Bug 1531626

Summary: Auth MIQLDAP AD - SSUI - Trouble logging into SSUI with group that has Accent Marks in group name.
Product: Red Hat CloudForms Management Engine Reporter: Matt Pusateri <mpusater>
Component: UI - ServiceAssignee: Ohad Levy <ohadlevy>
Status: CLOSED CURRENTRELEASE QA Contact: Matt Pusateri <mpusater>
Severity: medium Docs Contact:
Priority: high    
Version: 5.9.0 CC: awight, bascar, cpelland, dclarizi, gtanzill, lavenel, mpusater, obarenbo, yrudman
Target Milestone: GA Keywords: Regression, TestOnly
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: auth:miqldap:ad:openldap
Fixed In Version: 5.10.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1536047 (view as bug list) Environment:
Last Closed: 2018-06-21 20:45:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1536047    

Description Matt Pusateri 2018-01-05 16:49:32 UTC
Description of problem:
Trouble logging into SSUI with group that has accent marks in group name. "SR-APP-EPM-Membre-équipe" is the group name. Authentication is successful, authorization looks successful, but in evm.log we get:  "[----] W, [2018-01-05T11:33:39.394991 #13219:dead28]  WARN -- : MIQ(Authenticator::Ldap#groups_for) Required key not specified: [basedn] (from Authenticator#user_proxy_membership)"  Login screen shows no errors, just sits there, and eventually gives the Apache HTTP authentication dialogue box. - 5.9.0.15 Regression.

Version-Release number of selected component (if applicable):
5.9.0.15

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP for AD or OpenLDAP
2. Have a user who is a member of a group with accent marks like "SR-APP-EPM-Membre-équipe". User's role was EvmRole-user_self_service, which should have SSUI perms.
3. Logging into classic UI works and groups can be switched. Logging into SSUI, the login screen does not come up and no error is returned to the user (though there shouldn't be an error); eventually you get the Apache HTTP Authentication dialogue box.

Actual results:
User cannot log in.

Expected results:
User should be able to log in. 

Additional info:
[----] I, [2018-01-05T11:33:38.821354 #13219:dead28]  INFO -- : MIQ(MiqLdap#initialize) Server Settings: {:basedn=>"DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_dn=>"CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_pwd=>"********", :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["10.16.4.75"], :ldapport=>"389", :mode=>"ldap", :search_timeout=>30, :user_suffix=>"ad.cloudqe.bos.redhat.com", :user_type=>"userprincipalname", :amazon_key=>nil, :amazon_secret=>nil, :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{:bind_dn=>"CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_pwd=>"********", :ldapport=>"389", :mode=>"ldap", :group_memberships_max_depth=>2}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>true}
[----] I, [2018-01-05T11:33:38.821462 #13219:dead28]  INFO -- : MiqLdap.connection: Connecting to IP Address [10.16.4.75]
[----] I, [2018-01-05T11:33:38.852532 #13219:dead28]  INFO -- : options: {:auth=>{:basedn=>"DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_dn=>"CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_pwd=>"********", :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["10.16.4.75"], :ldapport=>"389", :mode=>"ldap", :search_timeout=>30, :user_suffix=>"ad.cloudqe.bos.redhat.com", :user_type=>"userprincipalname", :amazon_key=>nil, :amazon_secret=>nil, :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{:bind_dn=>"CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com", :bind_pwd=>"********", :ldapport=>"389", :mode=>"ldap", :group_memberships_max_depth=>2}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>true}, :host=>"10.16.4.75", :port=>"389"}
[----] I, [2018-01-05T11:33:38.852756 #13219:dead28]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com]...
[----] I, [2018-01-05T11:33:38.916174 #13219:dead28]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [CN=Administrator,CN=Users,DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com]... successful
[----] I, [2018-01-05T11:33:38.916554 #13219:dead28]  INFO -- : MIQ(MiqLdap#get_user_object) Type: [userprincipalname], Base DN: [DC=ad,DC=cloudqe,DC=bos,DC=redhat,DC=com], Filter: <(userprincipalname=test-user5.bos.redhat.com)>
[----] W, [2018-01-05T11:33:39.394991 #13219:dead28]  WARN -- : MIQ(Authenticator::Ldap#groups_for) Required key not specified: [basedn] (from Authenticator#user_proxy_membership)
[----] I, [2018-01-05T11:33:39.424626 #13219:dead28]  INFO -- : MIQ(Authenticator::Ldap#authorize) Authorized User: [test-user5.bos.redhat.com]
[----] I, [2018-01-05T11:33:39.424905 #13219:dead28]  INFO -- : MIQ(MiqTask#update_status) Task: [46] [Finished] [Ok] [User authorized successfully]
[----] I, [2018-01-05T11:33:39.432206 #13219:dead28]  INFO -- : <AuditSuccess> MIQ(Base.authenticate) userid: [test-user5] - Authentication successful for user test-user5.bos.redhat.com

Comment 3 Loic Avenel 2018-01-08 16:59:58 UTC
I did reproduce the issue without MiqLdap by creating groups with accents in CF and assigning a user to these groups. OPS UI works, SUI fails.

Comment 4 Allen W 2018-01-08 23:10:16 UTC
Matt Loic, anyone have a machine ip? Would help get this one going faster :-)

Comment 5 Allen W 2018-01-09 13:35:29 UTC
Matt Loic, anyone have a machine ip? Would help get this one going faster :-)


Woops looks like I can't quite bugzilla today

Comment 6 Allen W 2018-01-09 13:43:10 UTC
Never mind, easy enough for me to recreate... our error is the following: 


GET http://localhost:3001/api/auth?requester_type=ws
`{"error":{"kind":"bad_request","message":"PG::CharacterNotInRepertoire: ERROR:  invalid byte sequence for encoding \"UTF8\": 0xe9 0x65 0x65\n: SELECT  \"miq_groups\".* FROM \"miq_groups\" INNER JOIN \"miq_groups_users\" ON \"miq_groups\".\"id\" = \"miq_groups_users\".\"miq_group_id\" WHERE \"miq_groups_users\".\"user_id\" = $1 AND \"miq_groups\".\"description\" = $2 LIMIT $3","klass":"ActiveRecord::StatementInvalid"}}`

Comment 7 Allen W 2018-01-09 13:52:43 UTC
and here's what our server is seeing: 

`[2018-01-09T08:49:48.073202 #8169] DEBUG -- :   MiqGroup Load (1.4ms)  SELECT  "miq_groups".* FROM "miq_groups" INNER JOIN "miq_groups_users" ON "miq_groups"."id" = "miq_groups_users"."miq_group_id" WHERE "miq_groups_users"."user_id" = $1 AND "miq_groups"."description" = $2 LIMIT $3  [["user_id", 10000000000015], ["description", "\xE9eeeeeeee\xEA"], ["LIMIT", 1]]
I, [2018-01-09T08:49:48.073989 #8169]  INFO -- : Completed 400 Bad Request in 7ms (Views: 0.2ms | ActiveRecord: 1.6ms)`


The rub is for the other call we do during login, `api?attributes=authorization`, we get 200, and it contains the correct group info `group:"éeeeeeeeeê"`.

Comment 8 Allen W 2018-01-09 14:02:27 UTC
Please forgive me Greg 😭 😏. Looks like the websockets auth request is mildly blowing up, this 400 halts SUI login, which otherwise has no problems completing (commented out the code that makes the call, login happens just fine).

Comment 9 Jillian Tullo 2018-01-16 21:22:54 UTC
Found the root cause of the issue - the MIQ_GROUP header is being translated to "SR-APP-EPM-Membre-\xE9quipe" from "SR-APP-EPM-Membre-équipe". Have verified (with the help of Allen) that the SUI is sending the correct value. Working on a fix!
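An added illustration of the failure described in this comment, not code from ManageIQ or from the fix PR: HTTP clients encode non-ASCII header characters as ISO-8859-1 (one byte, 0xE9, for "é"), and Rack hands header values to the application as binary-tagged strings, so the group name arrives as the single byte 0xE9 where a UTF-8 database expects 0xC3 0xA9. The header bytes below are constructed from the group name in the report rather than captured; `decode_header` is an assumed, illustrative decoding strategy and is not what the project's PR does.

```ruby
# Added example (not ManageIQ code): what a non-ASCII MIQ_GROUP header value
# looks like when it reaches a Rack app, why PostgreSQL rejects it, and one
# way to decode it safely.

GROUP_NAME = "SR-APP-EPM-Membre-équipe".freeze  # what the SUI meant to send

# Constructed header value, not captured from the bug report: the ISO-8859-1
# bytes a browser sends, tagged ASCII-8BIT the way Rack presents headers.
HEADER_AS_RECEIVED = GROUP_NAME.encode("ISO-8859-1").force_encoding("ASCII-8BIT").freeze

# Mimics the check behind PG::CharacterNotInRepertoire: a UTF8-encoded
# database rejects any parameter that is not a valid UTF-8 byte sequence.
def pg_accepts?(value)
  value.dup.force_encoding("UTF-8").valid_encoding?
end

# Naive handling: tag the bytes as UTF-8 without transcoding. The bytes are
# unchanged, so 0xE9 followed by "q" is still an invalid sequence and the
# query still fails.
def naive_decode(header)
  header.dup.force_encoding("UTF-8")
end

# Assumed decoding strategy (illustration only, not the project's fix):
# accept bytes that already form valid UTF-8; otherwise treat them as
# ISO-8859-1 (what HTTP clients use for obs-text) and transcode to UTF-8.
# Caveat: a Latin-1 value whose bytes happen to be valid UTF-8 is ambiguous
# and will be taken as UTF-8.
def decode_header(header)
  as_utf8 = header.dup.force_encoding("UTF-8")
  return as_utf8 if as_utf8.valid_encoding?

  header.dup.force_encoding("ISO-8859-1").encode("UTF-8")
end

if __FILE__ == $PROGRAM_NAME
  # Shows the same "\xE9quipe" form the comment above reports.
  puts "received bytes: #{HEADER_AS_RECEIVED.inspect}"
  puts "naive decode acceptable to PG? #{pg_accepts?(naive_decode(HEADER_AS_RECEIVED))}"
  decoded = decode_header(HEADER_AS_RECEIVED)
  puts "decoded: #{decoded} (matches original? #{decoded == GROUP_NAME})"
  # A client that already sends UTF-8 bytes must round-trip unchanged too.
  puts "utf-8 client round-trips? #{decode_header(GROUP_NAME.b) == GROUP_NAME}"
end
```

Run it with `ruby` and compare the inspected bytes with the "\xE9quipe" value in the comment above; the naive path reproduces the 400, the transcoding path yields the group name the API's `authorization` response already returns correctly.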

Comment 10 Allen W 2018-01-17 15:12:50 UTC
https://github.com/ManageIQ/manageiq-api/pull/287 is one darn good looking PR to fix this pickle!!

Comment 11 Allen W 2018-01-17 17:28:41 UTC
Ok but Jillian and I had another thought... what if we removed the offending header altogether? It's no longer used, group switching happens through the API... do we even need it?

https://github.com/ManageIQ/manageiq-ui-service/pull/1360