Commit

log
paulineribeyre committed Jan 9, 2020
1 parent: 8376d63, commit: 598e755
Showing 3 changed files with 13 additions and 5 deletions.
6 changes: 3 additions & 3 deletions docs/fence_shibboleth.md
@@ -7,7 +7,7 @@ Shibboleth Single Sign-On and Federating Software is a standards based, open sou

Shibboleth is part of the InCommon Trusted Access Platform, an IAM software suite that is packaged for easy installation and configuration. InCommon operates the identity management federation for U.S. research and education, and their sponsored partners. InCommon uses SAML-based authentication and authorization systems (such as Shibboleth) to enable scalable, trusted collaborations among its community of participants.

To enable InCommon login, Shibboleth must be set up in a multi-tenant Fence instance, which lets us log in through InCommon by specifying the `shib_idp` parameter (as of Fence release 4.7.0 and Fence-shib release 2.7.2). If no `shib_idp` is specified (or if using an earlier Fence version), users will be redirected to the NIH login page by default.
To enable InCommon login, Shibboleth must be set up in a multi-tenant Fence instance, which lets us log in through InCommon by specifying the `shib_idp` parameter (as of Fence release 4.7.0 and Fenceshib release 2.7.2). If no `shib_idp` is specified (or if using an earlier Fence version), users will be redirected to the NIH login page by default.

Note that in Fence, we use the terms "Shibboleth" and "InCommon" interchangeably.
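Review bot: the rename from `Fence-shib` to `Fenceshib` in the added line brings this sentence in line with the `Fenceshib pod` wording used further down in this file, so the change itself is fine. Since the same sentence documents that a request with no `shib_idp` silently falls back to the NIH login page, it is worth one extra clause telling operators to confirm which IdP their clients actually land on: a missing parameter produces a working but unintended login rather than an error.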

@@ -26,7 +26,7 @@ After the user logs in and is redirected to `/login/shib/login`, we get the `epp
Notes about the NIH login implementation:
- NIH login is used as the default when the `idp` is fence and no `shib_idp` is specified (for backwards compatibility).
- NIH login requires special handling because it uses slightly different login endpoints than other InCommon providers.
- When a user logs into NIH with an eRA commons ID, only the `persistent-id` is returned. For other NIH logins, both `eppn` and `persistent-id` are returned. This is why when a user logs in through NIH, we use the `persistent-id` as the username even when the `eppn` is provided (for backwards compatibility).
- When a user logs into NIH with an eRA commons ID, only the `persistent-id` is returned. For other NIH logins, both `eppn` and `persistent-id` are returned. When a user logs in through NIH, we use the `persistent-id` as the username even when the `eppn` is provided for backwards compatibility.

## Configuration
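Review bot: moving `for backwards compatibility` to the end of the sentence in the added line makes it ambiguous whether the qualifier explains using `persistent-id` as the username or explains ignoring `eppn`; the removed line's `This is why ...` was at least unambiguous. Suggest `..., we use the `persistent-id` as the username (for backwards compatibility) even when the `eppn` is provided.` Keeping the reason explicit matters because the username is the identity key for authorization: if NIH logins were keyed on `eppn` while eRA Commons logins (which only return `persistent-id`) stay on `persistent-id`, the same person could end up as two Fence users.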

@@ -54,7 +54,7 @@ The Shibboleth configuration can be checked inside the Fenceshib pod under `/etc

### In the Commons which is set up with InCommon login

Register an OIDC client using [this `fence-create` command](https://github.com/uc-cdis/fence#register-internal-oauth-client), the redirect url should be `<COMMONS_URL>/user/login/fence/login`.
You will need to register this Fence as an OIDC client to the multi-tenant Fence using [this `fence-create` command](https://github.com/uc-cdis/fence#register-internal-oauth-client), the redirect url should be `<COMMONS_URL>/user/login/fence/login`.

The Fence configuration enables the `fence` provider (multi-tenant Fence setup) with the `shibboleth` provider (provider to be used by the multi-tenant Fence instance):
```
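Review bot: the added line is a comma splice (`... command](...), the redirect url should be ...`); split it, e.g. `... using [this `fence-create` command](...). The redirect URL must be `<COMMONS_URL>/user/login/fence/login`.` Also state whether the registered value has to match the redirect URL Fence sends exactly, since `should be` reads as advisory and the redirect URL is the value the OIDC client registration is validated against.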
Binary file removed docs/images/seq_diagrams/shibboleth_flow.png
12 changes: 10 additions & 2 deletions fence/sync/sync_users.py
@@ -664,7 +664,7 @@ def sync_to_db_and_storage_backend(self, user_project, user_info, sess):
for ua in sess.query(AccessPrivilege).all()
}

# we need to compare db -> whitelist case-insensitively for username
# we need to compare db -> whitelist case-insensitively for username.
# db stores case-sensitively, but we need to query case-insensitively
user_project_lowercase = {}
syncing_user_project_list = set()
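Review bot: with the period added to the first comment line, the following line `# db stores case-sensitively, but we need to query case-insensitively` now reads as a separate sentence that starts lowercase and has no terminator; either capitalize it and end it with a period, or drop the new period and keep the two lines as one sentence. Trivial, but since this hunk only touches punctuation it should at least be consistent.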
@@ -1000,6 +1000,7 @@ def _sync(self, sess):
user_projects, user_info = self._parse_csv(
dict(list(zip(dbgap_file_list, permissions))), encrypted=True, sess=sess
)
self.logger.info("user_projects 1:\n{}".format(user_projects))
try:
shutil.rmtree(tmpdir)
except OSError as e:
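Review bot: the added `self.logger.info("user_projects 1:\n{}".format(user_projects))` writes the whole mapping parsed from the dbGaP CSVs, i.e. every username together with the projects it is authorized on, into the log at INFO on every sync. That is user identifiers plus authorization data landing in whatever aggregates the logs; prefer `self.logger.debug(...)` with a descriptive label such as `user_projects after parsing dbGaP CSVs` instead of a bare sequence number, or log only `len(user_projects)` at INFO.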
@@ -1033,10 +1034,13 @@ def _sync(self, sess):
key.lower(): value for key, value in user_projects_csv.items()
}
user_projects = {key.lower(): value for key, value in user_projects.items()}
self.logger.info("user_projects 2:\n{}".format(user_projects))
user_yaml.projects = {
key.lower(): value for key, value in user_yaml.projects.items()
}

self.logger.info("user_projects 3 (user_yaml.projects):\n{}".format(user_yaml.projects))

# merge all user info dicts into "user_info".
# the user info (such as email) in the user.yaml files
# overrides the user info from the CSV files.
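Review bot: the added line `self.logger.info("user_projects 3 (user_yaml.projects):\n{}".format(user_yaml.projects))` is well over the usual line length and will be rewrapped if the repository runs black or a similar formatter; split the format call across lines. Same level concern as the other additions in this commit: both new lines dump full user-to-project mappings at INFO, so they belong at `debug` unless that output is meant to be retained in production logs.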
@@ -1048,12 +1052,15 @@ def _sync(self, sess):
# ["read"] and the CSV file access is ["read-storage"], the
# resulting access is ["read", "read-storage"].
self.sync_two_phsids_dict(user_projects_csv, user_projects)
self.logger.info("user_projects 4:\n{}".format(user_projects))
self.sync_two_phsids_dict(user_yaml.projects, user_projects)
self.logger.info("user_projects 5:\n{}".format(user_projects))

if self.parse_consent_code:
self._grant_all_consents_to_c999_users(
user_projects, user_yaml.project_to_resource
)
self.logger.info("user_projects 6:\n{}".format(user_projects))

# update the Fence DB
if user_projects:
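Review bot: the three added lines log the full `user_projects` mapping at INFO three times within a dozen lines (`4` after the CSV merge, `5` after the user.yaml merge, `6` after consent expansion), and each dump is at least as large as the previous one because `sync_two_phsids_dict` only unions access, as the comment above it describes. If the intent is to see what each merge step contributed, log the difference or a count per step at INFO and keep the full dump at `debug`; otherwise a single dump after `_grant_all_consents_to_c999_users` carries the same information at a third of the volume.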
@@ -1285,7 +1292,7 @@ def _update_authz_in_arborist(self, session, user_projects, user_yaml=None):
if not healthy:
return False

self.logger.debug("user_projects: {}".format(user_projects))
self.logger.debug("user_projects 7:\n{}".format(user_projects))

if user_yaml:
self.logger.debug("useryaml abac: {}".format(user_yaml.user_abac))
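Review bot: this line is already at `debug`, so after this change the numbered sequence `user_projects 1` through `8` is split across two log levels: a reader filtering at INFO sees 1 to 6 and 8 but never 7, which defeats the purpose of numbering them. Either keep all of them at one level or replace the numbers with stage labels (here, `before arborist update`). The `\n` inserted before the mapping also breaks the one-record-per-line form that log shippers generally expect; the removed line's single-line format was easier to parse.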
@@ -1319,6 +1326,7 @@ def _update_authz_in_arborist(self, session, user_projects, user_yaml=None):

# update the project info with users from arborist
self.sync_two_phsids_dict(arborist_user_projects, user_projects)
self.logger.info("user_projects 8:\n{}".format(user_projects))

for username, user_project_info in user_projects.items():
self.logger.info("processing user `{}`".format(username))
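Review bot: the added dump `user_projects 8` at INFO is immediately followed by the existing per-user loop, which already logs `processing user ...` for every key of the same mapping, so the full-mapping dump is redundant with the lines the loop produces and doubles the username and project data written per sync. Drop it, or keep it at `debug` with a stage label such as `after merging arborist users`.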