Bug 1148797

Summary: [AAA] Support some special characters in users/groups/domains search query
Product: [oVirt] ovirt-engine Reporter: Ondra Machacek <omachace>
Component: Search-BackendAssignee: Eli Mesika <emesika>
Status: CLOSED CURRENTRELEASE QA Contact: Ondra Machacek <omachace>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.3CC: adevolder, alonbl, anande, bugs, ecohen, emesika, gklein, iheim, lpeer, lsurette, omachace, oourfali, rbalakri, Rhev-m-bugs, yeylon
Target Milestone: ovirt-3.6.0-rcKeywords: Reopened
Target Release: 3.6.0Flags: rule-engine: ovirt-3.6.0+
ylavi: planning_ack+
rule-engine: devel_ack+
rule-engine: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: unsupported characters in user search Consequence: Search with a space or special character in object name gives no results Fix: Support the following: space - supported only for the namespace(namingContext) * - can be searched by ** & - Not supported ! - Not supported ^ - Not supported & - Not supported ) - Not supported = - Not supported ' - Not supported " - Not supported < - Not supported > - Not supported Not all ldap providers support these special characters in users/group name. All other special characters except that listed are supported by search engine. Result: You can use now space and the special characters as described above
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-04 13:35:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1076964, 1096175, 1186039, 1267232    
Attachments:
Description Flags
webadmin users none

Description Ondra Machacek 2014-10-02 11:53:29 UTC 
Description of problem:
currenty when there is backslash in name of any object it's not found.

Version-Release number of selected component (if applicable):
rhevm-backend-3.5.0-0.13.beta.el6ev.noarch

How reproducible:
always

Steps to Reproduce:
1. Add user with backslash in username like AD-domain\userx@authz
2. Search for this user in UI or in REST
UI: Users: usrname=AD-domain\userx@authz
REST = /api/users?search=usrname%3DAD-domain%5Cuserx%40authz

Actual results:
no results returned

Expected results:
user is returned

Additional info:
Comment 1 Alon Bar-Lev 2014-10-05 11:21:10 UTC 
(In reply to Ondra Machacek from comment #0)
> Description of problem:
> currenty when there is backslash in name of any object it's not found.
> 
> Version-Release number of selected component (if applicable):
> rhevm-backend-3.5.0-0.13.beta.el6ev.noarch
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. Add user with backslash in username like AD-domain\userx@authz
> 2. Search for this user in UI or in REST
> UI: Users: usrname=AD-domain\userx@authz
> REST = /api/users?search=usrname%3DAD-domain%5Cuserx%40authz
> 
> Actual results:
> no results returned
> 
> Expected results:
> user is returned
> 
> Additional info:

new implementation supports only upn style, so backslashes will not appear any more.

but wroth checking with other special characters, now it is '@'.
Comment 2 Alon Bar-Lev 2014-10-05 17:12:49 UTC 
please retest with latest implementations if that is at high priority.
yair has more import tasks for now.
thanks!
Comment 3 Ondra Machacek 2014-10-20 18:29:22 UTC 
It's working for /api/users, but it doesn't work for /api/domains/id/users.
Comment 4 Alon Bar-Lev 2014-10-20 18:31:20 UTC 
(In reply to Ondra Machacek from comment #3)
> It's working for /api/users, but it doesn't work for /api/domains/id/users.

can you please provide user and exact query (I prefer curl), so I can test.
Comment 5 Ondra Machacek 2014-10-21 12:26:23 UTC 
Please note that different usernames I use below are due to bug 1147900.

