Time
S
Nick
Message
06:40
juancorr joined #dataverse
07:39
jri joined #dataverse
08:17
poikilotherm joined #dataverse
08:42
jri_ joined #dataverse
09:43
pdurbin
rigelk: thanks for posting about https://synalp.frama.io/olki/scifed/ at https://github.com/IQSS/dataverse/issues/5883#issuecomment-499243491 . When I get to work I'm planning on asking our metadata person to take a look.
09:45
pdurbin
rigelk: another thought is that you could reach a lot more people by either following up on https://groups.google.com/d/msg/dataverse-community/hekvbHfD-3w/nN5is0nDAQAJ or by starting a new thread ("SciFed, a standard for federation of scientific activities" or something).
09:55
rigelk
thanks pdurbin - I'll follow up on the subject for now
09:59
pdurbin
Sounds good. I would just suggest emphasizing the schema.org stuff, metadata stuff. People are attracted to Dataverse for the metadata support, for metadata standards support, if that makes sense.
10:11
rigelk
sure!
12:20
poikilotherm joined #dataverse
12:35
donsizemore joined #dataverse
12:35
donsizemore
@pdurbin knock knock?
12:36
pdurbin
donsizemore: good morning!
12:36
donsizemore
@pdurbin how are you sir =) i think my knocking can be cancelled, BTW
12:37
pdurbin
good, because I have a question for poikilotherm :)
12:37
poikilotherm
Morning guys :-)
12:37
poikilotherm
Go ahead
12:38
donsizemore
when is he taking us on a tour of historic german churches?
12:38
pdurbin
poikilotherm: I copied your list of issues with IRC into a Google doc and left a bunch of comments. Please take a look: https://docs.google.com/document/d/18-4MrbSHYhcxvuFs1alAz0Opm_JTkRK2E0bafAxAHSI/edit?usp=sharing
12:38
pdurbin
I'll make a proper comment on the issue you opened but I wanted to start to organize some thoughts.
12:39
pdurbin
donsizemore: are you cool with me merging https://github.com/IQSS/dataverse-jenkins/pull/6 ?
12:40
donsizemore
@pdurbin almost certainly, and will look at those next. got hit with a missing "return to author" button this morning
12:41
pdurbin
yikes
12:41
pdurbin
I hope it comes back. :)
12:41
pdurbin
No rush. I need to bike to work anyway. Thank goodness for fenders.
12:44
poikilotherm
pdurbin ring a bell when you are at work, ready for chat :-)
12:44
donsizemore
@pdurbin merged =)
12:45
poikilotherm
I'll be around for some time, but need to help in getting things sorted out when WissKom conference ends in about 1 hour
12:46
poikilotherm
And I would love to chatter about a possible OpenID Connect option for Dataverse. We *might* need this trying to avoid SAML.
12:47
poikilotherm
(But maybe this is sth. for tomorrow)
13:22
pdurbin
OpenID Connect is how login with OAuth2 works. It's part of it.
13:22
pdurbin
donsizemore: thanks!
13:26
pdurbin
donsizemore: my dev2 box is sick and I'm thinking about just spinning up a fresh one. I'd have to re-point the DNS though.
13:27
donsizemore
@pdurbin i'm all in favor of fresh installs
13:27
pdurbin
yeah
13:27
pdurbin
I hear immutable infra is a thing.
13:28
donsizemore
get off my lawn
13:28
pdurbin
actually
13:28
pdurbin
maybe I can just use my payara 5 box
13:28
pdurbin
I'm wondering about the SVG thing Jamie wrote about.
13:29
pdurbin
donsizemore: but I should keep pushing on the API test thing. Do you have an updated config.xml you were trying to get to work? If so, do you want to push it to a branch or email it to me?
13:29
donsizemore
we wanted to put a small old well logo in our top-left space and the custom typeface bit made it extremely painful
13:30
donsizemore
i think the config.xml in the repo is current, i'll check
13:31
pdurbin
Thanks. I don't see any docker-aio in there.
13:33
donsizemore
oh, i've just been doing that outside-of-band. wanted to see it succeed before bringing the rain
13:33
pdurbin
Sure, want to email it to me?
