3 27 2023 Tech Team Report - QualitativeDataRepository/TechnicalTeam GitHub Wiki

3-27-2023

Logged Tasks

Date Task Hours (Main) Hours (EOLS) Hours (PII) Hours (QDAS)
20-Mar-2023 Report, meeting, continue trying to connect from docker to mysql, switch to running maria container, set up local volume, rebuild realm and client, test, test restarts, try changing provider in DV to connect account, coord re: DataCite script 7
21-Mar-2023 Merge dev with PermaLinks and AuthFilter changes, investigate using old AuthFilter for passive login 6
22-Mar-2023 Merge open PRs, try auth filter generating passive prompt:none request to Keycloak, investigate errors, try ~sso 5
23-Mar-2023 Match scopes between drupal/dv, test passive DV login, try synchronized for errors, change to maxAge -1, investigate using qdr_sso, try w.o shib_auth, create new qdr_oidc_sso module instead 5
24-Mar-2023 Finish initial qdr_oidc_sso module, update drupal on dev/stage to 9.5.6 then 9.5.7, update keycloak module/merge with our edits, investigate new stage, add php ext-curl for composer, install drush, explore ldap password issue, explore/locally fix a11y link issue on stage 5
25-Mar-2022 Coord re: ldap config on stage, test 1

SSO

  • Figured out a way to run Keycloak with a persistent database. I initially tried to connect to our existing MySQL instance (used for Drupal), but switched to running MariaDB in a second container with a persistent volume. (This solves the immediate issue. We can revisit later - perhaps moving our existing Drupal and MySQL db into containers or moving Keycloak out, etc.)
  • Rebuilt the realm and client configs, tested persistence, updated client secrets and verified direct login from Drupal and Dataverse
  • Merged with the IQSS develop branch to incorporate the latest, including PermaLinks/PID provider refactoring, and refactoring of the API authentication mechanism.
  • Adapted the old unused AuthFilter to attempt a passive OIDC login, ~mirroring what we do for Shibboleth with JavaScript. Not sure yet if the filter is a better approach, but it was quicker to develop since I could reuse the existing OIDC to generate the required call. (FWIW: We may be able to simplify by always logging into Drupal and then having a passive login at Dataverse, versus our current approach where initial login can happen in either component and both have to support passive login.) After initial failures, added the 'profile' scope to Drupal's request so that login there matched the scopes used in Dataverse.
  • Limited the filter to only run for main page requests and used a synchronized (thread-safe) section to avoid log errors.
  • Dropping Shibboleth in Drupal meant disabling our qdr_sso and other modules that coordinate links between DV and Drupal and handle logout. I investigated how to remove the Shibboleth-dependent aspects of our modules and decided to start creating a new qdr_oidc_sso module stripping out the obsolete code.
  • Merged the new beta8 version of the keycloak module with our custom changes - the update reduced the amount of custom code needed.

Drupal

  • Update to 9.5.6 and then 9.5.7 on dev/stage

Dataverse

Operations

  • Investigate new stage machine, install php ext-curl module, install drush, patch google-analytics module for php 8.x, explore/locally fix link accessibility issue, coord re: setting the ldap admin password, test.

Discussion

  • By default, links on stage are now underlined. This leaves some still w/o underline: Dataverse facets, some of the Drupal contents managed by the theme. From here, I can either add underlines for those, leave things as is, or remove underlines in more places that don't have the accessibility issue.
  • In the meeting with DataCite, we came to a consensus that their current script is primarily targeting very simple repositories and that supporting Dataverse well would take some work on their part or ours. The next step is a meeting with their developer to convey more details about our use cases and how they might adapt their current script and API to help.

Plans

  • SSO - continue to explore/build OIDC options
    • Continue to investigate SSO options, particularly handling logout and restoring cross-links between DV and Drupal
    • Investigate Keycloak to LDAP connection for new users, ability to handle registration, replace LDAP, etc.
    • Investigate ways to simplify user interface (multiple clicks to get through Keycloak)
  • Matomo - help with transition from Google
  • AnnoRep - explore round-trip
  • Dataverse
    • Make PRs for SHA512/non-MD5 support in direct upload
    • Make PR for accessibility fix (once finalized)
    • Make PR for guestbook adding datasetversion fix, deploy to stage
    • Continue towards guestbook at request based on ADA's original work
    • Popup info accessibility - IQSS likes the recommendations from the source I linked to, so this can be implemented along those lines.
  • Drupal - v10 - review compatibility and start updates.
  • QDAS Previewer
    • Updates per request
    • Investigate writing aux file/previewing lower-sensitivity version and/or other write options
  • TBD: FRDR Security