Bug 1488505
| Field | Value |
|---|---|
| Summary | OpenID extra parameters not being added to the authorization token request when openshift_master_identity_providers ansible variable is set |
| Product | OpenShift Container Platform |
| Component | Installer |
| Version | 3.5.0 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | David Caldwell <dcaldwel> |
| Assignee | Steve Milner <smilner> |
| QA Contact | Gaoyun Pei <gpei> |
| CC | aos-bugs, boliveir, erich, jokerman, jpazdziora, mkhan, mmccomas, sdodson |
| Target Release | 3.7.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2017-11-28 22:09:17 UTC |

Doc Text:

Cause: Input for include_granted_scopes, which was expected to become a single-quoted bool string, was instead being interpreted and written to file incorrectly.

Consequence: The resulting configuration file could have the wrong value for include_granted_scopes.

Fix: Removal of a code block which attempted to interpret the input for include_granted_scopes.

Result: Input that is expected to land via include_granted_scopes passes to the master-config.yml as expected.
I believe this was already fixed here https://github.com/openshift/openshift-ansible/pull/2896

Created attachment 1322402 [details]
Patch for include_granted_scopes

> OCP to recognize true (without double quotes) as a proper value for the include_granted_scopes variable

This is not possible as it would require a breaking API change, and in general is incorrect (it is a map of string to string with no meaning to OpenShift, and thus OpenShift should not try to interpret it in any way and must simply pass it along). I am surprised that it does not raise an error such as "unrecognized type: string" though (this is what you get if you try to put a bool in a string field). https://github.com/openshift/openshift-ansible/pull/2896 needs to be updated to fix the ansible error.

(In reply to Mo from comment #4)
> https://github.com/openshift/openshift-ansible/pull/2896 needs to be updated
> to fix the ansible error.

Not sure which ansible error you have in mind but I gave it a try with https://github.com/openshift/openshift-ansible/pull/5350 now.

I do not understand why ansible needs to do anything special here at all. The value is a string, so why are we parsing it and then turning it back into a string? Why not simply pass it through?

The patch doesn't apply to master. I'll rebase it and open a new PR.

There is an alternate PR at https://github.com/openshift/openshift-ansible/pull/5350

We're running with https://github.com/openshift/openshift-ansible/pull/5350 as the PR of choice.

The PR was merged but I'm not happy with the result -- please see https://github.com/openshift/openshift-ansible/issues/2454#issuecomment-329101226 and subsequent comments.

Third PR option opened: https://github.com/openshift/openshift-ansible/pull/5427

Verify this bug with openshift-ansible-3.7.0-0.128.0.git.0.89dcad2.el7.noarch.rpm

With the following option set in ansible inventory file:

```
openshift_master_identity_providers=[{"name": "companyokta", "login": "true", "challenge": "false", "mappingMethod": "claim", "kind": "OpenIDIdentityProvider", "client_id": "xxx", "client_secret": "xxx", "extraAuthorizeParameters" : {"include_granted_scopes": "true"}, "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://test.com/oauth2/v1/authorize", "token": "https://test.com/oauth2/v1/token", "userInfo": "https://test.com/oauth2/v1/userinfo"} }]
```

After installation, check master config file:

```yaml
oauthConfig:
  ...
    extraAuthorizeParameters:
      include_granted_scopes: 'true'
```

When installing env with an early version - openshift-ansible-3.7.0-0.126.0.git.0.33d254a.el7.noarch.rpm, it's configured as:

```yaml
oauthConfig:
  ...
    extraAuthorizeParameters:
      include_granted_scopes: true
```

And master service failed to start due to "Invalid MasterConfig /etc/origin/master/master-config.yaml".

So move this bug to verified.

Added doc text

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188
Description of problem:

When setting OpenID with extra parameters (include_granted_scopes: "true") within the ansible inventory file (using variable openshift_master_identity_providers), the "true" value is taken as true (without quotes) as outcome. This causes OpenShift not to retrieve all the sub fields for the users.

As a test, when you set it manually within the master-config.yaml with the proper format (include_granted_scopes: "true", enclosed between double quotes), it works:

```yaml
identityProviders:
- challenge: false
  login: true
  mappingMethod: claim
  name: companyokta
  provider:
    apiVersion: v1
    claims:
      email:
      - email
      id:
      - sub
      name:
      - name
      preferredUsername:
      - preferred_username
    clientID: xxx
    clientSecret: xxx
    extraAuthorizeParameters:
      include_granted_scopes: "true"
    kind: OpenIDIdentityProvider
    urls:
      authorize: https://<url>.com/oauth2/v1/authorize
      token: https://<url>.com/oauth2/v1/token
      userInfo: https://<url>.com/oauth2/v1/userinfo
```

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible: 100%

Steps to Reproduce:

1. Set openshift_master_identity_providers as follows:

```
openshift_master_identity_providers=[{"name": "companyokta", "login": "true", "challenge": "false", "mappingMethod": "claim", "kind": "OpenIDIdentityProvider", "client_id": "xxx", "client_secret": "xxx", "extraAuthorizeParameters" : {"include_granted_scopes": "true"}, "claims": {"id": ["sub"], "preferredUsername": ["preferred_username"], "name": ["name"], "email": ["email"]}, "urls": {"authorize": "https://<url>.com/oauth2/v1/authorize", "token": "https://<url>.com/oauth2/v1/token", "userInfo": "https://<url>.com/oauth2/v1/userinfo"} }]
```

2. Run the installer

Actual results:

```
➜ ~ oc get identities
NAME                               IDP NAME      IDP USER NAME           USER NAME                 USER UID
companyokta:00u11e13mwxxxxxx       companyokta   00u11e13mwNM1xxxxxx     myemailaddress.uk         4380c342-7603-11e7-bb8b-xxxxxx
companyokta:00u14da2xxxxxxxx       companyokta   00u14da2dbitr4xxxxxx    00u14da2xxxxxxx43TR0i7    8999013b-8e30-11e7-a0e2-xxxxx
```

On the first line, under USER NAME, you see the email of the user authenticated for the first time while openshift had the right configuration ("true" with quotes). On the second line you see instead another user authenticated using the configuration provisioned by ansible (true without quotes).

Expected results: OCP to recognize true (without double quotes) as a proper value for the include_granted_scopes variable.

Additional info: https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master_facts/filter_plugins/openshift_master.py#L383-L386
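The mechanism behind this bug, as an added example that is not code from openshift-ansible or OpenShift: a hypothetical stand-in for the removed filter-plugin block coerces the inventory string "true" to a Python bool, the YAML emitter then writes it bare, and a string-only type check of the kind the master applies to extraAuthorizeParameters flags it; the pass-through variant keeps the value quoted. The inventory input is constructed from the report.

```python
from typing import Any, Dict, List, Mapping

# Constructed input, mirroring the extraAuthorizeParameters map in the bug report.
INVENTORY_EXTRA_PARAMS: Dict[str, Any] = {"include_granted_scopes": "true"}

BOOL_WORDS = ("true", "false")


def coerce_like_buggy_filter(params: Mapping[str, Any]) -> Dict[str, Any]:
    """Hypothetical stand-in for the removed filter block: strings that spell a
    boolean are turned into Python bools, which YAML later renders unquoted."""
    out: Dict[str, Any] = {}
    for key, value in params.items():
        if isinstance(value, str) and value.lower() in BOOL_WORDS:
            out[key] = value.lower() == "true"
        else:
            out[key] = value
    return out


def pass_through(params: Mapping[str, Any]) -> Dict[str, Any]:
    """The fix: the map is opaque to the installer, so values are copied untouched."""
    return dict(params)


def render_extra_params(params: Mapping[str, Any]) -> str:
    """Minimal YAML emitter for the flat map, indented as it sits under 'provider:'.
    Like PyYAML, it single-quotes strings that would otherwise read as booleans."""
    lines = ["    extraAuthorizeParameters:"]
    for key, value in params.items():
        if isinstance(value, bool):
            rendered = "true" if value else "false"
        elif isinstance(value, str):
            rendered = f"'{value}'" if value.lower() in BOOL_WORDS else value
        else:
            raise TypeError(f"unsupported type for {key}: {type(value).__name__}")
        lines.append(f"      {key}: {rendered}")
    return "\n".join(lines)


def validate_extra_params(params: Mapping[str, Any]) -> List[str]:
    """Master-side style check: every value must be a string. Returns the list of
    errors; an empty list means the fragment would be accepted."""
    return [
        f"extraAuthorizeParameters[{k!r}]: expected string, got {type(v).__name__}"
        for k, v in params.items()
        if not isinstance(v, str)
    ]


if __name__ == "__main__":
    for label, fn in (("buggy", coerce_like_buggy_filter), ("fixed", pass_through)):
        rendered = fn(INVENTORY_EXTRA_PARAMS)
        print(f"# {label}\n{render_extra_params(rendered)}")
        print("errors:", validate_extra_params(rendered) or "none")
```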