13:33
donsizemore
i've been running it manually in a clone of develop
13:34
pdurbin
Ah, so I could just ssh into my Jenkins server (once I spin it up again) and try running the docker-aio tests. That's what you're doing?
13:34
donsizemore
yes. i was trying it on the same VM , then would just drop the job in place in jenkins
13:35
pdurbin
Ok, my VM is an EC2 instance but same same.
13:37
pdurbin
donsizemore: also, 0 contributors on metrics. :( I'd like to dig into that at some point.
13:38
pdurbin
https://dataversemetrics.odum.unc.edu/dataverse-metrics/cache/contributors/github.com/IQSS/dataverse/contributors.json is {} :(
13:38
donsizemore
hey, i made a pull request!
13:38
pdurbin
oh?
13:39
pdurbin
You make a lot of pull requests. Which one? Sorry, I'm all over the place, jumping around. In my helmet I can hear, "Stay on target. Stay on target."
13:40
donsizemore
ah, i was back on jenkins
13:40
pdurbin
I just spun up my Jenkins and I'm installing it now. Spun up an EC2 instance I mean.
13:41
pdurbin
Should I run the docker-aio tests as the jenkins user?
13:41
donsizemore
any user is fine
13:41
pdurbin
ok
13:41
pdurbin
I guess I need to install docker.
13:42
pdurbin
I don't think I've installed docker on anything but a Mac.
13:42
pdurbin
yum install docker?
13:43
* pdurbin
tries it
13:45
pdurbin
huh, `su - jenkins` doesn't work the way I expect, doesn't work like `su - centos`
13:45
pdurbin
maybe I'll just run the tests as "centos"
13:47
poikilotherm joined #dataverse
13:51
pdurbin
donsizemore: I might need a hand with this. I'm getting this error: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
13:51
donsizemore
are you in the 'docker' group?
13:53
poikilotherm
Please install Docker from the Docker repo
13:54
poikilotherm
The CentOS provided are IIRC fairly outdated
13:54
donsizemore
oh. yes. you need to install docker
13:54
poikilotherm
https://docs.docker.com/install/linux/docker-ce/centos/
13:54
pdurbin
I did `yum install docker` from base centos. Help!
13:54
poikilotherm
That is pretty good docs :-)
13:54
poikilotherm
It also tells you how to remove those :-D
13:57
poikilotherm
pdurbin you're good or need more help before I start talking about other things?
13:57
pdurbin
I am not good. :)
13:58
poikilotherm
How may I help you?
13:58
pdurbin
I've never installed Docker on Linux before. Only Mac.
13:58
pdurbin
I now have docker-ce-18.09.6-3.el7.x86_64
13:59
poikilotherm
That sounds like a recent CE version from the repos
13:59
pdurbin
Now I need to chkconfig it on and start it?
13:59
poikilotherm
Dude, you are on CentOS 7 :-D
13:59
poikilotherm
Try systemctl :-D
14:00
poikilotherm
systemctl start docker
14:00
poikilotherm
And of course enable it, when you want autostart: systemctl enable docker
14:00
poikilotherm
When you want to run docker commands as non-root, you can follow https://docs.docker.com/install/linux/linux-postinstall/
14:00
pdurbin
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
14:00
pdurbin
This is all great stuff. Thanks!
14:00
poikilotherm
Perfect
14:01
pdurbin
Ok, I'm running ./conf/docker-aio/prep_it.bash
14:01
poikilotherm
That message is just perfect - this is how systemd organizes its "runlevels"
14:01
pdurbin
So I have a little time. :)
14:01
pdurbin
poikilotherm: did you see what I said above about OAuth2?
14:01
poikilotherm
Hehehe. Should be about 3-4 minutes, I guess
14:02
poikilotherm
Yeah
14:02
poikilotherm
Oauth2 is a part of OCID
14:02
pdurbin
well, sort of
14:02
poikilotherm
Alright, OCID extends OAuth2
14:03
poikilotherm
The flow you can have with OAuth2 is standardized with OCID
14:03
pdurbin
My understanding is that when people say "we support OAuth2" they mean a collection of standards including OpenID Connect.
