Bug 1484831

Summary: oadm groups prune does not find groups when using whitelist
Product: OpenShift Container Platform Reporter: Bruno Andrade <bandrade>
Component: apiserver-authAssignee: Mo <mkhan>
Status: CLOSED ERRATA QA Contact: Chuan Yu <chuyu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.4.0CC: aos-bugs, chuyu, hgomes, mkhan, wsun
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: The LDAP sync/prune command did not take into account the use of groupUIDNameMapping with a whitelist. Consequence: The sync/prune command would fail with "group not found" errors because it would query for the wrong group name. Fix: The command was updated to take groupUIDNameMapping into account when using a whitelist. Result: The command queries for the correct group name when groupUIDNameMapping and a whitelist are used together.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:08:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bruno Andrade 2017-08-24 11:43:05 UTC 
Description of problem:


It seems that Openshift tries to find the group by name instead of search by openshift.io/ldap.uid when pruning


Version-Release number of selected component (if applicable):
3.4.0

How reproducible:

I'm using the following scenario to reproduce it:

http://tcms-openshift.rhcloud.com/case/4060/

aad_config.yaml

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.1.111:389
insecure: true
groupUIDNameMapping:
  cn=group1,ou=groups,ou=adextended,dc=example,dc=com: tc509127group1
  cn=group2,ou=groups,ou=adextended,dc=example,dc=com: tc509127group2
  cn=group3,ou=groups,ou=adextended,dc=example,dc=com: tc509127group3
augmentedActiveDirectory:
    usersQuery:
        baseDN: "ou=people,ou=adextended,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=inetOrgPerson)
    groupMembershipAttributes: [ testMemberOf ]
    userNameAttributes: [ mail ]
    groupsQuery:
        baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
        scope: sub
        derefAliases: never
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]


- whitelist
cn=group1,ou=groups,ou=adextended,dc=example,dc=com

$ oadm groups sync --sync-config=aad_config.yaml --whitelist=whitelist --confirm
group/tc509127group1

$ oc describe group/tc509127group1
Name:		tc509127group1
Namespace:	<none>
Created:	4 minutes ago
Labels:		openshift.io/ldap.host=192.168.1.111
Annotations:	openshift.io/ldap.sync-time=2017-08-23T18:24:48-0400
		openshift.io/ldap.uid=cn=group1,ou=groups,ou=adextended,dc=example,dc=com
		openshift.io/ldap.url=192.168.1.111:389
Users:		person1smith
           	person2smith
           	person3smith
           	person4smith
           	person5smith

$ oadm groups prune --sync-config=aad_config.yaml --whitelist=whitelist 
groups "cn=group1,ou=groups,ou=adextended,dc=example,dc=com" not found

It seems that Openshift tries to find the group by name instead of search by openshift.io/ldap.uid

Therefore the command runs successfully without the whitelist param

$ oadm groups prune --sync-config=aad_config.yaml --loglevel=4
I0823 18:28:13.891783   44961 grouppruner.go:45] LDAPGroupPruner listing groups to prune with &{map[] 0xc4202c4090 192.168.1.111:389 map[]}
I0823 18:28:13.893489   44961 grouppruner.go:51] LDAPGroupPruner will attempt to prune ldapGroupUIDs [cn=group1,ou=groups,ou=adextended,dc=example,dc=com]
I0823 18:28:13.893510   44961 grouppruner.go:54] Checking LDAP group cn=group1,ou=groups,ou=adextended,dc=example,dc=com
I0823 18:28:13.894145   44961 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" and scope 0 for (objectClass=*) requesting [cn dn]
I0823 18:28:13.894904   44961 query.go:245] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" 
I0823 18:28:13.894937   44961 query.go:198] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" for (objectClass=*)
I0823 18:28:13.895574   44961 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="ou=people,ou=adextended,dc=example,dc=com" and scope 2 for (&((objectclass=inetOrgPerson))(testMemberOf=cn=group1,ou=groups,ou=adextended,dc=example,dc=com)) requesting [mail testMemberOf]
I0823 18:28:13.897036   44961 query.go:245] found dn="cn=Person1,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:28:13.897063   44961 query.go:245] found dn="cn=Person2,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:28:13.897072   44961 query.go:245] found dn="cn=Person3,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:28:13.897079   44961 query.go:245] found dn="cn=Person4,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:28:13.897087   44961 query.go:245] found dn="cn=Person5,ou=people,ou=adextended,dc=example,dc=com"

