinyproxy
2021-12-12 17:33:56.872 WARN 1 --- [ main] io.undertow.websockets.jsr : UT026010: Buffer pool was not set on WebSocketDeploymentInfo, the default pool will be used
2021-12-12 17:33:57.183 INFO 1 --- [ main] io.undertow.servlet : Initializing Spring embedded WebApplicationContext
2021-12-12 17:33:57.184 INFO 1 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 29612 ms
Operator log
17:30:26.478 [0.103.128.1/...] DEBUG eu.op.sh.co.ReplicaSetFactory - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Component/ReplicaSet] Created sp-shinyproxy-rs-c056db7b293c8828a1cdd4fd27211821cde4a0f5
17:30:26.479 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Add component] [Component/ReplicaSet]
17:30:26.485 [0.103.128.1/...] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.486 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:26.487 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update component] [Component/ReplicaSet]
17:30:26.492 [0.103.128.1/...] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.492 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.492 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.493 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:26.494 [0.103.128.1/...] DEBUG eu.op.sh.co.ResourceListener - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update component] [Component/ReplicaSet]
17:30:26.499 [0.103.128.1/...] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:26.500 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:27.033 [atcher-worker-2] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] ShinyProxyInstance has no running apps and is not the latest version => removing this instance
17:30:27.034 [atcher-worker-2] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 1/3]: Update status
17:30:27.034 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/global] Trying to update status (attempt 1/5)
17:30:27.054 [0.103.128.1/...] DEBUG eu.op.sh.co.ShinyProxyListener - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update]
17:30:27.054 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/global] Status successfully updated
17:30:27.055 [atcher-worker-2] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 2/3]: Update Ingress
17:30:27.099 [atcher-worker-2] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:30:27.100 [atcher-worker-2] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
17:30:57.058 [atcher-worker-2] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/3b29815c5e7c7091b6c3bf82f567caea6196a340] DeleteSingleShinyProxyInstance [Step 3/3]: Delete resources
17:30:57.071 [0.103.128.1/...] WARN eu.op.sh.co.ResourceListener - [ReplicaSet] [shinyproxy/sp-shinyproxy-rs-3b29815c5e7c7091b6c3bf82f567caea6196a340] Cannot find hash of instance for this resource - probably the resource is being deleted
17:30:57.078 [0.103.128.1/...] WARN eu.op.sh.co.ResourceListener - [ConfigMap] [shinyproxy/sp-shinyproxy-cm-3b29815c5e7c7091b6c3bf82f567caea6196a340] Cannot find hash of instance for this resource - probably the resource is being deleted
17:37:09.459 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyListener - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Event/Update]
17:37:09.482 [pool-3-thread-1] INFO eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 0/6: Ok] ReconcileSingleShinyProxy
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 1/6: Ok] [Component/ConfigMap]
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 2/6: Ok] [Component/ReplicaSet]
17:37:09.483 [pool-3-thread-1] DEBUG eu.op.sh.co.ShinyProxyController - [shinyproxy/shinyproxy/c056db7b293c8828a1cdd4fd27211821cde4a0f5] [Step 3/6: Waiting] [Component/ReplicaSet] ReplicaSet not ready
Hi
I think there may be a misunderstanding about how the operator works. You mention:
> but I can't find any way to be able to run an application with a modified config file. The application stops at the moment -> see log and then restarts continuously.
If you update the shinyproxy resource, the operator will launch a new ShinyProxy pod with the updated configuration file. If nobody is using the old ShinyProxy server, it will cleanup (i.e. remove) the old ShinyProxy server. This is expected behavior. As a user, you should not notice this and it should feel like you are using only one ShinyProxy server.
Does this help? If not, can you try to explain more clearly what is going on? Can you show the k8s events added to the ShinyProxy pod as well (e.g. using `kubectl describe pod/...`)?