Kaltura Media Center kmc1 file

I have a brand new installation of kaltura all-in-one via the docker installation. Docker is running on Fedora 26 atomic, also new.

I have run the setup script, and it completed successfully when I told it to use http instead of https. The admin console seems to work fine as far as I can tell.

The KMC application, however, is blank. My browser (Firefox 54) complains of an error in the file kmc1. (no extension). It appears to be an html file where the php code was left in, and the php code is giving me errors in my browser. I cannot locate a file named “kmc1” (no extension). Are there any suggestions as to how I can debug this?

Hello @bryce_nordgren,

The most common reason for this is that you’ve logged into KMC using the Admin Console credentials [the ones provided during the installation process]. If that’s the case, please log out of KMC, go to Admin Console->Publishers->Add new Publisher. You will then get an email with a link to set the passwd for this new partner/publisher. Once that’s done, use that email to log into KMC. You can also log in directly from Admin Console by going to Publishers->your partner->Actions->Manage.

If that’s not your case, please open your browser’s dev tools, try to log in and check for failing requests under the “Network” tab and for errors under the “Console” tab. In parallel, right before trying to log in, from a root shell on the server, run:
# . /etc/profile.d/kaltura*base.sh
# kaltlog

And paste the output here for further analysis.

I think your assessment is accurate. The flow was as follows:

  • Open the main page
  • Click on link to “Admin your platform backend”, at which point I needed to log in as the admin user.
  • I made another user, because I was told to make another user. I have since determined that I probably should have made a “publisher”(?)
  • I went back to the tab with the main page and clicked on “Manage specific accounts”.
  • I think I was already logged in at this point, but the "Hi " didn’t have my name.
  • I switched back over to the admin tab and made a publisher, also set the password on the account.
  • Switching to the “Manage specific accounts” tab (the KMC), I discovered the Logout button didn’t work.
  • I killed the browser and logged directly in to the KMC as the “publisher”, (not the user).

So is there any way to have both the KMC and the admin portal open in different tabs at the same time?

Hi @bryce_nordgren,

I’m not sure I understand what the issue is.
What exactly happens when you have both Admin Console and KMC open in the same browser? It shouldn’t be an issue, I have them both open all the time.
The only important thing to note is that you shouldn’t log in to KMC with the Admin Console credentials but rather, use those of the partner/publisher that you created.
In Admin Console, you don’t need to create another ‘user’ [from the “Users” tab], you need to create a new publisher [from the “Publishers” tab] and use that to log in to KMC.

Hi @jess,

It seems that the failure mode, when one attempts to log into the KMC with an admin account, is to remove the option to log in and provide a non-functional logout button. To reset and try again, you need to quit the browser. A better failure mode may be to simply disallow the login.

I’m still positive I don’t understand the relationship between users and publishers. Initially, I thought users could log in both places. Then when it turned out not to be so, I was going with the belief that they were two completely separate/disjoint pools of accounts. Just now I tried to make someone a user and a publisher, but it wouldn’t let me set the publisher’s password because it contained her last name…which was not something that was in the publisher profile. So they must be linked somehow. Since I used the same email for both, maybe that’s it.

Is there a cheat sheet floating around somewhere? I’m wading through the kmc manual and will follow with the admin manual, but for something this basic it seems like I’m missing something obvious.

Hi @bryce_nordgren,

The relationship between partners [publishers] and users is a bit complex, I will explain how it works.
Before I do, one important note: Publisher and Partner are the same thing. In the Admin Console UI the term “publisher” is used, but in the code and DB the entity/object/table is called “partner”. I realise that’s a bit confusing; it’s for historical reasons and, as we all know, escaping history is difficult :)

The Kaltura Server is an API driven system, all actions done by the management web I/Fs [Admin Console, KMC, KMS, etc] are accomplished by making API requests, same is true for batch operations [transcoding, email sending, asset deletion, etc].

Seeing how this is the case, I feel no explanation can be complete without going into the basics of how an API session is established. If this is more technical an explanation than you desire, you can try to skip ahead.

When making requests to the Kaltura API, the first step is to generate a Kaltura Session [KS]. That is done by calling the ‘session’ service with the ‘start’ action or by calling the ‘user’ service with the ‘loginByLoginId’ action. A session is specific to a given partner ID and two types are supported: USER and ADMIN. The Kaltura API follows the general principles of REST and is stateless, meaning that each and every call to privileged services must include a KS which will be used to determine whether the request should be allowed or not.

And so, when logging into Admin Console or KMC, a Kaltura Session is generated for the relevant partner ID.
There are internal/system partner IDs [for Admin Console, the template partner, the batch partner, etc] and there are “external” partners meant to be used by actual human beings, interacting with the system.

The internal partners are:

mysql> select id,partner_name from partner where id < 100;
+----+----------------------+
| id | partner_name         |
+----+----------------------+
| -6 | Play-Server          |
| -5 | Media                |
| -4 | Monitor              |
| -3 | Hosted Pages         |
| -2 | Admin Console        |
| -1 | Batch                |
|  0 | Global               |
| 99 | Template KMC account |
+----+----------------------+

Each partner can have many users associated with it. When you are prompted by the install script to input an email address and password, a user is created according to your input and is associated with the -2 partner ID, the one used for Admin Console operations.
When you login to Admin Console, a request is made to the user service’s loginByLoginId() action; if the inputs are correct, a KS is returned from that call and you are logged into the Admin Console web I/F.

While the same request in KMC will work, it will result in an empty view since the Admin Console partner [ID -2] is not meant to be used for creating and managing media content. I realise this is confusing and agree that an informative message in that case would certainly be in order. We’re currently working on a new KMC, one that does not require Flash and is built on top of Angular 2; we’ll give it more thought there.

When you submit the form from Admin Console->Users->Add Users, additional users for accessing Admin Console will be created. These users can have different roles, limiting the actions they will be allowed to do within the Admin Console application.

For the purpose of managing media content [upload media, play it, add metadata to it, etc, etc], additional non-system partners should be created. This is done by going to Admin Console->Publishers->Add New Publisher.
If the email address you input in that form does not exist, a new record in the kaltura.user_login_data table will be created.
Next, a new record in the kaltura.partner table will be created. Lastly, a new record in the kaltura.kuser table will be created.

Let’s illustrate with actual sample records from my own local DB:

When prompted by the postinst script with:
“Kaltura Admin user (email address)”
I inputted jess.portnoy@kaltura.com, which resulted in the following records being created:

mysql> select login_email, first_name , last_name, config_partner_id from user_login_data where login_email='jess.portnoy@kaltura.com';
+--------------------------+------------+---------------+-------------------+
| login_email              | first_name | last_name     | config_partner_id |
+--------------------------+------------+---------------+-------------------+
| jess.portnoy@kaltura.com | Kaltura    | Administrator |                -2 |
+--------------------------+------------+---------------+-------------------+
mysql> select screen_name, first_name, last_name, email, partner_id  from kuser where email='jess.portnoy@kaltura.com';
+--------------------------+------------+---------------+--------------------------+------------+
| screen_name              | first_name | last_name     | email                    | partner_id |
+--------------------------+------------+---------------+--------------------------+------------+
| jess.portnoy@kaltura.com | Kaltura    | Administrator | jess.portnoy@kaltura.com |         -2 |
+--------------------------+------------+---------------+--------------------------+------------+
mysql> select id,partner_name, description from partner where id=-2;
+----+---------------+------------------------+
| id | partner_name  | description            |
+----+---------------+------------------------+
| -2 | Admin Console | Administration Console |
+----+---------------+------------------------+

So, when trying to login with jess.portnoy@kaltura.com, my passwd will be checked against the sha1_password and salt stored in user_login_data and my privileges in relation to the partner in question [-2 in the Admin Console’s case] will be checked against the record in the kuser table.

Now, let’s say I created a new partner by submitting the form in Admin Console->Publishers->Add New Publisher [which will make an API request to partner->register() once submitted] with the email jess@kaltura.com.
A new partner record was created:

mysql> select id,partner_name, description from partner where id=101;
+-----+--------------+---------------+
| id  | partner_name | description   |
+-----+--------------+---------------+
| 101 | Jess Portnoy | My Partner    |
+-----+--------------+---------------+

A new user_login_data record was created:

mysql> select login_email, first_name , last_name, config_partner_id from user_login_data where login_email='jess@kaltura.com';
+------------------+------------+-----------+-------------------+
| login_email      | first_name | last_name | config_partner_id |
+------------------+------------+-----------+-------------------+
| jess@kaltura.com | Jess       | Portnoy   |               101 |
+------------------+------------+-----------+-------------------+

A new kuser record was created where partner ID is set to 101:

+------------------+------------+-----------+------------------+------------+
| screen_name      | first_name | last_name | email            | partner_id |
+------------------+------------+-----------+------------------+------------+
| jess@kaltura.com | Jess       | Portnoy   | jess@kaltura.com |        101 |
+------------------+------------+-----------+------------------+------------+

So, when I log into KMC with jess@kaltura.com, a Kaltura session for partner 101 with my user [jess@kaltura.com] will be generated.

If I submit the form in Admin Console->Publishers->Add New Publisher again, with the same email [jess@kaltura.com], an additional record in partner will be created, a new kuser record will also be created. In the upper navigation bar in KMC, the “Change Account” option will appear, allowing me to switch between the various partners my user has access to.

So, one user can be associated with multiple partners and each partner can have multiple users associated with it.
It is important to understand that while multiple kuser records can have the same email but different IDs in the partner_id column, the password for the user shall be the same and its sha1 hash and salt are stored in user_login_data.

To create additional users and grant them privileges on a certain partner, go to KMC->Administration.

Hope this helps clarify things, if you have additional questions, feel free to ask:)

1 Like
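
Added example, not part of the original post and not Kaltura's code: a small Python/SQLite model of the three tables described above, using only the columns quoted in the thread, that refuses a KMC login when the login maps only to an internal partner such as -2 instead of returning an empty view. Partner 102, treating the `id < 100` cutoff from the thread's query as the internal/external boundary, and using `config_partner_id` as the default partner are assumptions.

```python
import sqlite3

SYSTEM_PARTNER_MAX = 100  # the thread's query lists internal partners as id < 100

def build_sample_db():
    """In-memory model with only the columns quoted in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE partner (id INTEGER PRIMARY KEY, partner_name TEXT);
        CREATE TABLE user_login_data (login_email TEXT PRIMARY KEY,
                                      config_partner_id INTEGER);
        CREATE TABLE kuser (email TEXT, partner_id INTEGER);
        INSERT INTO partner VALUES (-2, 'Admin Console'),
            (99, 'Template KMC account'), (101, 'Jess Portnoy'),
            (102, 'Second publisher (constructed)');
        INSERT INTO user_login_data VALUES
            ('jess.portnoy@kaltura.com', -2), ('jess@kaltura.com', 101);
        INSERT INTO kuser VALUES ('jess.portnoy@kaltura.com', -2),
            ('jess@kaltura.com', 101), ('jess@kaltura.com', 102);
    """)
    return db

def content_partners(db, email):
    """Partners this login has a kuser row for, excluding internal ones."""
    rows = db.execute(
        "SELECT partner_id FROM kuser WHERE email = ? AND partner_id >= ? "
        "ORDER BY partner_id", (email, SYSTEM_PARTNER_MAX))
    return [r[0] for r in rows]

def kmc_login_decision(db, email):
    """Decide whether a KMC session should be issued, and for which partner.

    Password checking against user_login_data is out of scope here; this is
    the authorization step that follows a successful credential check.
    """
    row = db.execute("SELECT config_partner_id FROM user_login_data "
                     "WHERE login_email = ?", (email,)).fetchone()
    if row is None:
        return {"allow": False, "reason": "unknown login"}
    allowed = content_partners(db, email)
    if not allowed:
        return {"allow": False, "reason": "no content partner for this login"}
    # Assumption: prefer the login's config_partner_id when it is permitted.
    partner = row[0] if row[0] in allowed else allowed[0]
    return {"allow": True, "partner_id": partner, "switchable": allowed}

if __name__ == "__main__":
    db = build_sample_db()
    for who in ("jess.portnoy@kaltura.com", "jess@kaltura.com"):
        print(who, kmc_login_decision(db, who))
```

The `switchable` list corresponds to what the “Change Account” option would offer when one email has kuser rows under several partners.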

Thanks for the explanation. It seems to me that the notions of authentication and authorization are a bit conflated in the current version. If partners are “groups” or “tenants” or “projects”, it seems a bit off for them to be created in the name of one of the members…and then be allowed to contain other members.

I think a good thing to do in the new KMC you mention would be to explicitly separate these concerns. (…and once they’re separated, allowing different options for authentication would be very cool, like LDAP, Kerberos, or some form of Web-based SSO.)

But I’m just a greedy needy user. :)
Bryce

1 Like

Hi @bryce_nordgren,

I’m the first to agree the user management mechanism can be a bit puzzling for newcomers.
However, I’m afraid it’s not only relevant for KMC but to any piece of code that interacts with our API to perform a login operation and changing it at this point is not very sensible.

As for LDAP/SSO authentication, I do agree with you. Our KMS [Kaltura MediaSpace] does support it and we may implement it in the new KMC as well, though I can’t at present time commit to that:)