1)
curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: False"
    -u $U $URL/users?search=usrname%3Du1%40qa.qumranet.com%40ldap-authz-test_digest_ad

2)
curl -k -X GET -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: False"
    -u $U $URL/domains/6c646170-2d61-7574-687a-2d746573745f/users?search=usrname%3Duser1+testgrp%40ldap-authz-test_digest_ad

First command return user. Second command return empty <users/> tag.

in api/domains is:
<user href="/api/domains/6c646170-2d61-7574-687a-2d746573745f/users/6E616A6E452B5973506B366D4F5645465737616571513D3D" id="6E616A6E452B5973506B366D4F5645465737616571513D3D"><name>user1</name><domain href="/api/domains/6c646170-2d61-7574-687a-2d746573745f" id="6c646170-2d61-7574-687a-2d746573745f"/><namespace>DC=qa,DC=lab,DC=tlv,DC=redhat,DC=com</namespace><last_name>testgrp</last_name><user_name>user1 testgrp@ldap-authz-test_digest_ad</user_name><principal>u1.com</principal><groups/></user>

in api/users is:
<user href="/api/users/44939603-b9a4-411a-a32e-8ed509f423a0" id="44939603-b9a4-411a-a32e-8ed509f423a0"><name>user1</name><link href="/api/users/44939603-b9a4-411a-a32e-8ed509f423a0/permissions" rel="permissions"/><link href="/api/users/44939603-b9a4-411a-a32e-8ed509f423a0/roles" rel="roles"/><link href="/api/users/44939603-b9a4-411a-a32e-8ed509f423a0/tags" rel="tags"/><domain href="/api/domains/6c646170-2d61-7574-687a-2d746573745f" id="6c646170-2d61-7574-687a-2d746573745f"/><domain_entry_id>6E616A6E452B5973506B366D4F5645465737616571513D3D</domain_entry_id><namespace>DC=qa,DC=lab,DC=tlv,DC=redhat,DC=com</namespace><last_name>testgrp</last_name><user_name>u1.com@ldap-authz-test_digest_ad</user_name><principal>u1.com</principal></user>
Comment 6 Yair Zaslavsky 2014-10-21 13:37:26 UTC 
Bare in mind in engine code /api/users and /api/domains/xxxx/users get translated to SQL queries, and LDAP queries.
The fact "Users" are used both for engine (db) users and authz providers principals is misleading.
Comment 7 Alon Bar-Lev 2014-10-21 20:05:52 UTC 
Please notice that the additions of @authz should not be included in search term as they are added for output only due to backward compatibility. We need user, actual user, with special characters, not sure such available.

My findings:

For:
---
    <user href="/ovirt-engine/api/domains/6c646170-2d61-7574-687a-2d61645f6164/users/312B7454613546726F6B572B364C71784A42457957773D3D" id="312B7454613546726F6B572B364C71784A42457957773D3D">
        <name>user3FirstName</name>
        <domain href="/ovirt-engine/api/domains/6c646170-2d61-7574-687a-2d61645f6164" id="6c646170-2d61-7574-687a-2d61645f6164"/>
        <namespace>DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com</namespace>
        <last_name>user3LastName</last_name>
        <user_name>user3FirstName user3LastName@ldap-authz-ad_ad-w2k12r2</user_name>
        <principal>user3.lab.eng.brq.redhat.com</principal>
        <groups/>
    </user>
---

Working: (search for "username=user3FirstName*")
$ curl -k -X GET -H "Content-Type: application/xml" "http://admin%40internal:engine@localhost:8080/ovirt-engine/api/domains/6c646170-2d61-7574-687a-2d61645f6164/users?search=username%3Duser3FirstName%2A"

Not working: (search for "username=user3FirstName *")
$ curl -k -X GET -H "Content-Type: application/xml" "http://admin%40internal:engine@localhost:8080/ovirt-engine/api/domains/6c646170-2d61-7574-687a-2d61645f6164/users?search=username%3Duser3FirstName%20%2A"

So there is a problem with at least space when specifying search.
Comment 9 Eli Mesika 2015-06-22 13:31:21 UTC 
see 1096175 for documentation which special characters are supported

*** This bug has been marked as a duplicate of bug 1096175 ***
Comment 10 Ondra Machacek 2015-09-11 12:54:51 UTC 
I cannot search for user with * in name. I used ** for search. (within kerbldap, RHDS)
2015-09-11 14:53:50,530 DEBUG [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp-/127.0.0.1:8702-7) [] find() : LDAP filter='(&(&(objectClass=person))(|(givenname=special**)(sn=special**)(uid=special**)(uid=special**)))', baseDN='', explicitBaseDN='null', domain='brq-ldap.rhev.lab.eng.brq.redhat.com'