14:03
poikilotherm
Nope, that would be very misleading
14:03
pdurbin
Let me see if I wrote about this in the guides.
14:03
poikilotherm
OCID is a standard using OAuth2
14:04
poikilotherm
https://openid.net/connect/
14:04
pdurbin
When you are saying OCID are you talking about ORCID with a misspelling or OpenID Connect?
14:05
poikilotherm
OpenID Connect
14:05
pdurbin
It looks like I didn't write anything about OpenID Connect at http://guides.dataverse.org/en/4.14/installation/oauth2.html which is good because I probably would have gotten it wrong. :)
14:05
poikilotherm
I misspelled anyway
14:05
pdurbin
Shouldn't it be OIDC instead of OCID? Am I being OCD?
14:05
poikilotherm
The abbrev is OIDC
14:06
pdurbin
ok
14:06
pdurbin
let me go read again what you wrote
14:07
pdurbin
Ok, I think we're on the same page. Do you want to keep going with this or can I show you and donsizemore all the docker errors I'm seeing?
14:07
poikilotherm
Go aheas
14:07
poikilotherm
-s+d
14:08
pdurbin
ERRO[0000] failed to dial gRPC: cannot connect to the Docker daemon. Is 'docker daemon' running on this host?: dial unix /var/run/docker.sock: connect: permission denied
14:08
pdurbin
context canceled
14:08
pdurbin
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Delete http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/dv?force=1: dial unix /var/run/docker.sock: connect: permission denied
14:08
poikilotherm
Sudo or no sudo, that's the question :-D
14:08
pdurbin
I'm the "centos" user and I'm not using sudo. I'm on EC2.
14:09
poikilotherm
Yeah, did you follow the linux post install tasks then?
14:09
pdurbin
On my Mac I don't have to use sudo with Docker.
14:09
pdurbin
No, I didn't.
14:09
poikilotherm
[16:00] <poikilotherm> When you want to run docker commands as non-root, you can follow https://docs.docker.com/install/linux/linux-postinstall/
14:09
poikilotherm
;-)
14:10
pdurbin
I have to do all this stuff?
14:10
poikilotherm
You already did parts of it
14:10
pdurbin
groupadd: group 'docker' already exists
14:10
poikilotherm
Like the enable
14:11
poikilotherm
Great
14:11
poikilotherm
Then just add centos to docker group
14:11
poikilotherm
And remember to either logout, start a new shell or do crazy stuff
14:11
poikilotherm
Otherwise current process is not running in group docker
14:11
poikilotherm
(process = shell here)
14:11
pdurbin
ok, I'll log out and ssh back in
14:11
poikilotherm
Perfect
14:12
poikilotherm
Hacky way: exec su -l centos
14:12
poikilotherm
;-)
14:12
pdurbin
I'm fine adding centos to the group.
14:13
poikilotherm
Err that would have to be done AFTER adding centos to the group
14:13
poikilotherm
You can use the command from the docs or use your own way :-)
14:15
pdurbin
I'm confused but don't worry about it. :)
14:17
pdurbin
This is called "reproducible builds", right? :)
14:19
poikilotherm
Ehm you are just installing things... Things go crazy later :-D
14:26
pdurbin
I'm getting some surprising errors: ./glassfish-setup.sh: line 285: pushd: /usr/local/glassfish4/bin: No such file or directory
14:26
pdurbin
again, this is from ./conf/docker-aio/prep_it.bash
14:27
pdurbin
larsks: the JOSS patch didn't help, I hear: https://github.com/IQSS/dataverse/issues/5910#issuecomment-499513949
14:29
pdurbin
hmm, this isn't a good sign: Error processing tar file(exit status 1): write /opt/dv/testdata/scripts/installer/dvinstall.zip: no space left on device
14:29
poikilotherm
Sounds like your VM was a bit small :-D
14:29
pdurbin
t2.large
14:30
pdurbin
1.3G avail
14:33
pdurbin
I just created https://github.com/IQSS/dataverse-jenkins/pull/7 if you or donsizemore would like to take a look.
14:35
pdurbin
I terminated my EC2 instance and I'm spinning up a fresh one.
14:36
pdurbin
poikilotherm: we can talk about your stuff if you want. OIDC or chat or whatever.