In order to confirm that the prune is trying to search the group by name, I did the following:

$ oc delete groups --all
group "tc509127group1" deleted

aad_config.yaml - commented groupUIDNameMapping group1 and changed groupNameAttributes to "dn"

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.1.111:389
insecure: true
groupUIDNameMapping:
#  cn=group1,ou=groups,ou=adextended,dc=example,dc=com: tc509127group1
  cn=group2,ou=groups,ou=adextended,dc=example,dc=com: tc509127group2
  cn=group3,ou=groups,ou=adextended,dc=example,dc=com: tc509127group3
augmentedActiveDirectory:
    usersQuery:
        baseDN: "ou=people,ou=adextended,dc=example,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=inetOrgPerson)
    groupMembershipAttributes: [ testMemberOf ]
    userNameAttributes: [ mail ]
    groupsQuery:
        baseDN: "ou=groups,ou=adextended,dc=example,dc=com"
        scope: sub
        derefAliases: never
    groupUIDAttribute: dn
    groupNameAttributes: [ dn ]


$oadm groups sync --sync-config=aad_config.yaml --whitelist=whitelist --confirm
group/cn=group1,ou=groups,ou=adextended,dc=example,dc=com

Then the prune runs without problems:

$oadm groups prune --sync-config=aad_config.yaml --whitelist=whitelist --confirm --loglevel=4

I0823 18:45:34.902337   46543 grouppruner.go:45] LDAPGroupPruner listing groups to prune with &{[cn=group1,ou=groups,ou=adextended,dc=example,dc=com] map[] 0xc42069c0a0 192.168.1.111:389 map[]}
I0823 18:45:34.903940   46543 grouppruner.go:51] LDAPGroupPruner will attempt to prune ldapGroupUIDs [cn=group1,ou=groups,ou=adextended,dc=example,dc=com]
I0823 18:45:34.903960   46543 grouppruner.go:54] Checking LDAP group cn=group1,ou=groups,ou=adextended,dc=example,dc=com
I0823 18:45:34.904671   46543 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" and scope 0 for (objectClass=*) requesting [dn]
I0823 18:45:34.905556   46543 query.go:245] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" 
I0823 18:45:34.905593   46543 query.go:198] found dn="cn=group1,ou=groups,ou=adextended,dc=example,dc=com" for (objectClass=*)
I0823 18:45:34.906253   46543 query.go:228] searching LDAP server with config {Scheme: ldap Host: 192.168.1.111:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="ou=people,ou=adextended,dc=example,dc=com" and scope 2 for (&((objectclass=inetOrgPerson))(testMemberOf=cn=group1,ou=groups,ou=adextended,dc=example,dc=com)) requesting [mail testMemberOf]
I0823 18:45:34.907548   46543 query.go:245] found dn="cn=Person1,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:45:34.907570   46543 query.go:245] found dn="cn=Person2,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:45:34.907576   46543 query.go:245] found dn="cn=Person3,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:45:34.907580   46543 query.go:245] found dn="cn=Person4,ou=people,ou=adextended,dc=example,dc=com" 
I0823 18:45:34.907585   46543 query.go:245] found dn="cn=Person5,ou=people,ou=adextended,dc=example,dc=com" 


Actual results:

groups "cn=group1,ou=groups,ou=adextended,dc=example,dc=com" not found


Expected results:

Search the group correctly and run the prune command withou problems
Comment 1 Jordan Liggitt 2017-08-24 17:07:14 UTC 
looks like the whitelist needs to run through the mapping transformation if present
Comment 2 Mo 2017-09-06 23:47:05 UTC 
As a temporary workaround, the customer could create a second whitelist with the mapped values:

tc509127group1
tc509127group2
tc509127group3

This would allow for normal use of the prune command.
Comment 3 Simo Sorce 2017-09-11 14:27:18 UTC 
moving to Mo, only because he has a PR almost ready to go, can be moved to others as necessary
Comment 4 Mo 2017-09-12 20:03:08 UTC 
https://github.com/openshift/origin/pull/16071
Comment 5 Mo 2017-09-13 22:11:06 UTC 
The PR is merged into 3.7 master.
Comment 6 Chuan Yu 2017-09-18 08:00:54 UTC 
Verified with lastest 3.7 build, search the group correctly and run the prune command withou problems.

# openshift version
openshift v3.7.0-0.126.4
kubernetes v1.7.0+80709908fd
etcd 3.2.1
Comment 9 errata-xmlrpc 2017-11-28 22:08:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188