Bug 1035358

Summary: oo-trap-user does not honor requested command when SSH_ORIGINAL_COMMAND is unset
Product: OpenShift Container Platform Reporter: Jordan Liggitt <jliggitt>
Component: Containers Assignee: Brenton Leanhardt <bleanhar>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.0.0 CC: jliggitt, libra-onpremise-devel, lmeyer, mlamouri, wjiang, xiama
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-openshift-origin-node-1.17.5-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1024102 Environment:
Last Closed: 2013-12-16 09:11:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1024102    
Bug Blocks:    

Description Jordan Liggitt 2013-11-27 15:50:14 UTC
+++ This bug was initially created as a clone of Bug #1024102 +++

Description of problem:

/usr/bin/oo-trap-user gets incorrect command when auth is not ssh authorized_keys entry.

Version-Release number of selected component (if applicable):


How reproducible:

Attempt git clone using Kerberos authentication


Steps to Reproduce:
1. create devenv
2. install and configure kerberos service (see attached script)
3. create local user u1 matching principal u1@<REALM> where REALM is the devenv hostname (console or rhc)
4. create an app and add the u1@<REALM> principal as an "ssh key" with type krb5-principal
5. switch user to u1 in /home/u1
6. attempt git clone as indicated in the output from app create

Actual results:

git clone attempt drops to rhcsh


Expected results:

git clone attempt creates local copy of app git repository

Additional info:

When oo-trap-user runs it expects the command to be in the SSH_ORIGINAL_COMMAND environment variable. This variable is only set when an SSH authorized key has a command= section which replaces the original command. When the SSH_ORIGINAL_COMMAND variable is unset, the command defaults to rhcsh rather than using the actual arguments (from python sys.argv).

When logging in with Kerberos or other non public-key mechanisms, SSH_ORIGINAL_COMMAND will not be set.

--- Additional comment from Mark Lamourine on 2013-10-28 16:01:41 EDT ---

Adding code to oo-trap-user to honor sys.argv when SSH_ORIGINAL_COMMAND is not set.

--- Additional comment from Jordan Liggitt on 2013-10-30 11:30:44 EDT ---



--- Additional comment from Mark Lamourine on 2013-11-14 08:29:50 EST ---

Pending PR https://github.com/openshift/origin-server/pull/4019

--- Additional comment from Jordan Liggitt on 2013-11-27 10:49:29 EST ---

Merged
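
The command selection described under "Additional info", before and after the fix, as an added example (not the code of oo-trap-user or of the linked PR). It assumes the wrapper is the account's login shell, so that without a forced command sshd starts it as `<shell> -c "<command>"`; the allowlist, the `rhcsh -c` hand-off, the function names and the sample request are assumptions made for illustration.

```python
import shlex

DEFAULT_SHELL = "rhcsh"   # the shell the bug report says requests fell back to
# Assumed allowlist for illustration; the wrapper's real list is not on this page.
ALLOWED = {"git-upload-pack", "git-receive-pack"}

def command_before(environ, argv):
    """Behaviour described in the report: only the environment is consulted."""
    return environ.get("SSH_ORIGINAL_COMMAND")

def command_after(environ, argv):
    """Fix described in the report: fall back to the arguments when unset."""
    cmd = environ.get("SSH_ORIGINAL_COMMAND")
    if cmd:
        return cmd
    # Without a forced command, sshd runs the login shell as `<shell> -c "<cmd>"`.
    if len(argv) >= 3 and argv[1] == "-c":
        return argv[2]
    return None   # interactive login, no command requested

def dispatch(cmd):
    """Turn the requested command into the argv list the wrapper would exec."""
    if not cmd:
        return [DEFAULT_SHELL]
    try:
        words = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: do not try to interpret
        words = []
    if words and words[0] in ALLOWED:
        return words
    # Assumption: anything off the allowlist is passed to the default shell.
    return [DEFAULT_SHELL, "-c", cmd]

# Constructed inputs: the same git request arriving over the two auth paths.
GIT = "git-upload-pack '/~/git/app.git/'"
PUBKEY = ({"SSH_ORIGINAL_COMMAND": GIT}, ["oo-trap-user"])
KERBEROS = ({}, ["oo-trap-user", "-c", GIT])

if __name__ == "__main__":
    for name, (env, argv) in (("pubkey", PUBKEY), ("kerberos", KERBEROS)):
        print(name, dispatch(command_before(env, argv)),
              dispatch(command_after(env, argv)))
```

Both authentication paths go through the same `dispatch` policy, so honoring the arguments changes where the request is read from, not what is allowed to run.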

Comment 2 Luke Meyer 2013-12-02 18:28:59 UTC
enterprise-server cherry-pick:

commit 508e10c039c267687608fa366d05145e19754421
Author: Mark Lamourine <markllama>
Date:   Mon Oct 28 17:13:21 2013 -0400

    allow oo-trap-user to run from non-public-key auth
    
    clarified command branching and debugging
    
    commented syslogs for debugging to minimize load
    
    commented one more line
    
    Prevent double-calling oo-trap-user twice
    
    lmeyer: cherry-picked cleanly from origin-server
    4b91a8ac92781f4a85e2d2327e4d60fd52f5f9fd #cherrypick

Comment 4 Ma xiaoqiang 2013-12-03 09:02:04 UTC
check on puddle [2.0/2013-11-27.2]
1. get the hostname of node
# host $public_ip
2. add node host principal on kerberos server
# kadmin.local -q "addprinc host/vm-167-59-4-10.ose.phx2.redhat.com"
3. add a user on kerberos server
# kadmin.local -q "addprinc xiama"
4. add key for node host principal on kerberos server
# kadmin.local -q "ktadd host/vm-167-59-4-10.ose.phx2.redhat.com"
# kadmin.local -q "ktadd -k node.keytab host/vm-167-59-4-10.ose.phx2.redhat.com"
5. cp keytab from kerberos server to node, save as /etc/krb5.keytab
6. kinit on rhc client
# kinit xiama
7. kinit on node
# kinit -kt /etc/krb5.keytab host/vm-167-59-4-10.ose.phx2.redhat.com
8. create app and delete all sshkey, then add krb key
# rhc sshkey add test --type krb5-principal --content xiama
9. rhc app ssh $app
10. rhc git-clone $app
11. do some changes, and git push
result:
8. can log in to the app
9. can git clone the app
10. git push successfully, add access successfully!