Re: [thredds] GRIB Collection Trigger


[SOLVED]

I have my TDS running on a Tomcat 6 server which is also serving other webapps (like Geoportal). I needed to restrict access to my data (via MySQL user database), but not require the same restriction to the other webapps on the server. To do this, I placed my tomcat realm (DatasourceRealm) in the context of the THREDDS webapp (META-INF/context.xml).

However, the UserDatabaseRealm (which references the tomcat-users.xml file) was still a global level resource that wasn't being seen by THREDDS since TDS authentication was being granted at the context level and therefore ignoring the global level resources. (assuming I know what the hell I'm talking about)

I used a CombinedRealm within the THREDDS context (as well as placing the UserDatabaseRealm Resource) in the context.xml. See

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm

and now THREDDS is picking up my changes to my tomcat-users.xml file and the triggering works!

Hope this is useful to anyone else who stumbles into this.

-kevin.


So my thredds/META-INF/context.xml now looks like:

<!-- edu.ucar.rda.RDARealms.RDA_DataSourceRealm is extended custom DataSourceRealm -->

    <Realm className="org.apache.catalina.realm.CombinedRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <Realm className="edu.ucar.rda.RDARealms.RDA_DataSourceRealm" debug="9"
               dataSourceName="jdbc/dsslogin"
               userCredCol="password" userNameCol="email" userTable="ruser"
               allRolesMode="authOnly"
               localDataSource="true"
        />
    </Realm>


    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

    <!--
         Note, testOnBorrow="true" and validationQuery="/* ping */ SELECT 1"
         were added on 20130730 via http://tomcat.10.x6.nabble.com/DataSourceRealm-failed-to-retrieve-password-after-tomcat-server-being-idle-overnight-td2159311.html
         in an attempt to stop the issue of requiring multiple logins after
         server was idle for a while
         See also: http://www.mail-archive.com/users@xxxxxxxxxxxxxxxxx/msg101157.html
         ==KLM 20130730==
    -->
    <Resource name="jdbc/dsslogin" auth="Container" type="javax.sql.DataSource"
              maxActive="100" maxIdle="30" maxWait="10000"
              username="****" password="****" driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://mysqlserver:port/db"
              testOnBorrow="true"
              validationQuery="/* ping */ SELECT 1"
    />
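
Added example, not part of the original message and not THREDDS or Tomcat code: a small Python check for the situation described above, where a realm declared in the webapp's context.xml replaces the server-level UserDatabaseRealm so that tomcat-users.xml roles never apply. The function names and the trimmed sample XML are constructed for illustration; the realm class names are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

COMBINED = "org.apache.catalina.realm.CombinedRealm"
USER_DB = "org.apache.catalina.realm.UserDatabaseRealm"
RDA = "edu.ucar.rda.RDARealms.RDA_DataSourceRealm"  # class name from the post

# Constructed inputs: <Context> wrappers added, realm attributes trimmed.
BEFORE = f'<Context><Realm className="{RDA}"/></Context>'
AFTER = (f'<Context><Realm className="{COMBINED}">'
         f'<Realm className="{USER_DB}" resourceName="UserDatabase"/>'
         f'<Realm className="{RDA}"/></Realm></Context>')
USERS = ('<tomcat-users>'
         '<user name="trig" password="****" roles="tdsTrigger"/>'
         '<user name="conf" password="****" roles="tdsConfig,tdsTrigger"/>'
         '</tomcat-users>')

def effective_realms(context_xml):
    """Realm classes the webapp consults, in order. A <Realm> in the context
    replaces the server-level realm; a CombinedRealm is flattened."""
    found = []
    def walk(realm):
        if realm.get("className") == COMBINED:
            for nested in realm.findall("Realm"):
                walk(nested)
        else:
            found.append(realm.get("className"))
    for realm in ET.fromstring(context_xml).findall("Realm"):
        walk(realm)
    return found

def roles_by_user(users_xml):
    """Map each tomcat-users.xml user to its set of roles."""
    table = {}
    for user in ET.fromstring(users_xml).findall("user"):
        name = user.get("username") or user.get("name")
        table[name] = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    return table

def audit(context_xml, users_xml, needed_roles):
    """Return findings that would keep tomcat-users.xml roles from applying."""
    findings = []
    realms = effective_realms(context_xml)
    if realms and USER_DB not in realms:
        findings.append("context realm replaces UserDatabaseRealm; tomcat-users.xml is not consulted")
    granted = set().union(*roles_by_user(users_xml).values())
    findings += [f"no user holds role {r}" for r in needed_roles if r not in granted]
    return findings

if __name__ == "__main__":
    for label, ctx in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(ctx, USERS, ["tdsTrigger", "tdsConfig"]))
```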





On 8/5/13 2:10 PM, Kevin Manross wrote:

Yeah - I think I'm somehow shutting out the UserDatabaseRealm/MemoryRealm with the "contextual" configuration of my DSR. I'll keep playing with it.

Yep - restarted the server numerous times while playing with the roles/passwords in the tomcat-users.xml file.

Thanks!

-kevin.


On 8/5/13 2:00 PM, John Caron wrote:
Hi Kevin:

I think DataResourceRealm uses a database, and is an alternative to UserDatabaseRealm and MemoryRealm, which uses tomcat-users.xml. So I'm not sure exactly what you are doing. Google Tomcat Realms; if you can't clear it up, send me server.xml offline.

John

PS also, to ask the obvious, did you restart tomcat server?



On 8/5/2013 11:21 AM, Kevin Manross wrote:

Sorry, I should have said that I tried this with the tdsConfig user but got denied. Please note the discrepancy between the roles shown in my "showSecurity" output and the tomcat-users.xml. Would this cause the problem? I've restarted tomcat numerous times and I don't see the tdsTrigger role showing up in the "showSecurity" page.

FWIW - I have my data access restricted via context (using DataResourceRealm) however I have the default UserDatabaseRealm in my server.xml.

-kevin.


On 8/2/13 5:03 PM, John Caron wrote:
Hi Kevin:

Since your trig user has only the tdsTrigger role, you can't log in; you need the tdsConfig role for that.

The trig user can only hit the URL to trigger an update. The URL for the actual trigger is

https://server:port/thredds/admin/collection/trigger?collection=<name>, where name is the collection name

let me know if that works.

John

On 8/2/2013 2:10 PM, Kevin Manross wrote:
I have been trying to get the trigger feature to work with my GRIB
collection.

My catalog has the following:

     </gribConfig>
     <update startup="true" rescan="0 0 0 * * ? *" trigger="allow"/>
   </featureCollection>


My tomcat-users.xml file is set to:

<role rolename="tdsTrigger"/>
<role rolename="tdsConfig"/>
<role rolename="tdsMonitor"/>
<user name="trig" password="****" roles="tdsTrigger"/>
<user name="conf" password="****" roles="tdsConfig,tdsTrigger"/>
<user name="mon" password="****"
roles="manager,tdsTrigger,tdsConfig,tdsMonitor"/>

I'm seeing no errors in my thredds/logs files.

fc.ds083.2.log shows

updateConfig =UpdateConfig{startup=true, recheckAfter='null', rescan='0 0 0 * * ? *', triggerOk=true, deleteAfter=null}

I am unable to log in with my trig user.  When I log in with the conf
user, I get the following

https://castle.ucar.edu:8443/thredds/admin/debug?General/showSecurity

Debug Actions

Cmd= General/showSecurity
Security Info
   req.getRemoteUser(): tdsConfig
   req.getUserPrincipal(): GenericPrincipal[tdsConfig(tdsConfig,)]
   req.isUserInRole(admin):false
   ------------------

Likewise, with the mon user, I get:

Debug Actions

Cmd= General/showSecurity
Security Info
   req.getRemoteUser(): tdsMonitor
   req.getUserPrincipal(): GenericPrincipal[tdsMonitor(manager,tdsConfig,tdsMonitor,)]
   req.isUserInRole(admin):false
   ------------------

It seems as if THREDDS isn't getting the tomcat-users.xml information properly.

I just updated to 4.1.18 today.

-kevin.


--
Kevin Manross
NCAR/CISL/Data Support Section
Phone: (303)-497-1218
Email:manross@xxxxxxxx  <mailto:manross@xxxxxxxx>
Web:http://rda.ucar.edu


_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe,  
visit:http://www.unidata.ucar.edu/mailing_lists/
