[SOLVED]
I have my TDS running on a Tomcat 6 server which is also serving other
webapps (like Geoportal). I needed to restrict access to my data (via
MySQL user database), but not require the same restriction to the other
webapps on the server. To do this, I placed my tomcat realm
(DatasourceRealm) in the context of the THREDDS webapp
(META-INF/context.xml).
However, the UserDatabaseRealm (which references the tomcat-users.xml
file) was still a global level resource that wasn't being seen by
THREDDS since TDS authentication was being granted at the context level
and therefore ignoring the global level resources. (assuming I know what
the hell I'm talking about)
I used a CombinedRealm within the THREDDS context (as well as placing
the UserDatabaseRealm Resource) in the context.xml. See
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
and now THREDDS is picking up my changes to my tomcat-users.xml file and
the triggering works!
Hope this is useful to anyone else who stumbles into this.
-kevin.
So my thredds/META-INF/context.xml now looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!-- thredds/META-INF/context.xml; the root <Context> element is shown here so the
     fragment is a complete file -->
<Context>
  <!-- edu.ucar.rda.RDARealms.RDA_DataSourceRealm is an extended custom DataSourceRealm -->
  <!-- CombinedRealm asks each nested realm in order; the first one that accepts the
       credentials authenticates the user -->
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <!-- users and roles from tomcat-users.xml (trig, conf, mon with tdsTrigger/tdsConfig/...) -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <!-- MySQL-backed users for the restricted data. localDataSource="true" makes the
         realm look dataSourceName up in this context's own JNDI, i.e. the jdbc/dsslogin
         Resource below. With no digest attribute the stock DataSourceRealm compares the
         stored column to the submitted password as-is. The debug attribute is a leftover
         from older Tomcat releases and has no effect on Tomcat 6. -->
    <Realm className="edu.ucar.rda.RDARealms.RDA_DataSourceRealm"
           debug="9"
           dataSourceName="jdbc/dsslogin"
           userCredCol="password" userNameCol="email" userTable="ruser"
           allRolesMode="authOnly"
           localDataSource="true"
           />
  </Realm>
  <!-- Per the Tomcat 6 realm how-to, UserDatabaseRealm resolves resourceName against the
       server's GlobalNamingResources (server.xml); this context-level copy of the same
       resource is not the one the realm reads. -->
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml" />
  <!--
  Note, testOnBorrow="true" and validationQuery="/* ping */ SELECT 1"
  were added on 20130730 via
  http://tomcat.10.x6.nabble.com/DataSourceRealm-failed-to-retrieve-password-after-tomcat-server-being-idle-overnight-td2159311.html
  in an attempt to stop the issue of requiring multiple logins after
  server was idle for a while
  See also:
  http://www.mail-archive.com/users@xxxxxxxxxxxxxxxxx/msg101157.html
  ==KLM 20130730==
  -->
  <!-- connection pool used by the DataSourceRealm; credentials elided -->
  <Resource name="jdbc/dsslogin" auth="Container"
            type="javax.sql.DataSource"
            maxActive="100" maxIdle="30" maxWait="10000"
            username="****" password="****"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://mysqlserver:port/db"
            testOnBorrow="true"
            validationQuery="/* ping */ SELECT 1"
            />
</Context>
On 8/5/13 2:10 PM, Kevin Manross wrote:
Yeah - I think I'm somehow shutting out the
UserDatabaseRealm/MemoryRealm with the "contextual" configuration of
my DSR. I'll keep playing with it.
Yep - restarted the server numerous times while playing with the
roles/passwords in the tomcat-users.xml file.
Thanks!
-kevin.
On 8/5/13 2:00 PM, John Caron wrote:
Hi Kevin:
I think DataResourceRealm uses a database, and is an alternative to
UserDatabaseRealm and MemoryRealm, which uses tomcat-users.xml. So I'm
not sure exactly what you are doing. Google Tomcat Realms; if you
can't clear it up, send me server.xml offline.
John
PS also, to ask the obvious, did you restart tomcat server?
On 8/5/2013 11:21 AM, Kevin Manross wrote:
Sorry, I should have said that I tried this with the tdsConfig user
but got denied. Please note the discrepancy between the roles shown
in my "showSecurity" output and the tomcat-users.xml. Would this
cause the problem? I've restarted tomcat numerous times and I don't
see the tdsTrigger role showing up in the "showSecurity" page.
FWIW - I have my data access restricted via context (using
DataResourceRealm) however I have the default UserDatabaseRealm in
my server.xml.
-kevin.
On 8/2/13 5:03 PM, John Caron wrote:
Hi Kevin:
since your trig user has only the tdsTrigger role, you can't log in; you need
the tdsConfig role for that.
the trig user can only hit the URL to trigger an update. The URL for the actual
trigger is
https://server:port/thredds/admin/collection/trigger?collection=<name>, where
name is the collection name
let me know if that works.
John
On 8/2/2013 2:10 PM, Kevin Manross wrote:
I have been trying to get the trigger feature to work with my GRIB
collection.
My catalog has the following:
</gribConfig>
<update startup="true" rescan="0 0 0 * * ? *" trigger="allow"/>
</featureCollection>
My tomcat-users.xml file is set to:
<tomcat-users>
  <role rolename="tdsTrigger"/>
  <role rolename="tdsConfig"/>
  <role rolename="tdsMonitor"/>
  <!-- Tomcat's MemoryUserDatabase accepts either username="..." or name="..." -->
  <user name="trig" password="****" roles="tdsTrigger"/>
  <user name="conf" password="****" roles="tdsConfig,tdsTrigger"/>
  <!-- "manager" is not a TDS role; on Tomcat 6 it grants the Manager webapp -->
  <user name="mon" password="****"
        roles="manager,tdsTrigger,tdsConfig,tdsMonitor"/>
</tomcat-users>
I'm seeing no errors in my thredds/logs files.
fc.ds083.2.log shows
updateConfig =UpdateConfig{startup=true, recheckAfter='null', rescan='0
0 0 * * ? *', triggerOk=true, deleteAfter=null}
I am unable to log in with my trig user. When I log in with the conf
user, I get the following
https://castle.ucar.edu:8443/thredds/admin/debug?General/showSecurity
Debug Actions
Cmd= General/showSecurity
Security Info
req.getRemoteUser(): tdsConfig
req.getUserPrincipal(): GenericPrincipal[tdsConfig(tdsConfig,)]
req.isUserInRole(admin):false
------------------
Likewise, with the mon user, I get:
Debug Actions
Cmd= General/showSecurity
Security Info
req.getRemoteUser(): tdsMonitor
req.getUserPrincipal():
GenericPrincipal[tdsMonitor(manager,tdsConfig,tdsMonitor,)]
req.isUserInRole(admin):false
------------------
It seems as if THREDDS isn't getting the tomcat-users.xml information
properly.
I just updated to 4.1.18 today.
-kevin.
--
Kevin Manross
NCAR/CISL/Data Support Section
Phone: (303)-497-1218
Email:manross@xxxxxxxx <mailto:manross@xxxxxxxx>
Web:http://rda.ucar.edu
_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe,
visit:http://www.unidata.ucar.edu/mailing_lists/
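The realm and role wiring the thread settles on, as an added example that is not part of any message above and is not THREDDS or Tomcat code: a small Python lint that parses a context.xml and a tomcat-users.xml. Both inputs are constructed from the fragments posted in the thread (passwords elided) and embedded inline; the rules encode what the thread and the Tomcat 6 realm how-to state, namely that localDataSource="true" needs a javax.sql.DataSource Resource in the same context, that UserDatabaseRealm resolves resourceName globally, and that tdsTrigger only allows the trigger URL while tdsConfig is needed to log in to the admin pages. The "manager" and cleartext-password checks are the lint's own least-privilege warnings.

```python
# Added example: lint the Tomcat realm chain and TDS roles discussed in this thread.
# Not THREDDS or Tomcat code. The two XML strings are constructed from the fragments
# posted above (passwords elided); the rules encode the Tomcat 6 realm how-to and the
# role meanings given in the thread (tdsTrigger: trigger URL only; tdsConfig: admin login).
import xml.etree.ElementTree as ET

CONTEXT_XML = """<Context>
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    <Realm className="edu.ucar.rda.RDARealms.RDA_DataSourceRealm"
           dataSourceName="jdbc/dsslogin" userCredCol="password" userNameCol="email"
           userTable="ruser" allRolesMode="authOnly" localDataSource="true"/>
  </Realm>
  <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
            pathname="conf/tomcat-users.xml"/>
  <Resource name="jdbc/dsslogin" auth="Container" type="javax.sql.DataSource"
            username="****" password="****" driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://mysqlserver:port/db"
            testOnBorrow="true" validationQuery="/* ping */ SELECT 1"/>
</Context>"""

TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tdsTrigger"/>
  <role rolename="tdsConfig"/>
  <role rolename="tdsMonitor"/>
  <user name="trig" password="****" roles="tdsTrigger"/>
  <user name="conf" password="****" roles="tdsConfig,tdsTrigger"/>
  <user name="mon" password="****" roles="manager,tdsTrigger,tdsConfig,tdsMonitor"/>
</tomcat-users>"""

TDS_ROLES = {"tdsTrigger", "tdsConfig", "tdsMonitor"}


def realm_chain(root):
    """Flatten the <Realm> elements: a CombinedRealm contributes its children, in order."""
    chain = []
    for realm in root.findall("Realm"):
        if realm.get("className", "").endswith("CombinedRealm"):
            chain.extend(realm.findall("Realm"))
        else:
            chain.append(realm)
    return chain


def lint_context(xml_text):
    """Return (level, message) findings about realm/resource wiring in a context.xml."""
    root = ET.fromstring(xml_text)
    resources = {r.get("name"): r for r in root.findall("Resource")}
    findings = []
    for realm in realm_chain(root):
        cls = realm.get("className", "")
        if "DataSourceRealm" in cls:
            ds = realm.get("dataSourceName")
            res = resources.get(ds)
            # localDataSource="true" means the pool is looked up in this context's JNDI,
            # so the matching <Resource> has to be defined in the same file.
            if realm.get("localDataSource") == "true" and res is None:
                findings.append(("error", f'{cls}: localDataSource="true" but no <Resource name="{ds}"> in this context'))
            elif res is not None and res.get("type") != "javax.sql.DataSource":
                findings.append(("error", f'<Resource name="{ds}"> is not a javax.sql.DataSource'))
            # Without digest="..." a stock DataSourceRealm compares the stored column to
            # the submitted password verbatim, i.e. the table holds cleartext passwords.
            if realm.get("digest") is None:
                col = realm.get("userCredCol")
                findings.append(("warn", f'{cls}: no digest attribute; column "{col}" is compared in cleartext'))
        elif cls.endswith("UserDatabaseRealm"):
            # Per the Tomcat 6 realm how-to, resourceName names a global UserDatabase
            # resource (server.xml), so a same-named context <Resource> is not the one read.
            name = realm.get("resourceName")
            if name in resources:
                findings.append(("info", f'UserDatabaseRealm reads the global "{name}" resource, not the context-level copy'))
    return findings


def user_capabilities(xml_text):
    """Map each tomcat-users.xml user to what its roles allow on the TDS admin URLs."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.findall("role")}
    caps = {}
    for user in root.findall("user"):
        name = user.get("username") or user.get("name")  # MemoryUserDatabase accepts either
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        caps[name] = {
            "trigger": "tdsTrigger" in roles,          # may hit /thredds/admin/collection/trigger
            "admin_login": "tdsConfig" in roles,       # may log in to the /thredds/admin pages
            "monitor": "tdsMonitor" in roles,
            "outside_tds": sorted(roles - TDS_ROLES),  # e.g. "manager": the Tomcat 6 Manager app
            "undeclared": sorted(roles - declared),    # no <role/> line; Tomcat creates them anyway
        }
    return caps


if __name__ == "__main__":
    for level, msg in lint_context(CONTEXT_XML):
        print(f"[{level}] {msg}")
    for user, cap in user_capabilities(TOMCAT_USERS_XML).items():
        print(user, cap)
```

Run it as-is to see the findings for the posted configuration; point CONTEXT_XML and TOMCAT_USERS_XML at your own files to check a deployment. The error level is reserved for wiring that would stop the DataSourceRealm from authenticating at all; cleartext credentials and non-TDS roles such as "manager" are reported so they can be reviewed, not rejected.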