Bug 1517333

Summary: 'pcs cluster auth' fails if an empty nodelist is configured in corosync
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Jelinek <tojeline>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA QA Contact: cluster-qe <cluster-qe>
Severity: low Docs Contact:
Priority: low    
Version: 7.5CC: cfeist, cluster-maint, idevat, omular, rsteiger, tojeline
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.9.165-1.el7 Doc Type: Bug Fix
Doc Text:
Cause: The user runs 'pcs cluster auth' in a situation when corosync.conf exists but does not list any nodes due to it being edited by other means than pcs. Consequence: Pcs reports success, however nodes are not authenticated. Fix: If no nodes are defined in corosync.conf, save auth tokens on the local node only. Do not send them to an empty list of nodes. Result: 'pcs cluster auth' works.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 08:05:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
proposed fix none

Description Tomas Jelinek 2017-11-24 15:41:02 UTC 
Description of problem:
* [nodeA]# pcs cluster auth nodeB nodeC
* pcs connects to nodes and authenticates without an issue
* if corosync is not configured on nodeA, pcs saves tokens to a file
* if corosync is configured on nodeA, pcs gets its nodelist and sends token to nodes in the nodelist
* if the nodelist is empty, tokens are discarded, which means nodes are not authenticated -> bug


How reproducible:
always, easily


Steps to Reproduce:
1. setup corosync with an empty nodelist
2. pcs cluster auth


Actual results:
nodes not authenticated


Expected results:
nodes or at least the local node authenticated
Comment 1 Tomas Jelinek 2017-12-13 14:24:15 UTC 
Created attachment 1367416 [details]
proposed fix

Pcs always populates nodelist in corosync.conf so usually there should not be any issue. However, corrupted or manually edited corosync.conf should not cause that 'pcs cluster auth' does not work.

Test:
1. Remove or empty nodelist in /etc/corosync/corosync.conf on all nodes you want to authenticate (rh74-node1 rh74-node2).
2. Remove auth tokens on all nodes: pcs pcsd clear-auth
3. Authenticate the nodes: pcs cluster auth rh74-node1 rh74-node2
4. Check nodes status: pcs status pcsd rh74-node1 rh74-node2

Before fix:
# pcs status pcsd rh74-node1 rh74-node2                               
  rh74-node2: Unable to authenticate
  rh74-node1: Unable to authenticate
Nodes not authenticated even though 'pcs cluster auth' reported otherwise.

After fix:
# pcs status pcsd rh74-node1 rh74-node2
  rh74-node1: Online
  rh74-node2: Online
Comment 3 Ivan Devat 2018-06-22 12:15:24 UTC 
After Fix:

[ant ~] $ rpm -q pcs pcs-snmp
pcs-0.9.165-1.el7.x86_64
pcs-snmp-0.9.165-1.el7.x86_64


[ant ~] $ cat /etc/corosync/corosync.conf|grep nodelist
[ant ~] $ pcs pcsd clear-auth
[ant ~] $ pcs cluster auth ant bee
Username: hacluster
Password:
ant: Authorized
bee: Authorized
[ant ~] $ pcs status pcsd ant bee
  ant: Online
  bee: Online
Comment 7 errata-xmlrpc 2018-10-30 08:05:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3066