Bug 1019980

Summary:	SSH keys are not added or removed to applications in a domain on membership change
Product:	OpenShift Online	Reporter:	Clayton Coleman <ccoleman>
Component:	oc	Assignee:	Clayton Coleman <ccoleman>
Status:	CLOSED CURRENTRELEASE	QA Contact:	libra bugs <libra-bugs>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	2.x	CC:	wsun, xtian
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-10-17 13:36:03 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Clayton Coleman 2013-10-16 17:49:29 UTC

Adding users to a domain does not correctly propagate their keys to the applications in a domain.  Removing a user does not remove their keys from their domain.

Reproduce scenario
1) On two separate linux user sessions, run rhc setup with two separate sets of SSH keys
2) Create a domain and application as user 1
3) Add user 2 to the domain as an editor or admin
4) Attempt to ssh to the application as user 2 - permission denied
5) Remove user 2 from the domain
6) Remove job does not execute a parallel key distribute, thus keys would not be removed

Needs to go to stage.

Comment 1 Clayton Coleman 2013-10-16 18:56:13 UTC

Fixed for stage in https://github.com/openshift/origin-server/pull/3908, fixed for master in https://github.com/openshift/origin-server/pull/39

Comment 2 openshift-github-bot 2013-10-16 21:07:10 UTC

Commit pushed to master at https://github.com/openshift/rhc

https://github.com/openshift/rhc/commit/9ceeafee17c9383bceb26ad0bfe2c654510046e8
Bug 1019980 - Add test cases for SSH access across multiple users

Comment 3 openshift-github-bot 2013-10-16 21:07:11 UTC

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/494907d78b23c34f3029ba912e8dac160e59c5c6
Bug 1019980 - SSH keys not distributed on membership changes

Comment 5 Wei Sun 2013-10-17 07:31:24 UTC

Verified on devenv_3907,rhc build from devenv_3907.

Step:
1.On two separate linux user sessions, run rhc setup with two separate sets of SSH keys
2.Create a domain and application as user 1(wsun)
3.Add user 2(wsun+1) to the domain as an editor
4.Check if user2(wsun+1)'s key is added in  $app/.ssh/authorized_keys
5.Attempt to ssh to the application as user 2(wsun+1)
6.Remove user 2 from the domain
7.Attempt to ssh to the application as user2(wsun+1)
8.Check if user2(wsun+1)'s key is removed in  $app/.ssh/authorized_keys

Result:
4.User2's key is added in  $app/.ssh/authorized_keys

5.Could ssh to app as user 2(wsun+1)
[wsun@dhcp-8-229 ~]$ rhc ssh r8s -n wsunjbt3907 -l wsun+1 -p x
Connecting to 525f7e24c9083ac6970000af.rhcloud.com ...

 
    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.

7.Could not ssh to app as user2(wsun+1)
[wsun@dhcp-8-229 ~]$ rhc ssh r8s -n wsunjbt3907 -l wsun+1 -p x
Domain 'wsunjbt3907' not found.

8.User2's key is removed from  $app/.ssh/authorized_keys