I cannot search for user with space in name. Used just a space for search (within AAA, ADw2k12)
2015-09-11 14:45:50,711 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-1) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADUSER: allnames=with space''

Am I doing anything wrong? If yes, please tell me and change doc text.
Comment 11 Ondra Machacek 2015-09-14 17:58:39 UTC 
I failed to add group with spaces in name. So moving back to assigned, but please read also comment 10 , thanks.

Command:

$ curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
     -d "<group><name>Group with space</name><domain><name>ad-w2k12r2.rhev.lab.eng.brq.redhat.com-authz</name></domain></group>" \
     -u $U $URL/groups

=============================================================
Output:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<fault>
    <reason>Operation Failed</reason>
    <detail>Entity not found: ADGROUP.lab.eng.brq.redhat.com-authz:: name=Group with space</detail>
</fault>

=============================================================
Log:

2015-09-14 19:57:30,890 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (ajp-/127.0.0.1:8702-2) [] Operation Failed: Entity not found: ADGROUP.lab.eng.brq.redhat.com-authz:: name=Group with space
Comment 12 Alon Bar-Lev 2015-09-14 18:05:20 UTC 
As we discussed before, to make this happen, we must escape all special characters when provided with a query and unescape these at backend when parsing. It won't work any other way, as '=', ' ' and might be other characters have dual meaning when parsing. URIEncode/URIDecode will be fine, having done for each component.
Comment 13 Oved Ourfali 2015-09-21 04:49:27 UTC 
Sitting with Eli it seems like it won't be a small change to escape everything.
Looking at the customer tickets on that, I saw that the only ones open are ones in which there is a "#" in the username, and " " in the domain.
As far as I understand, both these use-cases were covered as part of Eli's fix.

Ondra - can you verify those use-cases are now working properly?
Anand - can you confirm these are the only cases you know of?

If that's the case, we will move it to 4.0 (we consider re-writing the search mechanism anyway, so it will be one of the requirements there).
Comment 14 Ondra Machacek 2015-09-21 11:19:36 UTC 
Created attachment 1075472 [details]
webadmin users

Works fine with AAA
Comment 15 Ondra Machacek 2015-09-21 12:32:02 UTC 
Here is a list of special characters that can't be searched for(tested with new generic ldap nad RHDS):

!, ^, &, ), =, ', ", <, >, space
Comment 16 Oved Ourfali 2015-09-21 12:35:19 UTC 
Anand - that means that if using the generic LDAP provider, you can add domains with spaces.
Also, generally, you'll be able to search for users and groups with "#".

Would that be enough for the pending tickets?
If so, we'll open another bug on the general use-case.
Comment 17 Oved Ourfali 2015-09-24 11:10:14 UTC 
Verified with Anand that it is enough.

Eli/Ondra - please verify also the doc-text provided here, and correct it to suit what we support, if needed.
Comment 18 Eli Mesika 2015-09-24 13:21:46 UTC 
(In reply to Oved Ourfali from comment #17)
> Verified with Anand that it is enough.
> 
> Eli/Ondra - please verify also the doc-text provided here, and correct it to
> suit what we support, if needed.

Verified
Comment 19 Ondra Machacek 2015-09-29 08:26:12 UTC 
Just few notes to doc text.

1) "Cause: unsupported characters in AD search." -> It's not related only to AD search

2) "space - supported only for the domain name" -> It's actually supported for namespace in context of oVirt and new generic ldap. In context of ldap it's namingContext.

same applies to bug 1096175
Comment 20 Sandro Bonazzola 2015-11-04 13:35:52 UTC 
oVirt 3.6.0 has been released on November 4th, 2015 and should fix this issue.
If problems still persist, please open a new BZ and reference this one.