Bug 1301345

| Field | Value |
|---|---|
| Summary | Nested FreeIPA/LDAP groups break aaa LDAP and aaa LDAP SSO authentication |
| Product | [oVirt] ovirt-engine |
| Component | AAA |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | unspecified |
| Version | 3.6.1.3 |
| Target Milestone | ovirt-3.6.3 |
| Target Release | 3.6.3.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Dan Lavu <dlavu> |
| Assignee | Martin Perina <mperina> |
| QA Contact | Ondra Machacek <omachace> |
| CC | bugs, dlavu, iheim, mgoldboi, mperina, omachace, oourfali, pkliczew, pstehlik |
| Flags | rule-engine: ovirt-3.6.z+, rule-engine: exception+, mgoldboi: planning_ack+, oourfali: devel_ack+, pstehlik: testing_ack+ |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| oVirt Team | Infra |
| Last Closed | 2016-03-11 07:24:30 UTC |
| Attachments | 1119515: ovirt-engine-extensions-tool log (see comments) |
Description
Dan Lavu
2016-01-24 11:55:29 UTC
---

Dan, this happens only on master?

---

Sorry, no, it's happening on 1.1.2-1:

```text
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch
```

---

Just to be sure about versions:

1. ovirt-engine-extension-aaa-ldap is 1.1.2, right?
2. What is the exact version of the ovirt-engine package? Master or 3.6? If 3.6, what is the exact version?

Thanks

---

```text
ovirt-engine-jboss-as-7.1.1-1.el7.centos.x86_64
ovirt-vmconsole-host-1.0.0-1.el7.centos.noarch
ovirt-engine-setup-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-allinone-3.6.1.3-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-engine-extensions-api-impl-3.6.1.3-1.el7.centos.noarch
ebay-cors-filter-1.0.1-0.1.ovirt.el7.noarch
ovirt-engine-webadmin-portal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-engine-reports-3.6.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-dockerc-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-engine-cli-3.6.0.2-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.0.3-1.el7.centos.noarch
ovirt-engine-dwh-3.6.1-1.el7.centos.noarch
ovirt-engine-reports-setup-3.6.1.1-1.el7.centos.noarch
ovirt-engine-lib-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-dwh-setup-3.6.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-userportal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-restapi-3.6.1.3-1.el7.centos.noarch
ovirt-release36-002-2.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-offline-1.4.1-1.el7.centos.x86_64
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.1.3-1.el7.centos.noarch
ovirt-engine-tools-3.6.1.3-1.el7.centos.noarch
ovirt-engine-backend-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
```

---

I am 100% sure that I've tried it and it worked well. Can you please share with us:

1) IPA version
2) how the user membership looks? From what I understand from your post it looks like this:

```text
user
 |-> group1
      |-> group2
```

Then you assign group2 SuperUserRole and try to log in with user, right?

3) Also I am not sure what you mean by SSO and kerberos. Based on the properties you posted in the description you don't use it at all.

---

1. IPA version.

```text
[root@auth:~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.3.x86_64
ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64
ipa-server-4.2.0-15.el7_2.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.3.x86_64
python-iniparse-0.4-9.el7.noarch
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64
ipa-server-dns-4.2.0-15.el7_2.3.x86_64
```

2. Correct. Actually I'm unable to log in at all; the web app breaks entirely, regular idm login does not work, nor do local logins.

3. Sorry, I was trying to simplify the config. Here is the relevant krb configuration.

```ini
[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-authz.properties
ovirt.engine.extension.name = idm-krb-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties
#config.globals.bindFormat.simple_bindFormat = realm

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-authn.properties
ovirt.engine.extension.name = idm-krb-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm-krb-http
ovirt.engine.aaa.authn.authz.plugin = idm-krb-authz
ovirt.engine.aaa.authn.mapping.plugin = idm-krb-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-mapping.properties
ovirt.engine.extension.name = idm-krb-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
```

```apache
[root@groot:/etc/ovirt-engine/extensions.d]# cat /etc/httpd/conf.d/ovirt-sso.conf
#
# 1. make sure /etc/krb5.keytab is available and valid.
# 2. update KrbAuthRealms
# 3. symlink into /etc/httpd/conf.d
#
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

#    AuthType Kerberos
#    AuthName "Kerberos Login"
#    Krb5Keytab /etc/ovirt.keytab
#    KrbAuthRealms LAB.RUNLEVELONE.LAN
#    KrbMethodK5Passwd off
#    Require valid-user

    AuthType GSSAPI
    GssapiLocalName off
    AuthName "Login"
    GssapiBasicAuth on
    GssapiCredStore keytab:/etc/ovirt.keytab
    Require valid-user
</LocationMatch>
```

When attempting to access the manager, the following is displayed:

```text
Internal Server Error
```

From the apache logs:

```text
[Thu Jan 28 00:20:32.694096 2016] [proxy:error] [pid 16069] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Thu Jan 28 00:20:32.694107 2016] [proxy_ajp:error] [pid 16069] [client 192.168.71.16:54636] AH00896: failed to make connection to backend: 127.0.0.1, referer: https://ovirt.lab.runlevelone.lan/ovirt-engine/webadmin/?locale=en_US
```

---

Thank you for the information. One last question. Can you please send the output of the following command (on the engine)?

```shell
$ ovirt-engine-extensions-tool --log-level=FINEST aaa search --extension-name=idm-krb-authz --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --entity-name=problematic_user
```

---

Martin, shall we target that to 3.6.3?

---

Ondra has provided a patch [1]. If he confirms that it solves this issue, we should get this into 3.6.3, because AFAIU this issue could happen on any LDAP server with a nested group cycle (A is a member of B and B is a member of A). Ondro?

[1] https://gerrit.ovirt.org/#/c/52860/

---

Created attachment 1119515 [details]
ovirt-engine-extensions-tool log

Log attached.

---

Restoring needinfo

---

Martin, just for clarification: it's just a nested group, group A is a member of group B, it does not loop. Group admins is nested beneath ovirt_admins.

```text
[root@auth:~]# ipa group-find
  Group name: ovirt_admins
  Description: oVirt Administrators
  Member users: user1, user2, user3, dlavu **sanitized**
  Member groups: admins      << Removing this membership fixes the problem.

  Group name: admins
  Description: Administrators
  GID: 100000
  Member users: admin, dlavu
  Member of groups: idm_admins, ovirt_admins
  Member of Sudo rule: root_users
  Member of HBAC rule: allow_all
  Indirect Member of role: helpdesk, IT Security Specialist, IT Specialist, Security Architect, User Administrator
```

---

With the following setup I couldn't reproduce (it should be the same as you have):

```text
[root@brq-ipa-4 ~]# ipa group-find
  Group name: admins
  Member users: admin, my_test1
  Member of groups: ovirt_admins, idm_admins

  Group name: idm_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin

  Group name: ovirt_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin
```

I've assigned the SuperUser role to the 'ovirt_admins' group and I was able to log in as the 'my_test1' user.

The only way I was able to reproduce was to create a recursion between groups. Once I added the 'ovirt_admins' group to the 'admin' group, I got the issue you had. I was able to reproduce it also on the latest 3.5.

---

The master fix will be a bit different and ready next week, but we need this to get into the last 3.6.3 build.

---

I've successfully logged in with a user with nested groups which has a group recursion loop. Dan, can you please try whether it works for you as well? Thanks.

---

Ondra, is it up on Fedora or do I need to get it from the nightly builds? But certainly I will test.
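The thread narrows the failure down to group resolution: a plain nested group (admins inside ovirt_admins) works, but a membership cycle (ovirt_admins inside admins and admins inside ovirt_admins) takes the engine down. The following is an added example, not code from oVirt or from ovirt-engine-extension-aaa-ldap, that models the two directory shapes in memory and contrasts a recursive memberOf walk with no memory against one that expands each group at most once. The base DN, the user DNs and the group membership are constructed sample data shaped after the `ipa group-find` output above; nothing is read from a real directory.

```python
"""Transitive LDAP group resolution, with and without cycle protection.

Added example (not oVirt project code). The directory is a constructed
in-memory stand-in for a FreeIPA group tree: each group DN maps to the DNs
it lists in its ``member`` attribute. Two shapes are modelled:

  NESTED: admins is a member of ovirt_admins (the reporter's setup, no loop)
  CYCLE:  NESTED plus ovirt_admins as a member of admins (the reproducer)
"""
from typing import Dict, List, Set

# Assumed suffixes; any real deployment has its own.
GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=test"
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=test"


def gdn(name: str) -> str:
    """DN of a group in the constructed directory."""
    return f"cn={name},{GROUPS_BASE}"


def udn(name: str) -> str:
    """DN of a user in the constructed directory."""
    return f"uid={name},{USERS_BASE}"


# group DN -> direct member DNs (users and groups); constructed sample data
NESTED: Dict[str, List[str]] = {
    gdn("ovirt_admins"): [udn("user1"), udn("dlavu"), gdn("admins")],
    gdn("admins"): [udn("admin"), udn("dlavu")],
    gdn("idm_admins"): [gdn("admins")],
}

# Same tree, plus the back edge that creates the loop admins <-> ovirt_admins.
CYCLE: Dict[str, List[str]] = {g: list(m) for g, m in NESTED.items()}
CYCLE[gdn("admins")].append(gdn("ovirt_admins"))


def direct_groups_of(directory: Dict[str, List[str]], dn: str) -> List[str]:
    """Groups listing ``dn`` as a direct member (the ``memberOf`` view)."""
    return [g for g, members in directory.items() if dn in members]


def resolve_groups_naive(directory: Dict[str, List[str]], dn: str) -> Set[str]:
    """Follow memberOf upwards with no record of what was already expanded.

    Correct on a tree, but on a membership cycle the recursion never ends;
    Python reports that as RecursionError. A JVM hits StackOverflowError in
    the same situation, which is the failure mode described in this bug.
    """
    resolved: Set[str] = set()
    for group in direct_groups_of(directory, dn):
        resolved.add(group)
        resolved |= resolve_groups_naive(directory, group)
    return resolved


def resolve_groups_safe(directory: Dict[str, List[str]], dn: str) -> Set[str]:
    """Same walk, but every group is expanded at most once.

    The visited set bounds the work by the number of groups, so cycles and
    diamonds terminate and the result is the full transitive membership.
    """
    resolved: Set[str] = set()
    pending: List[str] = direct_groups_of(directory, dn)
    while pending:
        group = pending.pop()
        if group in resolved:
            continue  # already expanded: this is what breaks the loop
        resolved.add(group)
        pending.extend(direct_groups_of(directory, group))
    return resolved


def naive_terminates(directory: Dict[str, List[str]], dn: str) -> bool:
    """True if the unguarded walk finishes, False if it blows the stack."""
    try:
        resolve_groups_naive(directory, dn)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    for label, directory in (("NESTED", NESTED), ("CYCLE", CYCLE)):
        print(label, "naive terminates:", naive_terminates(directory, udn("admin")))
        print(label, "safe result:", sorted(resolve_groups_safe(directory, udn("admin"))))
```

Run stand-alone, the script shows the unguarded walk finishing on the reporter's nested layout and failing on the cyclic one, while the guarded walk returns the same three groups for both. The check to carry into any group resolver, whatever the directory, is that a group already in the result set is never expanded a second time.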
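The idm-krb-http-mapping.properties file posted earlier in the thread decides which name the engine looks up after Apache has authenticated the client: the X-Remote-User header carries the Kerberos principal, and the regex mapping rewrites it before the authz extension sees it. The following is an added example, not code from oVirt or from ovirt-engine-extension-aaa-misc, that applies the same pattern and replacement to a few constructed header values so the effect of the mapping is visible. It assumes the `\\\\` in the properties file reaches the regex engine as a single literal backslash after Java properties unescaping, and translates the Java `(?<name>...)` and `${name}` syntax to Python's `(?P<name>...)` and `\g<name>`; the principal strings are made up.

```python
"""Apply the X-Remote-User regex mapping from the thread to sample principals.

Added example (not oVirt project code). PATTERN and REPLACEMENT are the
config.mapAuthRecord.regex.* values from the posted properties file, rewritten
in Python named-group syntax. Assumption: Java properties unescaping turns the
file's ``\\\\`` into one literal backslash in the regex.
"""
import re
from typing import Optional

# Python form of: ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
PATTERN = re.compile(r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$")
# Python form of: ${user}${at}${suffix}
REPLACEMENT = r"\g<user>\g<at>\g<suffix>"
MUST_MATCH = True  # config.mapAuthRecord.regex.mustMatch = true


def map_auth_record(remote_user: str) -> Optional[str]:
    """Return the mapped principal, or None when mustMatch rejects the input.

    Unmatched optional groups (``at``, ``suffix`` for a plain user@REALM) expand
    to the empty string, which is also what the engine's mapping produces.
    """
    match = PATTERN.match(remote_user)
    if match is None:
        return None if MUST_MATCH else remote_user
    return match.expand(REPLACEMENT)


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real log.
    samples = [
        "dlavu@LAB.RUNLEVELONE.LAN",                 # plain principal: realm stripped
        r"jdoe\@corp.example.com@LAB.RUNLEVELONE.LAN",  # enterprise principal: keeps user@suffix
        "localuser",                                 # no realm at all: rejected by mustMatch
        "@LAB.RUNLEVELONE.LAN",                      # realm only: maps to the empty string
    ]
    for value in samples:
        print(f"{value!r:50} -> {map_auth_record(value)!r}")
```

The last sample is the one worth noting when reviewing a mapping like this: a header consisting only of `@REALM` passes the regex and yields an empty user name, so the authentication in front of Apache (here `Require valid-user`) and the authz lookup behind it are what must refuse it, not the mapping.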