Editing style requires authentication #11282

Open
NyakudyaA opened this issue Jul 20, 2023 · 8 comments

@NyakudyaA
Contributor

Problem

When running GeoNode in a Kubernetes cluster and trying to update the style, you encounter the following:

image

This is due to the checkpoint URLs which are being written to the ${GEOSERVER_DATA_DIR}/security/role/geonode REST role service/config.xml as http://geonode:80/api/o/v4/tokeninfo/

Solution

  • Update set_geoserver_auth.sh to the following
    # Setting new substituted value
    case $i in
        proxyBaseUrl )
            if [ ${GEONODE_LB_HOST_IP} ]
            then
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`
            else
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`
            fi;;
        accessTokenUri |  baseUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`;;
        checkTokenEndpointUrl |userAuthorizationUri | redirectUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

This will allow the checkpoint URL to be https://${GEONODE_LB_HOST_IP}/api/o/v4/tokeninfo/

This also works for docker-compose versions as this changes the checkpoint URL to communicate over the external IP / domain

@AlexGacon

Hello. I managed to have it working on K8s by simply setting the SUBSTITUTION_URL variable to a suitable value.

@mwallschlaeger
Member

Hey, are you using geonode-k8s on this? I run into the same issue there, maybe we can add it to the k8s deployment.

@ridoo
Contributor

ridoo commented Oct 23, 2023

This is due to the checkpoint URLs which are being written to the ${GEOSERVER_DATA_DIR}/security/role/geonode REST role service/config.xml as http://geonode:80/api/o/v4/tokeninfo/

Solution

  • Update set_geoserver_auth.sh to the following
    # Setting new substituted value
    case $i in
        proxyBaseUrl )
            if [ ${GEONODE_LB_HOST_IP} ]
            then
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`
            else
                echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
                newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`
            fi;;
        accessTokenUri |  baseUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$NGINX_BASE_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$NGINX_BASE_URL@"`;;
        checkTokenEndpointUrl |userAuthorizationUri | redirectUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$SUBSTITUTION_URL'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@http://localhost(:8.*0)@$SUBSTITUTION_URL@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

I guess you refer to the set_geoserver_auth.sh part of the latest GeoServer version used by GeoNode v4.3.1. (As far as I know, the GeoServer image used here had been built from the GeoNode project repository).

Seems to be outdated (at least compared with master). SUBSTITUTION_URL seems not to be used anymore:

    case $i in
        authApiKey)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_API_KEY'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_API_KEY@"`;;
        cliendId)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_CLIENT_ID'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_CLIENT_ID@"`;;
        clientSecret)
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$OAUTH2_CLIENT_SECRET'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@.*@$OAUTH2_CLIENT_SECRET@"`;;
        proxyBaseUrl | redirectUri | userAuthorizationUri | logoutUri )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$GEOSERVER_LOCATION'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@^(https?://[^/]+)@${GEOSERVER_LOCATION%/}@"`;;
        baseUrl | accessTokenUri | checkTokenEndpointUrl )
            echo "DEBUG: Editing '$auth_conf_source' for tagname <$i> and replacing its value with '$GEONODE_LOCATION'"
            newvalue=`echo -ne "$tagvalue" | sed -re "s@^(https?://[^/]+)@${GEONODE_LOCATION%/}@"`;;
        *) echo -n "an unknown variable has been found";;
    esac

Note: Some refactoring had been done recently, based on a (longer) discussion to carve out Docker components to a dedicated repository (for transparency and maintenance reasons). In general, all such discussions are also related to the question of how to improve upgrading GeoNode to newer versions.
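
The following is an added example, not part of the thread and not code from the GeoNode repository. It wraps the two `sed` rewrites quoted above in hypothetical helper functions and applies them to the `http://geonode:80/api/o/v4/tokeninfo/` value from the issue; `gis.example.org` and the localhost value are constructed, and `-E` is used as the portable spelling of the thread's `-r`.

```shell
#!/bin/sh
# Added example: function names, example.org and the localhost sample value
# are constructed; only the two sed expressions come from the thread.

# Older rewrite: only matches values beginning http://localhost:8...0.
# $1 = current tag value, $2 = replacement (SUBSTITUTION_URL or NGINX_BASE_URL)
rewrite_old() {
    printf '%s' "$1" | sed -E -e "s@http://localhost(:8.*0)@$2@"
}

# Rewrite quoted from master: replaces any scheme://host[:port] prefix.
# $1 = current tag value, $2 = GEONODE_LOCATION or GEOSERVER_LOCATION
rewrite_new() {
    location=$2
    printf '%s' "$1" | sed -E -e "s@^(https?://[^/]+)@${location%/}@"
}

# Origin (scheme://host[:port]) of a URL, used to compare against the expected one.
url_origin() {
    printf '%s' "$1" | sed -E -e 's@^(https?://[^/]+).*@\1@'
}

# Returns 0 when the tag value points at the expected origin, 1 otherwise.
check_origin() {
    [ "$(url_origin "$1")" = "${2%/}" ]
}

expected="https://gis.example.org/"   # constructed external URL
for value in \
    "http://localhost:8000/api/o/v4/tokeninfo/" \
    "http://geonode:80/api/o/v4/tokeninfo/"
do
    old=$(rewrite_old "$value" "${expected%/}")
    new=$(rewrite_new "$value" "$expected")
    check_origin "$old" "$expected" && old_ok=yes || old_ok=no
    check_origin "$new" "$expected" && new_ok=yes || new_ok=no
    echo "$value"
    echo "  older rewrite  -> $old (expected origin: $old_ok)"
    echo "  master rewrite -> $new (expected origin: $new_ok)"
done
```

The older expression leaves a value that already reads `http://geonode:80/...` untouched, while the master expression rewrites any origin to the configured location, so the rendered value depends entirely on the location variable being correct.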

@SimonAnnetts

SimonAnnetts commented Oct 24, 2023

I'm seeing this issue on 4.1.3 final running on Docker on Ubuntu 22.04 LTS. I pulled the 4.1.x branch from GitHub up to tag 4.1.3.
I can't seem to find the set_geoserver_auth.sh file in this repo. Any idea how I can fix this, as it's impossible now to edit styles?

@mwallschlaeger
Member

Hey @SimonAnnetts, I figured it out for the Kubernetes deployment, see my PR on zalf-rdm/geonode-k8s#104. I would guide you to check the GeoNode admin interface -> Django OAuth Toolkit -> Applications -> GeoServer and check that the clientID and clientSecret are set. Same thing on the GeoServer side: log in as admin to GeoServer, click through to Security -> Authentication and click on the geonode-oauth2 Authentication Filter. Check if the clientID and clientSecret are the same as in GeoNode. Further, check if the URLs are configured properly.

@SimonAnnetts

@mwallschlaeger thanks for that. Checked and all good now.

@syldor

syldor commented Jul 12, 2024

When deploying with Docker, from a configuration that I thought would work, from another server, I had the same problem of edit style requiring login. I had the client id and keys right, but the URLs for the Access Token and Check Token endpoints were my URL (example.com), but they should be http://geonode:80.

Selection_977

Like this it works.

@giohappy
Contributor

@syldor it's a matter of environmental variables and rendered configurations for Geoserver (which normally happens the first time you deploy the containers).

The exact env variables to check depend on the GeoNode version. Starting from GeoNode 4.2.0 they are expected to be these
