Mix of groups for ReportGeneratorHandler

[fstagni]

I have 2 distinct instances of https://lbcertifdirac70.cern.ch/ running in Chrome, one of them in private mode.
In one of them I have group "dirac_prod". In the other one I have group "dirac_admin". When I make a query to the Accounting (ReportGenerator Handler), independently from which window I do the query, in the log I see something similar to what is below:

2023-03-02 15:27:28 UTC Accounting/ReportGenerator/Authorization [139920823015168] DEBUG: Trying to authenticate DN=/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=fstagni/CN=693025/CN=Federico Stagni group=dirac_prod
2023-03-02 15:27:29 UTC Accounting/ReportGenerator [139920823015168] NOTICE: Executing action ([2001:1458:d00:14::16f]:39966)[dirac_prod:fstagni] RPC/listReports(<masked>)
2023-03-02 15:27:29 UTC Accounting/ReportGenerator [139920823015168] NOTICE: Returning response ([2001:1458:d00:14::16f]:39966)[dirac_prod:fstagni] (0.06 secs) OK
2023-03-02 15:27:41 UTC Accounting/ReportGenerator/Authorization [139920823015168] DEBUG: Trying to authenticate DN=/DC=ch/DC=cern/OU=computers/CN=lbcertifdirac70.cern.ch extraCredentials=('/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=fstagni/CN=693025/CN=Federico Stagni', 'dteam_admin')
2023-03-02 15:27:41 UTC Accounting/ReportGenerator/Authorization [139920823015168] DEBUG: Trying to authenticate DN=/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=fstagni/CN=693025/CN=Federico Stagni group=dteam_admin
2023-03-02 15:27:41 UTC Accounting/ReportGenerator [139920823015168] NOTICE: Executing action ([2001:1458:d00:14::16f]:39986)[dteam_admin:fstagni] FileTransfer/toClient(<masked>)
MainReporter.generate, reportRequest, credDict {'typeName': 'Job', 'reportName': 'Ouput sandbox', 'startTime': 1677684461, 'endTime': 1677770861, 'condDict': {'grouping': ['Grid']}, 'grouping': 'Grid', 'extraArgs': {'lastSeconds': 86400}, 'generatePlot': True} {'subject': '/DC=ch/DC=cern/OU=computers/CN=lbcertifdirac70.cern.ch', 'issuer': '/DC=ch/DC=cern/CN=CERN Grid Certification Authority', 'secondsLeft': 20330600, 'isProxy': False, 'isLimitedProxy': False, 'validDN': False, 'validGroup': False, 'DN': '/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=fstagni/CN=693025/CN=Federico Stagni', 'x509Chain': <X509Chain 3 certs [/DC=ch/DC=cern/OU=computers/CN=lbcertifdirac70.cern.ch][/DC=ch/DC=cern/CN=CERN Grid Certification Authority][/C=ch/O=CERN/CN=CERN Root Certification Authority 2]>, 'properties': ['NormalUser', 'CSAdministrator', 'Operator'], 'group': 'dteam_admin', 'username': 'fstagni'}

Note that above the group is initially "dirac_prod", and then "dteam_admin".

It seems it only affects ReportGenerator.

[chrisburr]

This commit feels fishy but I can't quite persuade myself what the problem is: DIRACGrid/WebAppDIRAC@5370787

Does it go away if you restart the webapp?

[fstagni]

Mmm:

2023-03-02 16:52:30 UTC Framework [140045277136704] DEBUG: dirac.cfg should be at /opt/dirac/etc/dirac.cfg
2023-03-02 16:52:30 UTC Framework [140045277136704] DEBUG: CFG merged
2023-03-02 16:52:30 UTC Framework [140045277136704] DEBUG: Updating configuration internals
2023-03-02 16:52:30 UTC Framework [140045277136704] DEBUG: Updating configuration internals
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG: Refreshing configuration...
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG: Refreshing from list ['https://lbcertifdirac70.cern.ch:9135/Configuration/Server']
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG: Randomized server list is https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG:  Trying to refresh from https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework/DIRAC.Core.Tornado.Client.ClientSelector [140045101033216] DEBUG: Trying to autodetect client for https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework/DIRAC.Core.Tornado.Client.ClientSelector [140045101033216] DEBUG: Using HTTPS for service https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG: Already given a valid url https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework [140045101033216] DEBUG: Already given a valid url https://lbcertifdirac70.cern.ch:9135/Configuration/Server
2023-03-02 16:52:30 UTC Framework [140045101033216] ERROR: No proxy found
2023-03-02 16:52:30 UTC Framework [140045101033216] WARN: Can't update from server Error while updating from https://lbcertifdirac70.cern.ch:9135/Configuration/Server: No proxy found
2023-03-02 16:52:30 UTC Framework [140045101033216] ERROR: Error while updating the configuration Reason(s):
	No proxy found
Traceback (most recent call last):
  File "/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/bin/dirac-webapp-run", line 5, in <module>
    from WebAppDIRAC.scripts.dirac_webapp_run import main
  File "/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/lib/python3.9/site-packages/WebAppDIRAC/scripts/dirac_webapp_run.py", line 17, in <module>
    from WebAppDIRAC.Core.App import App
  File "/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/lib/python3.9/site-packages/WebAppDIRAC/Core/App.py", line 11, in <module>
    from WebAppDIRAC.Core.HandlerMgr import HandlerMgr
  File "/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/lib/python3.9/site-packages/WebAppDIRAC/Core/HandlerMgr.py", line 13, in <module>
    from WebAppDIRAC.Lib.WebHandler import WebHandler
  File "/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/lib/python3.9/site-packages/WebAppDIRAC/Lib/WebHandler.py", line 20, in <module>
    from DIRAC.Core.Tornado.Server.TornadoREST import TornadoREST, TornadoResponse
ImportError: cannot import name 'TornadoResponse' from 'DIRAC.Core.Tornado.Server.TornadoREST' (/opt/dirac/versions/v8.1.0a10-1677745063/Linux-x86_64/lib/python3.9/site-packages/DIRAC/Core/Tornado/Server/TornadoREST.py)

who's hotfixing?

[fstagni]

Restoring TornadoREST as in the release (before the hotifx) cleared the error above.
Also, after WebApp restart I don't see anymore the mentioned error.

[atsareg]

Making explicit imports in TornadoREST resulted in the above error as WebHandler was relying on TornadoResponse import in TornadoREST. This PR DIRACGrid/WebAppDIRAC#731 fixes the issue.

[fstagni]

Making explicit imports in TornadoREST resulted in the above error as WebHandler was relying on TornadoResponse import in TornadoREST. This PR DIRACGrid/WebAppDIRAC#731 fixes the issue.

OK thank. But the original error reported in this issue stands.

[chaen]

That has been observed today in production in LHCb.
Edit: to be precise, I did not have 2 tabs opened. I had a single web app open, but when talking to the ReportGenerator, I was identified as an entirely different user

[fstagni]

Just for completeness, not to forget:

• up to now this impersonation has only been affecting the Accounting (ReportGenerator).
• the ReportGeneratorHandler is one of those services that we have not yet migrated to https (running with DIPS also in DIRAC certif setup)