14:36
pdurbin
Thanks to both of you for getting me unblocked.
14:36
poikilotherm
Let's talk about OIDC first then
14:36
poikilotherm
Some background
14:36
poikilotherm
I would really appreciate skipping setup of Shibboleth
14:37
poikilotherm
Talked with dataverse friends at Göttingen
14:37
poikilotherm
Shibboleth is taking ages (5 minutes) to load the federation
14:38
poikilotherm
As it needs to be deployed with the proxying http server, that's totally a no-go
14:38
poikilotherm
(IMHO)
14:38
poikilotherm
So I've been thinking
14:38
poikilotherm
As far as I understood things, you guys already have OAuth2 for ORCID, Github and Google
14:38
donsizemore
@poikilotherm are you using the "light" feed?
14:39
poikilotherm
They have been using the edugain feed. Dunno if this is light or not
14:39
donsizemore
(and by "light" I meant IDP-only)
14:39
donsizemore
<MetadataProvider type="XML" url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml" backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">
14:39
poikilotherm
No InCommon here!
14:39
donsizemore
ah
14:40
donsizemore
for us it's a much smaller feed without all the SPs
14:40
donsizemore
thought that counts
14:40
poikilotherm
I can ask Doro from Stuttgart which one they had.
14:40
poikilotherm
Anyway, there will be issues
14:41
poikilotherm
From what we have seen with GitLab, a lot of IdPs will not send email attribute
14:41
donsizemore
correct
14:41
poikilotherm
In Gitlab this means no login possible
14:42
poikilotherm
IIRC in Dataverse it's the same
14:42
donsizemore
ePPN
14:42
poikilotherm
Not sure everybody sends that
14:42
donsizemore
which is not e-mail but typically maps
14:42
donsizemore
a lot of ID MGMT groups won't
14:42
poikilotherm
SAML is a total nightmare :-(
14:43
poikilotherm
As long as you control both ends, SP + IdP, it will be working just fine
14:43
pdurbin
As I told Peter here, I'd like to make email optional in Dataverse's Shibboleth implementation some day: https://groups.google.com/d/msg/dataverse-community/7FwrzfIQZfY/4p5A3VFIBgAJ
14:43
poikilotherm
Yeah
14:43
pdurbin
just like Dataverse's OAuth2 implementation
14:44
poikilotherm
Recently Shibboleth introduced support for OAuth 2.0
14:44
pdurbin
Huh, interesting.
14:44
poikilotherm
Our Shib instance does not support this yet
14:44
poikilotherm
And this is widely untested
14:44
poikilotherm
Anyway, SAML has a few other drawbacks here
14:44
poikilotherm
Like the complicated setup
14:45
poikilotherm
OAuth is much more lightweight here
14:45
poikilotherm
And the UI implementation in Dataverse is much better
14:45
poikilotherm
Younger :_D
14:45
pdurbin
newer
14:45
pdurbin
we learned some lessons :)
14:45
pdurbin
shib was first, oauth2 second :)
14:45
poikilotherm
So I was wondering if it might be a plan, to use sth. like Keycloak to setup our own OAuth provider or reuse our Gitlab
14:46
poikilotherm
I could hook Keycloak to our Active Directory
14:46
pdurbin
Create users in GitLab and use those accounts to log into Dataverse?
14:46
poikilotherm
Yeah
14:46
poikilotherm
All of this is possible
14:46
poikilotherm
BUT
14:46
poikilotherm
big but
14:46
pdurbin
What if you created a GitLab OAuth provider?
14:47
poikilotherm
OAuth2 can be used with this only with specific providers
14:47
poikilotherm
That's because OAuth has been designed for authorization flows
14:47
poikilotherm
Not authentication flows
14:47
poikilotherm
You can use it, but it might differ from provider to provider
14:47
poikilotherm
As you can see with ORCID, Github and Google
14:48
poikilotherm
That's why I would try to go for OIDC
14:48
poikilotherm
Which itself builds on OAuth2, but is a standard
14:48
poikilotherm
So (at least in theory) should be interoperable between different providers without a need for multiple client implementations
14:50
poikilotherm
Gitlab is offering this, too, in addition to OAuth2 flow
14:50
pdurbin
So you're thinking of using GitLab or Active Directory as your identity provider. Is that right?
