DataSHIELD installation on Ubuntu - login into Opal fails

For the installation I followed the instructions in the documentation:

https://opaldoc.obiba.org/en/latest/admin/installation.html

The software requirements are met:

openjdk version “1.8.0_312”

mysql Ver 15.1 Distrib 10.3.32-MariaDB

MongoDB shell version v3.6.8

R version 3.6.3

As the VM is a Ubuntu-20.04 distribution I simply installed the debian packages for agate, mica2, rock and opal:

apt-get install opal

apt-get install opal-python-client

apt-get install rock

apt-get install mica2

apt-get install mica-python-client

In R I installed the opalr package:

install.packages("opalr")

The configuration file I left unchanged, because this VM is currently only accessible internally via IP, not a public domain:

https://opaldoc.obiba.org/en/latest/admin/configuration.html

All services, agate, mica2, rock, mariadb, mongod and opal are running; at least according to their statis with:

systemctl status

From within R I can connect to the Rock-server and execute the example on Using R — Opal documentation, successfully.

There is one major problem: I can’t connect to OPAL via the web interface, though. The login page, http://192.168.100.94:8080/ui/index.html, always denies the authentication.

/var/log/opal/rest.log showed only “unknown” for user. Otherwise there is little insight from the logs:

{"@timestamp":“2022-01-11T19:47:09.791+01:00”,"@version":“1”,“message”:"/auth/sessions",“logger_name”:“org.obiba.opal.web.security.AuditInterceptor”,“thread_name”:“qtp1522875398-31”,“level”:“WARN”,“level_value”:30000,“method”:“POST”,“ip”:“10.0.8.4”,“username”:“Unknown”,“status”:“403”}

I thought the default credentials are “administrator/password”. I tried to update the password with

dkpg-reconfigure opal

But any password entered there didn’t change the SHA256 entry in /etc/opal/shiro.ini. I then used

shiro-hasher -p password

to create the hash for “password” which pasted into /etc/opal/shiro.ini:

administrator=$shiro1$SHA-256$500000$TIBDu25yk3IYyUKgRJf2hQ==$Sd/ChI2QCqf4diT5iSVTbSZTt2V6XbNy6/xEiv8NC2k=,admin

I then restarted agate, mica2 and opal. As far as I understand authentication is down by agate, and shiro.ini is part of its configuration.

I still only got. when trying to log in. Capital “A” or not, i.e. “a” (“administrator”) didn’t make any difference either:

[image]

As far as I know, the data, and also user data is held in the mongodb database, right? /var/log/mongodb/mongodb.log didn’t show any connection attempts, though.

I connected on to the mongo shell on the console:

mongo --port 27017

There are no users or roles in the “agate” database defined:

use agate switched to db agate db.getRoles() [ ]

During what part of the installation are the user credentials in agate created? Doing dpkg-reconfigure agate allows to set a password for “administrator”. But there are still now users or roles in the agate database:

use agate; switched to db agate db.getUsers() [ ]

db.getRoles() [ ]

And login in the web interface also still fails.

Hi,

Do you have CSRF errors reported in the application log files (opal.log, mica.log, agate.log)?

By the way, your R version is really old: 3.6, then almost 2 years old, this can be a problem for some R packages. We also recommend also running Rock from a docker image (we provide some and you can build your own), it is much easier to maintain in a production environment.

Regards
Yannick

I found information about creating a CSRF exception in the browser for a site; I configured that in the client’s Chrome browser.

Also, I called the server’s login page with the internal host name, “opal.intern:8080”, instead of the 192.168.100.94, corresponding to the exception I defined in the Chrome.

This made no difference, though. The CSRF error still occurs in the log:

==> /var/log/opal/opal.log <== 2022-01-21 18:56:48,053 [qtp1522875398-34] WARN org.obiba.opal.web.security.CSRFInterceptor - CSRF detection: Host=opal.intern:8080, Referer=http://opal.intern:8080/ui/index.html

/var/log/opal/rest.log

{"@timestamp":"2022-01-21T18:56:48.053+01:00","@version":"1","message":"/auth/sessions","logger_name":"org.obiba.opal.web.security.AuditInterceptor","thread_name":"qtp1522875398-34","level":"WARN","level_value":30000,"method":"POST","ip":"10.0.8.4","username":"Unknown","status":"403"}

I see these CSFR errors in /var/log/opal/opal.log:

