Bug 1301345

Summary: Nested FreeIPA/LDAP groups break aaa LDAP and aaa LDAP SSO authentication
Product: [oVirt] ovirt-engine
Reporter: Dan Lavu <dlavu>
Component: AAA
Assignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondra Machacek <omachace>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.6.1.3
CC: bugs, dlavu, iheim, mgoldboi, mperina, omachace, oourfali, pkliczew, pstehlik
Target Milestone: ovirt-3.6.3
Flags: rule-engine: ovirt-3.6.z+
       rule-engine: exception+
       mgoldboi: planning_ack+
       oourfali: devel_ack+
       pstehlik: testing_ack+
Target Release: 3.6.3.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-11 07:24:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: ovirt-engine-extensions-tool log (flags: none)

Description Dan Lavu 2016-01-24 11:55:29 UTC
Description of problem:
After configuring aaa LDAP authentication and/or Kerberos aaa authentication, authentication fails if the group contains groups as members (aka nested groups).

---
2016-01-24 06:37:01,051 ERROR [io.undertow.servlet] (default task-238) Exception while dispatching incoming RPC call: com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.ovirt.engine.core.common.action.VdcReturnValueBase org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWTService.login(java.lang.String,java.lang.String,java.lang.String,org.ovirt.engine.core.common.action.VdcActionType)' threw an unexpected exception: javax.ejb.EJBException: JBAS014580: Unexpected Error
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:219) [gwt-servlet.jar:]
	at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:172) [gwt-servlet.jar:]
	at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:233) [gwt-servlet.jar:]
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) [gwt-servlet.jar:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94) [utils.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.ui.frontend.server.gwt.GwtCachingFilter.doFilter(GwtCachingFilter.java:132) [frontend.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73) [branding.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:65) [utils.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.SessionMgmtFilter.doFilter(SessionMgmtFilter.java:31) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.LoginFilter.doFilter(LoginFilter.java:75) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.NegotiationFilter.doFilter(NegotiationFilter.java:132) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:90) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.SessionValidationFilter.doFilter(SessionValidationFilter.java:77) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_65]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_65]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65]
Caused by: javax.ejb.EJBException: JBAS014580: Unexpected Error
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInNoTx(CMTTxInterceptor.java:213) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:262) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:399) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:243) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:43) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
	at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view2.login(Unknown Source)
	at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.login(GenericApiGWTServiceImpl.java:189) [frontend.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_65]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_65]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_65]
	at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_65]
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196) [gwt-servlet.jar:]
	... 62 more
Caused by: java.lang.StackOverflowError
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
---

Version-Release number of selected component (if applicable):


How reproducible:
Always. 


Steps to Reproduce:
1. Authenticate oVirt against LDAP/FreeIPA.
2. Add a FreeIPA group to the SuperUser role in oVirt.
3. Add a nested group in IdM/LDAP to the group that has a role in oVirt.

Actual results:
LDAP/KRB auth hangs and times out.

Caused by: java.lang.StackOverflowError
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]


Expected results:
Users in both the parent and nested groups are able to log in to oVirt.


Additional info:

LDAP AAA configuration


[root@groot:/etc/ovirt-engine/aaa]# cat idm.properties
include = <ipa.properties>

vars.server1 = auth.lab.runlevelone.lan
vars.server2 = idm.lab.runlevelone.lan

vars.user = uid=ovirtauth,cn=sysaccounts,cn=etc,dc=lab,dc=runlevelone,dc=lan
vars.password = someverylongpassphrasethatisbetterthana12characterpassword

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}


[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-authn.properties
ovirt.engine.extension.name = idm-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm
ovirt.engine.aaa.authn.authz.plugin = idm-authz
config.profile.file.1 = ../aaa/idm.properties


[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-authz.properties
ovirt.engine.extension.name = idm-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties

Comment 1 Oved Ourfali 2016-01-24 16:45:38 UTC
Dan, this happens only on master?

Comment 2 Dan Lavu 2016-01-24 20:21:50 UTC
Sorry, no, it's happening on 1.1.2-1


ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch

Comment 4 Martin Perina 2016-01-25 07:56:23 UTC
Just to be sure about versions:

1. ovirt-engine-extension-aaa-ldap is 1.1.2, right?
2. What is the exact version of ovirt-engine package? Master of 3.6? If 3.6, what is the exact version?

Thanks

Comment 5 Dan Lavu 2016-01-25 11:55:23 UTC
ovirt-engine-jboss-as-7.1.1-1.el7.centos.x86_64
ovirt-vmconsole-host-1.0.0-1.el7.centos.noarch
ovirt-engine-setup-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-allinone-3.6.1.3-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-engine-extensions-api-impl-3.6.1.3-1.el7.centos.noarch
ebay-cors-filter-1.0.1-0.1.ovirt.el7.noarch
ovirt-engine-webadmin-portal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-engine-reports-3.6.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-dockerc-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-engine-cli-3.6.0.2-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.0.3-1.el7.centos.noarch
ovirt-engine-dwh-3.6.1-1.el7.centos.noarch
ovirt-engine-reports-setup-3.6.1.1-1.el7.centos.noarch
ovirt-engine-lib-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-dwh-setup-3.6.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-userportal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-restapi-3.6.1.3-1.el7.centos.noarch
ovirt-release36-002-2.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-offline-1.4.1-1.el7.centos.x86_64
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.1.3-1.el7.centos.noarch
ovirt-engine-tools-3.6.1.3-1.el7.centos.noarch
ovirt-engine-backend-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch

Comment 6 Ondra Machacek 2016-01-27 14:01:38 UTC
I am 100% sure that I've tried it and it worked well.

Can you please share with us:
1) IPA version

2) What does the user membership look like?
     From what I understand from your post it looks like this:
     user
        |-> group1
                    |-> group2

     Then you assign group2 SuperUserRole. And try to login with user, right?

3) Also, I'm not sure what you mean by SSO and Kerberos. Based on the properties you posted in the description, you don't use them at all.

Comment 7 Dan Lavu 2016-01-28 05:18:41 UTC
1. IPA version.

[root@auth:~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.3.x86_64
ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64
ipa-server-4.2.0-15.el7_2.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.3.x86_64
python-iniparse-0.4-9.el7.noarch
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64
ipa-server-dns-4.2.0-15.el7_2.3.x86_64


2. Correct. Actually, I'm unable to log in at all; the web app breaks entirely. Regular IdM logins do not work, nor do local logins.

3. Sorry, I was trying to simplify the config. Here is the relevant Kerberos configuration.

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-authz.properties 
ovirt.engine.extension.name = idm-krb-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties
#config.globals.bindFormat.simple_bindFormat = realm

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-authn.properties 
ovirt.engine.extension.name = idm-krb-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm-krb-http
ovirt.engine.aaa.authn.authz.plugin = idm-krb-authz
ovirt.engine.aaa.authn.mapping.plugin = idm-krb-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-mapping.properties 
ovirt.engine.extension.name = idm-krb-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}

[root@groot:/etc/ovirt-engine/extensions.d]# cat /etc/httpd/conf.d/ovirt-sso.conf 
#
# 1. make sure /etc/krb5.keytab is available and valid.
# 2. update KrbAuthRealms
# 3. symlink into /etc/httpd/conf.d
#
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
    RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
    RequestHeader set X-Remote-User %{REMOTE_USER}s

#   AuthType Kerberos
#   AuthName "Kerberos Login"
#   Krb5Keytab /etc/ovirt.keytab
#   KrbAuthRealms LAB.RUNLEVELONE.LAN

#   KrbMethodK5Passwd off
#   Require valid-user
    AuthType GSSAPI
    GssapiLocalName off
    AuthName "Login"
    GssapiBasicAuth on
    GssapiCredStore keytab:/etc/ovirt.keytab
    Require valid-user
</LocationMatch>

Comment 8 Dan Lavu 2016-01-28 05:22:56 UTC
When attempting to access the manager, the following is displayed:

Internal Server Error

From the Apache logs:

[Thu Jan 28 00:20:32.694096 2016] [proxy:error] [pid 16069] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Thu Jan 28 00:20:32.694107 2016] [proxy_ajp:error] [pid 16069] [client 192.168.71.16:54636] AH00896: failed to make connection to backend: 127.0.0.1, referer: https://ovirt.lab.runlevelone.lan/ovirt-engine/webadmin/?locale=en_US

Comment 9 Ondra Machacek 2016-01-29 08:42:53 UTC
Thank you for the information. One last question: can you please send the output of the following command (on the engine)?

$ ovirt-engine-extensions-tool --log-level=FINEST aaa search --extension-name=idm-krb-authz --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --entity-name=problematic_user

Comment 10 Oved Ourfali 2016-01-29 16:56:43 UTC
Martin, shall we target that to 3.6.3?

Comment 11 Martin Perina 2016-01-29 17:07:07 UTC
Ondra has provided a patch [1]. If he confirms that it solves this issue, we should get this into 3.6.3, because AFAIU this issue could happen on any LDAP server with a "nested group cycle" (A is a member of B and B is a member of A).
Ondro?

[1] https://gerrit.ovirt.org/#/c/52860/

Comment 12 Dan Lavu 2016-01-29 20:13:02 UTC
Created attachment 1119515
ovirt-engine-extensions-tool log

Log attached.

Comment 13 Oved Ourfali 2016-01-31 17:22:23 UTC
Restoring needinfo

Comment 14 Dan Lavu 2016-01-31 17:37:36 UTC
Martin, 

Just for clarification: it's just a nested group. Group A is a member of group B; it does not loop.

Group admins is nested beneath ovirt Admins

[root@auth:~]# ipa group-find

  Group name: ovirt_admins
  Description: oVirt Administrators
  Member users: user1, user2, user3, dlavu **sanitized**
  Member groups: admins  << Removing this membership fixes the problem.


  Group name: admins
  Description: Administrators
  GID: 100000
  Member users: admin, dlavu
  Member of groups: idm_admins, ovirt_admins
  Member of Sudo rule: root_users
  Member of HBAC rule: allow_all
  Indirect Member of role: helpdesk, IT Security Specialist, IT Specialist, Security Architect, User Administrator

Comment 15 Ondra Machacek 2016-02-01 18:07:43 UTC
With the following setup I couldn't reproduce (it should be the same as you have):
[root@brq-ipa-4 ~]# ipa group-find
  Group name: admins
  Member users: admin, my_test1
  Member of groups: ovirt_admins, idm_admins

  Group name: idm_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin

  Group name: ovirt_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin

I've assigned the SuperUser role to the 'ovirt_admins' group and I was able to log in as the 'my_test1' user.

The only way I was able to reproduce was to create a recursion between groups.
Once I added the 'ovirt_admins' group to the 'admin' group, I got the issue you had.
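
Added example, not oVirt's code: a Python model of the failure reproduced above and of Martin's "nested group cycle" explanation in comment 11. The group directory is constructed from the `ipa group-find` output in comments 14 and 15; `flat_groups_naive` is a hypothetical stand-in for an unguarded recursive flattener like the flatGroups() in the stack trace, not the engine's real code, and the visited-set flattener and the cycle reporter show the defensive alternatives.

```python
"""Why a recursive group flattener overflows on a membership cycle, and two
defensive fixes: a visited set, and a check that reports the cycle to the admin.
Added example, not oVirt code; directory contents are constructed."""
from typing import Dict, List, Optional, Set

# Constructed group directory modelled on `ipa group-find` in comments 14/15
# (group name -> direct member groups).  The last entry is the comment 15
# reproducer: admins also contains ovirt_admins, which closes a cycle.
GROUPS_WITH_CYCLE: Dict[str, List[str]] = {
    "ovirt_admins": ["admins"],
    "idm_admins": ["admins"],
    "admins": ["ovirt_admins"],
}

# Same directory with that membership removed (the comment 14 workaround).
GROUPS_ACYCLIC: Dict[str, List[str]] = {
    "ovirt_admins": ["admins"],
    "idm_admins": ["admins"],
    "admins": [],
}


def flat_groups_naive(group: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Hypothetical stand-in for the pre-fix behaviour: recurse into every
    member group with no bookkeeping.  On a cycle this never terminates
    (RecursionError here, StackOverflowError in the engine's Java)."""
    result = {group}
    for member in directory.get(group, []):
        result |= flat_groups_naive(member, directory)
    return result


def flat_groups_safe(group: str, directory: Dict[str, List[str]],
                     visited: Optional[Set[str]] = None) -> Set[str]:
    """Cycle-safe flattening: a group already seen is not expanded again, so
    the recursion depth is bounded by the number of distinct groups."""
    if visited is None:
        visited = set()
    if group in visited:
        return visited
    visited.add(group)
    for member in directory.get(group, []):
        flat_groups_safe(member, directory, visited)
    return visited


def find_membership_cycle(directory: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return one cycle as a closed list of group names (first == last), or
    None if the membership graph is acyclic.  Iterative DFS with grey/black
    marking, so the check itself cannot overflow on a large directory."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in directory}
    for start in directory:
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        path: List[str] = [start]
        iters = [iter(directory.get(start, []))]
        while path:
            nxt = next(iters[-1], None)
            if nxt is None:                      # all members of path[-1] done
                colour[path.pop()] = BLACK
                iters.pop()
                continue
            if colour.get(nxt, WHITE) == GREY:   # back edge: cycle found
                return path[path.index(nxt):] + [nxt]
            if colour.get(nxt, WHITE) == WHITE:
                colour[nxt] = GREY
                path.append(nxt)
                iters.append(iter(directory.get(nxt, [])))
    return None


def naive_overflows(group: str, directory: Dict[str, List[str]]) -> bool:
    """True if the unguarded flattener blows the stack for this directory."""
    try:
        flat_groups_naive(group, directory)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    print("naive overflows on cyclic directory:",
          naive_overflows("ovirt_admins", GROUPS_WITH_CYCLE))
    print("safe flattening of ovirt_admins:",
          sorted(flat_groups_safe("ovirt_admins", GROUPS_WITH_CYCLE)))
    print("cycle reported:", find_membership_cycle(GROUPS_WITH_CYCLE))
    print("after workaround:", find_membership_cycle(GROUPS_ACYCLIC))
```

Running the cycle check against a directory export before rolling out group-based roles flags the loop that otherwise only shows up as an engine stack overflow at login.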

Comment 16 Ondra Machacek 2016-02-18 12:40:38 UTC
I was able to reproduce this also on the latest 3.5.

Comment 17 Martin Perina 2016-02-19 11:11:03 UTC
The master fix will be a bit different and ready next week, but we need this to get into the last 3.6.3 build.

Comment 18 Ondra Machacek 2016-02-25 11:11:46 UTC
I've successfully logged in with a user with nested groups which also has a group recursion loop.

Dan, can you please try if it works for you as well? Thanks.

Comment 19 Dan Lavu 2016-02-25 11:38:57 UTC
Ondra,

Is it up on Fedora, or do I need to get it from the nightly builds? But certainly I will test.