14:50
poikilotherm
For using AD as provider, you will need something translating between LDAP and OIDC
14:50
poikilotherm
(Like keycloak or other OIDC providers)
14:51
poikilotherm
But yes
14:51
poikilotherm
This would be a good addition to using ORCID
14:51
poikilotherm
Some people refuse to use ORCID
14:52
poikilotherm
On the other hand, there could be collaborators not being part of eduGain
14:52
poikilotherm
Using something more flexible would be cool here ;-)
14:52
pdurbin
pameyer was able to allow Active Directory users to log into Dataverse and documented it here: http://guides.dataverse.org/en/4.14/installation/shibboleth.html#shibboleth-and-adfs
14:52
poikilotherm
At least we can reliably offer local accounts for our employees
14:53
poikilotherm
Yeah. I am aware of this. We already have an IdP in place, using our AD
14:53
pdurbin
ok
14:53
poikilotherm
But that would involve setting up and using Shibboleth
14:53
poikilotherm
Which I would like to avoid
14:53
pdurbin
Have you seen this comment by knikolla at https://github.com/IQSS/dataverse/issues/4383#issuecomment-363191809 ? There are chat logs I can link you to as well.
14:54
poikilotherm
Nice. He is already mentioning OIDC
14:55
pdurbin
Here's the chat with him: http://irclog.iq.harvard.edu/dataverse/2018-02-05#i_63021
14:55
poikilotherm
Having direct support in Dataverse for OIDC might be a good idea
14:55
juancorr joined #dataverse
14:56
poikilotherm
But of course, maybe a general auth provider using env vars is a good idea
14:56
pdurbin
That seemed to be his idea. env vars.
14:56
poikilotherm
Adding flexibility to use http headers instead of env vars would be a good idea
14:57
poikilotherm
So you get unbound from AJO
14:57
poikilotherm
AJP
14:57
poikilotherm
Support for remoteip headers should be added, too ;-=
14:57
poikilotherm
So IP groups work
14:58
poikilotherm
Not on K8S anyway :-D
14:58
pdurbin
:)
14:59
poikilotherm
(K8s proxies things and has no support for X-Forwarded-For yet)
15:00
poikilotherm
(One could try with ingress-nginx)
15:00
poikilotherm
Anyway
15:00
poikilotherm
I am not sure what would be a better approach
15:01
poikilotherm
Maybe the header stuff. Could be beneficial for Shib tpp
15:01
poikilotherm
too
15:01
pdurbin
Could be. How do you feel about my idea of adding a 4th OAuth2 provider? GitLab! :)
15:02
poikilotherm
Bad. Sry, but adding another non-standard flow...
15:02
poikilotherm
GitLab supports Open ID Connect
15:02
poikilotherm
(as a provider)
15:05
poikilotherm
I really like standards
15:05
poikilotherm
You could easily use Gitlab then
15:06
pdurbin
Huh. It would be the same as adding an OAuth2 provider for Twitter or Facebook, right?
15:06
pdurbin
Is that a bad idea too?
15:07
poikilotherm
Well, you are adding a lot of code duplication with that.
15:07
poikilotherm
All those implementations need to be maintained
15:07
poikilotherm
With Open ID Connect you should be able to have ONE implementation
15:07
pdurbin
True. It's an imperfect world. :)
15:08
poikilotherm
That's why I am all into standards
15:08
pdurbin
I think I'm failing to understand you. I think we're already using OpenID Connect. You seem to be saying we aren't.
15:08
poikilotherm
You aren't
15:08
pdurbin
bummer
15:08
poikilotherm
You are using OAuth2
15:09
poikilotherm
https://www.gluu.org/blog/oauth-vs-openid-whats-the-difference/
15:10
poikilotherm
Literally everyone uses OAuth2 in a different way to do authentication
15:11
poikilotherm
That's why using OpenID Connect is important. It is a profile for OAuth2, but when everybody talks it, standards are very powerful ;-)
15:11
pdurbin
I can tell you that ORCID is XML and Google and GitHub are JSON.