2022-01-21 18:40:53,418 [Timer-2] INFO  org.obiba.opal.r.service.RServerManagerService - R server 'rserver' added to cluster: default
2022-01-21 18:41:03,277 [qtp1280512370-27] WARN  org.obiba.opal.web.security.CSRFInterceptor - CSRF detection: Host=192.168.100.94:8080, Referer=http://192.168.100.94:8080/ui/index.html
2022-01-21 18:41:03,292 [qtp1280512370-27] WARN  org.obiba.opal.web.security.CSRFInterceptor - CSRF detection: Host=192.168.100.94:8080, Referer=http://192.168.100.94:8080/ui/index.html
2022-01-21 18:41:08,843 [qtp1280512370-118] WARN  org.obiba.opal.web.security.CSRFInterceptor - CSRF detection: Host=192.168.100.94:8080, Referer=http://192.168.100.94:8080/ui/index.html

The minimum requirements on Installation — Opal documentation require R version 3.6.3. Especially R is known to have packages that run only on certain versions of R (often minor updates break compatibility). Certain packages for the major 3.6 version have never been ported to the 4.x version.

In bioinformatics I had many bad experiences with that, we have to provide several R versions on the cluster.

If there are packages that require version 4.x, then I think it should be listed as the minimum required version in the requirements of the installation.

I can of course install another version of R, but I have to know which is the correct one.

The real problem is that the installation of the “opal”-Debian packages seem not to create a sufficient configuration for a complete environment, if there is no “administrator” user created in the MongoDB.

Opal version 4.3 was released, I upgraded to that by reinstalling the packages: apt-get update apt-get reinstall agate mica2 opal opal-python-client

That seems to have installed agate 2.53, mica2 4.6.5 and opal version 4.3.1. I then restarted the services:

systemctl restart agate; systemctl restart mica2; systemctl restart rock; systemctl restart opal

But the authentication problem persists, and also the CSRF errors. How can I fix those?

Hi,

CSRF protection was added recently and is a bit strict for now (and for sure would need some configuration for a more relaxed usage). You must access Opal through https (default port is 8443 for opal) when not using host with name localhost.

Regarding R, yes R 3.x is minimum but R 4.x is recommended. The limitation that I mentioned with R 3.x is not because of Opal, it is because of the R analysis that you might execute in the R server: it is up to you to anticipate your R needs. To help, we do provide ready-to-use R server images based on the latest R version (and related packages).

Regards
Yannick

Hi Yannick,

thank your for your quick response - after approval of my forum post. (In today’s video drop-in session I was told that this is a minor annoyance - it doesn’t slow me down, the demonstration project is not that urgent.)

Using the https-URL and port on the internal test server does allow me to log in. opal.intern:8443

And there is no more error message in the logs either.

I see about the R version. We are part of the “COMMITMENT”-project in Germany. We want to provide CAD and genomics data.

I don’t know, yet, what analyses and R scripts scientist want to execute on the data. I am working on the technical side providing the infrastructure.

On Ubuntu-20.04 I could update R to version 4.1 through the package manager. I have some familiarity with Docker, but I am struggling with persistency of data in Docker environments. So, I don’t feel like using it in a production environment.

Also, the OPAL-provided dockerfile seemed not to be up to date. There were problems connecting to the rock-server. Thus, we were advised by Hank Cao (Han.Cao@zi-mannheim.de) to use an installation on a classical VM.

Thank you for your help. I will report the progress to the scientists who will start using the installation with a sample project and importing data.

The next step will be to use a public domain and deploy it on our web server. As far as I understood, I have to make the appropriate adjustments in /etc/opal/opal-config.properties for that.

I hope that want be a problem, but as with all IT endeavours, I have feeling that I will post the odd question on this forum.

Thanks for providing that great support!

Best wishes,

Sven

Hi,

Yes, using https is mandatory when not accessing localhost, otherwise your username/password will travel in clear on the network.

You do not need to have opal in docker, just having the R server in docker is (much) more convenient (and you can have several different R servers on the same host, used by the same opal server). There is no data to be persisted in the R server, it is just a pure computation service, so it is perfectly fine to be flexible with these: opal is able to discover the R services at runtime.

As you will work on genetics, with ML apparently, you should consider having the R server(s) running on a separate host, for scalability. Also depending on the nature of the data, you will probably need to design appropriate resources.

The opal docker image is always up-to-date. Make sure your docker engine grabs the latest image for the tag you have chosen.

There is not much to be done in the opal-config.properties file to go live. Your efforts should concentrate on setting up a reverse proxy instead, with the appropriate security settings (and this is not opal specific).

For more advanced support (infrastructure design, data integration), please contact me for a commercial offer.

Regards
Yannick

1 Like