Error when saving a concept set or cohort definition. A popup appears and says "An error occurred while attempting to save a concept set."

Any time I, whose account is an admin and has all rights granted within the configuration menu, try to save a concept set, a popup appears telling me an error has occurred.

Looking into the error using Chrome's developer tools:

index.js:199 POST https://ourserveraddress:8443/WebAPI/conceptset/ 500

sendRequest @ index.js:199
sendRequest @ http.js:71
doPost @ index.js:273
saveConceptSet @ ConceptSet.js:65
saveConceptSet @ conceptset-manager.js:471
await in saveConceptSet (async)
save @ conceptset-manager.js:513
(anonymous) @ knockout-latest.js:90
dispatch @ jquery.js:5226
elemData.handle @ jquery.js:4878

http.js:18 Oooops!.. Something went wrong :frowning:

handleUnexpectedError @ http.js:18
checkStatusError @ http.js:42
afterRequestHook @ http.js:83
(anonymous) @ index.js:206
Promise.then (async)
sendRequest @ index.js:205
sendRequest @ http.js:71
doPost @ index.js:273
saveConceptSet @ ConceptSet.js:65
saveConceptSet @ conceptset-manager.js:471
await in saveConceptSet (async)
save @ conceptset-manager.js:513
(anonymous) @ knockout-latest.js:90
dispatch @ jquery.js:5226
elemData.handle @ jquery.js:4878

Not sure what the error refers to; the permissions on the database seem to be set correctly so as to allow the proper user access. If there is a different place that things are being saved to, I can look into the permissions there.

Any help would be hugely appreciated.

Best,
Alex

I had something similar when the resources on the WebAPI postgres instance were limited. Check to see that your webapi PG instance is running smoothly.

Right, the 500 is an internal server error, so the information you get to the client isn’t too helpful (to protect the innocent) but if you check your WebAPI logs, you should see a very detailed exception about the root cause of the error.

Thank you for the reply and the tip.
I checked the catalina.out log and have found the following error:
2022-02-04 10:45:24.802 ERROR https-jsse-nio-8443-exec-3 org.ohdsi.webapi.security.listener.EntityInsertEventListener - - java.lang.RuntimeException: Role doesn’t exist
java.util.concurrent.ExecutionException: java.lang.RuntimeException: Role doesn’t exist

It seems to be the correct one, as it appeared right after I tried to save the concept_set.
Does this mean the role I am logging into ATLAS with, or the role that connects to the db tables?
I am logged in using AD/LDAP, and the username is the same as the one in the sec_user and sec_user_role tables that define what my user can do, but I am not sure if I need to add more info or not.
The ohdsi_admin and ohdsi_app_user roles have access to the webapi schema and the concept_set table.
I’m hoping you have another step I could take to rectify this error.

Thank you for the help!!

So, I’m afraid I don’t have a lot of expertise on the security configuration front. I do know that there are some default roles that come pre-packaged with WebAPI (admin, public) so I am not sure which role it is reporting does not exist. It would be a good enhancement to WebAPI to find where that error is reported, and add the role to the message that it is trying to locate. Other members of the community with experience in configuring security may have seen this message, so hopefully they can chime in with any additional ideas.

Have you solved this issue? I am facing the same problem.

Hi, I am experiencing the same issue. Was a solution ever found?

Same problem, any solution?

Same problem here. The weird thing is that I have a couple of users that have the same roles assigned to them, and some of them can save a concept set and some of them cannot. Any tips would be greatly appreciated.

I also checked the database webapi tables to see what permissions etc. are assigned to users who are able to save the concept sets as opposed to the ones who cannot. The DB query returned the same set of permissions for both groups. Was anybody able to resolve the issue?

Unfortunately, despite trying different configurations, I haven’t found a solution. To compare our situations, here’s the error message that pops up in ATLAS. Is this the same in your case?
image
I have tried using all the default roles, creating custom ones with full permissions, and also creating roles with only the permissions related to concept sets and others.
Could you confirm which version of WebAPI and ATLAS you’re using? My versions are:

  • ATLAS Version: 2.14.1 (Release Notes)
  • WebAPI Version: 2.14.0 (Release Notes)

This was a problem on the instance on which I have access to the web API logs. I printed out the Role name in this line of the getRoleByName method in PermissionManager.java and found out that it was looking for the same role as the user’s email.

Please note that in my case, the user gets authenticated by their email address.

The line now is throw new RuntimeException("Role doesn't exist: " + roleName);. I am not sure why it was looking for this role, and it would be helpful to find out.

I checked this as well, and you’re right. In my case, it seems to be looking for the email/username. However, I tried inserting a role with the role name equal to my email, and it doesn’t seem to work.
On your side, does using the email as the role name work?

I see that the function looks for system_role = false, so I set up the role in sec_role with false as system_role. Now it seems to find the role with the name equal to the username/email used.
But it still does not work. From catalina.out:
2025-02-18 09:39:14.078 INFO SimpleAsyncTaskExecutor-1 org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl - - HHH000010: On release of batch it still contained JDBC statements
2025-02-18 09:39:14.079 ERROR SimpleAsyncTaskExecutor-1 org.hibernate.engine.jdbc.batch.internal.BatchingBatch - - HHH000315: Exception executing batch [java.sql.BatchUpdateException: Batch entry 0 insert into webapi.SEC_PERMISSION (DESCRIPTION, VALUE, ID) values (‘view conceptset definition with id 21’, ‘conceptset:21:get’, 727) was aborted: ERROR: duplicate key value violates unique constraint “pk_sec_permission”
Detail: Key (id)=(727) already exists. Call getNextException to see other errors in the batch.], SQL: insert into webapi.SEC_PERMISSION (DESCRIPTION, VALUE, ID) values (?, ?, ?)
2025-02-18 09:39:14.080 WARN SimpleAsyncTaskExecutor-1 org.hibernate.engine.jdbc.spi.SqlExceptionHelper - - SQL Error: 0, SQLState: 23505
2025-02-18 09:39:14.080 ERROR SimpleAsyncTaskExecutor-1 org.hibernate.engine.jdbc.spi.SqlExceptionHelper - - Batch entry 0 insert into webapi.SEC_PERMISSION (DESCRIPTION, VALUE, ID) values (‘view conceptset definition with id 21’, ‘conceptset:21:get’, 727) was aborted: ERROR: duplicate key value violates unique constraint “pk_sec_permission”
Detail: Key (id)=(727) already exists. Call getNextException to see other errors in the batch.
2025-02-18 09:39:14.080 ERROR SimpleAsyncTaskExecutor-1 org.hibernate.engine.jdbc.spi.SqlExceptionHelper - - ERROR: duplicate key value violates unique constraint “pk_sec_permission”
Detail: Key (id)=(727) already exists.
2025-02-18 09:39:14.096 ERROR http-nio-8080-exec-7 org.ohdsi.webapi.security.listener.EntityInsertEventListener - - javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute batch

The error seems to be related to an insertion on sec_permission.

In my case, adding the user’s email address as a role resolved the issue.

These roles with email addresses should be created automatically when a new user is created. I don’t understand why this occurred for some users but not for others.

Did you assign the role with the user’s email address to the user?

I think you would need to investigate your permissions. You might need to clean them up or, if possible, revert to the default permissions.

It would be valuable to hear from the web API developers regarding this issue.

I’m going to post to our teams channel for devs familiar with that subsystem to chime in.

From my understanding, when a new user authenticates for the first time, it should create a role for that user that follows their user name (which can be their email address if that’s how the authentication mechanism works in this case). This user-role is used to contain user-level security assignments such as which assets they have read/write access to. It might make sense that when you tried to create a new concept set it attempted to find the user-role that contains the entity permissions, but it couldn’t find the one for the user to assign the concept set permissions to, and it failed.

Which makes it make sense that the solution (create the user’s role manually) fixed it, but doesn’t explain why the user’s role wasn’t created in the first place. Maybe you could do a test on your local environment to have a new person log into the system, and check the SEC_ROLE table for a new role created for the new user?

That’s how (using my local installation and adding a new user) I discovered that the user was missing a role named after their email address. Adding this role resolved the error, but the sec_role_permission table for this role does not have any entries. I’d appreciate it if you could explain how this is all intended to work. Is there any documentation on how to add a new user and assign the necessary permissions to the newly created user?
Is this a required first step for a user to authenticate? And only after successful authentication can roles and permissions be added to the user?

As always, your help is greatly appreciated.

This is what I have quickly:

and…

But, to your question about the physical tables:

SEC_USER: contains list of users
SEC_ROLE: identifies Roles. Roles are simply a container to group permissions that have been granted. If role A has Permissions P1 and P2, any person assigned the role A will have permissions P1 and P2.
SEC_PERMISSION: identifies the permissions. The value of the permission represents a path to a REST endpoint. In Atlas 3.0, we will be simplifying this permission mechanism so that you don’t need to know REST endpoints to understand security.
SEC_ROLE_USER: associates users to roles. When a new user logs in, they should get a new record in SEC_USER, a new role (same name as user) for the user should automatically be created in SEC_PERMISSION, and then the user is associated to this role in SEC_ROLE_USER.
SEC_ROLE_PERMISSION: Associates permissions to roles, as in role A has permission P1, P2 and P3.

Hope that clarifies the tables in use. It would be great if you could replicate the issue where a user’s role is not created by default. By default, a user should be put into the ‘Atlas User’ role, as well as the user-specific role that is created for the user.
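
An added example, not part of any post in this thread and not WebAPI code: a query that lists users whose per-user role (a role named after their login, with system_role = false, linked to the user) is missing, mis-flagged, or unassigned, which are the three states discussed above. It runs against a constructed in-memory SQLite copy of the tables; the column names `login`, `name`, `user_id` and `role_id` and the link-table name `sec_user_role` are assumptions to check against your own webapi schema.

```python
import sqlite3

# Constructed miniature of the WebAPI security tables named in the thread.
# Assumed column names: login, name, user_id, role_id (system_role is from the thread).
SCHEMA = """
CREATE TABLE sec_user (id INTEGER PRIMARY KEY, login TEXT);
CREATE TABLE sec_role (id INTEGER PRIMARY KEY, name TEXT, system_role INTEGER);
CREATE TABLE sec_user_role (user_id INTEGER, role_id INTEGER);
-- Constructed sample rows: alice is healthy, the other three are each broken differently.
INSERT INTO sec_user VALUES (1,'alice@example.org'),(2,'bob@example.org'),
                            (3,'carol@example.org'),(4,'dave@example.org');
INSERT INTO sec_role VALUES (10,'public',1),(11,'alice@example.org',0),
                            (12,'carol@example.org',1),(13,'dave@example.org',0);
INSERT INTO sec_user_role VALUES (1,10),(1,11),(2,10),(3,10),(3,12),(4,10);
"""

# One row per user whose personal role would not be found or is not usable.
GAP_QUERY = """
SELECT u.login,
       CASE WHEN r.id IS NULL        THEN 'no role named after user'
            WHEN r.system_role <> 0  THEN 'role flagged as system_role'
            ELSE                          'role not assigned to user'
       END AS problem
FROM sec_user u
LEFT JOIN sec_role r       ON r.name = u.login
LEFT JOIN sec_user_role ur ON ur.user_id = u.id AND ur.role_id = r.id
WHERE r.id IS NULL OR r.system_role <> 0 OR ur.role_id IS NULL
ORDER BY u.login
"""

def build_sample_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def find_role_gaps(conn):
    """Return (login, problem) for every user without a usable personal role."""
    return conn.execute(GAP_QUERY).fetchall()

if __name__ == "__main__":
    for login, problem in find_role_gaps(build_sample_db()):
        print(f"{login}: {problem}")
```

Comparing the output for users who can save a concept set against those who cannot shows whether the missing per-user role is what separates the two groups.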

On my local installation, if I try to access with a new user, it doesn’t create any new role named after the username.
For the installation and all steps, I followed the Basic-Security-Configuration.md and the other .md files in the same folder of the webapi.wiki GitHub.
Also, in my configuration, manually adding the username as a role works.

That sounds like a bug: new users should get the role created for them to assign their permissions. I’ll have to investigate this with the broader developer team.

Thanks for raising this.