15:11
pdurbin
So I believe you that everyone does things differently.
15:12
poikilotherm
You can also see this at https://oauth.net/articles/authentication/
15:13
poikilotherm
"OAuth 2.0 is not an authentication protocol."
15:13
poikilotherm
:-D
15:13
pdurbin
I'm still reading the gluu article.
15:13
poikilotherm
Auth on Auth means Authorization :-D
15:13
poikilotherm
s/Auth/OAuth/
15:13
pdurbin
authz
15:14
poikilotherm
Yeah
15:14
poikilotherm
Authn and Authz
15:14
poikilotherm
:-)
15:14
poikilotherm
Good ol' Apache
15:14
pdurbin
this gluu article repeats itself and is kind of a mess
15:15
poikilotherm
That OAuth article might be more helpful
15:15
poikilotherm
Much more into detail
15:15
poikilotherm
Guys, I gotta go
15:15
poikilotherm
Read you tomorrow
15:15
pdurbin
yeah, I'm on that one now
15:15
pdurbin
thanks
16:02
pdurbin
rigelk: I just showed our metadata guy your comment at https://github.com/IQSS/dataverse/issues/5883#issuecomment-499243491 and https://synalp.frama.io/olki/scifed/ and asked him to keep an eye out for your email to the google group.
16:20
rigelk
pdurbin Thanks for relaying! I have just created a Google account for the occasion - it won't be the same email address but I'll make the link between the two clear.
16:33
pdurbin
sounds good, thanks
16:34
pdurbin
The thing he and I were wondering about is if the Dataverse community has much interest in ActivityPub. Michael is clearly interested but he's a geek like us. Time will tell if real users find it compelling. :)
17:27
rigelk
If we frame the feature as a dissemination improvement, users won't see the difference (unless there is a gap with OAI-PMH… which is possible, I don't really know what the limitations you feel with OAI-PMH are)
17:29
rigelk
often users see the obvious interactivity gain when commenting from one platform to the other, but since Dataverse doesn't have comment feeds for instance… I don't know :/
17:51
pdurbin
Right. Dataverse has a "Contact" button on datasets that you can use to fill in a form that sends an email to the dataset author. Not very sophisticated.
20:27
sivoais joined #dataverse
21:13
poikilotherm joined #dataverse
21:47
pdurbin_m joined #dataverse
21:59
poikilotherm
Hey pdurbin_m, couldn't you tweet with @dataverseorg that you are looking for someone with JSF experience?
21:59
poikilotherm
Maybe some of dataverse friends have a dev at hands
21:59
poikilotherm
Who knows - bunch of people out there
22:00
poikilotherm
Follower power!
22:00
pdurbin_m
I don't control that account.
22:01
poikilotherm
But you could ask, right?
22:01
pdurbin_m
I'd probably just ask Kito Mann.
22:02
pdurbin_m
or techni
22:03
poikilotherm
Sure. Volunteering to help talking to people when you need help. Just ask :-)
22:04
pdurbin_m
Kito came to Mike's JSF talk at JavaOne. And we had beers.
22:05
poikilotherm
Sounds promising
22:08
pdurbin_m
techni is phillipross on GitHub. pretty active in payara land
22:10
poikilotherm
Yeah, I know. We had some loose contact
22:10
pdurbin_m
poikilotherm: did you see my feedback on your chat issue? this: https://docs.google.com/document/d/18-4MrbSHYhcxvuFs1alAz0Opm_JTkRK2E0bafAxAHSI/edit?usp=sharing
22:10
poikilotherm
Yeah.
22:10
poikilotherm
But no more talking on this for today. It is 00:10 over here
22:11
poikilotherm
Looking into OIDC as a bed time story
22:11
pdurbin_m
heh, ok
22:12
poikilotherm
Looks like a lot of stuff from OAuth providers can be reused
22:12
poikilotherm
Should be fairly easy to implement
22:13
pdurbin_m
cool
22:18
pdurbin_m
Kito was into web components the last time I talked to him.
22:18
pdurbin_m
polymer
22:18
pdurbin_m
stuff I don't keep up with
22:39
poikilotherm joined #dataverse