Bug 1743735

Summary: [GUI] 'pcs cluster auth' fails for remote cluster if local cluster exists and is not authenticated
Product: Red Hat Enterprise Linux 8 Reporter: Tomas Jelinek <tojeline>
Component: pcsAssignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA QA Contact: cluster-qe <cluster-qe>
Severity: unspecified Docs Contact:
Priority: high    
Version: 8.1CC: cfeist, cluster-maint, cluster-qe, idevat, jilal34845, mlisik, mmazoure, omular, rsteiger, tojeline
Target Milestone: rc   
Target Release: 8.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pcs-0.10.3-1.el8 Doc Type: Bug Fix
Doc Text:
Cause: The user is connected to pcs web UI running in a cluster whose nodes are not authenticated. Consequence: It is not possible to authenticate remote clusters in the web UI. Fix: Inform the user the local cluster nodes are not authenticated and ask for their password. Result: Once the local cluster is authenticated, it is possible to authenticate the remote cluster.
 Story Points: ---
Clone Of: 1264886
: 1762816 (view as bug list) Environment:
Last Closed: 2020-04-28 15:27:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1762816    
Attachments:
Description Flags
proposed fix none

Description Tomas Jelinek 2019-08-20 14:47:37 UTC 
+++ This bug was initially created as a clone of Bug #1264886 +++

> Description of problem:

If a local cluster exists on a pcsd GUI machine (i.e. the machine itself is part of any cluster) and this machine's pcsd is not authenticated to itself (i.e. to the local cluster), any authentication performed against any other remote cluster will fail.

This is because pcsd finds the local cluster configuration and fails on it's auth before the remote cluster is ever checked. 

If no local cluster exists or is authenticated properly, this problem doesn't happen. Performing local auth first can be used as a workaround.


> Version-Release number of selected component (if applicable):

pcs-0.9.143-9.el7


> How reproducible:

Always


> Steps to Reproduce:

1. Create local cluster and add it to GUI
2. Create remote cluster and add it to GUI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from GUI


> Actual results:

Auth fails.


> Expected results:

Auth passes.

--- Additional comment from Tomas Jelinek on 2019-06-14 16:12:32 CEST ---

In this case, authentication succeeds. The issue is tokens cannot be saved to the local cluster as the cluster nodes are not authenticated to each other. Pcsd backend needs to send a result of saving / synchronizing tokens (error/success, error messages) to JS frontend. JS frontend should display those messages in case of a failure.

CLI properly informs about the situation:
# pcs cluster auth rh69-node1
Username: hacluster
Password: 
rh69-node1: Authorized
Error: Unable to synchronize and save tokens on nodes: rh76-node1, rh76-node2. Are they authorized?
Comment 2 Tomas Jelinek 2019-10-15 11:57:28 UTC 
Created attachment 1625972 [details]
proposed fix

Test:
1. Create a local cluster and add it to web UI
2. Create a remote cluster and add it to web UI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from web UI
5. Web UI informs the user that the local cluster nodes are not authenticated and asks for their password
6. Once the local cluster is authenticated, it is possible to authenticate the remote cluster
Comment 3 Miroslav Lisik 2019-10-23 15:28:47 UTC 
After fix:

[root@r81-node-01 ~]# rpm -q pcs
pcs-0.10.3-1.el8.x86_64

1. Created and added clusters into GUI on node r81-node-01:
  * Cluster1: r81-node-01, r81-node-02
  * Cluster2: r81-node-03, r81-node-04
2. Removed file '/var/lib/pcsd/known-hosts' from node r81-node-01
3. Reloaded GUI page "MANAGE CLUSTERS" (it also reloads by itself after a few seconds)
4. Selected Cluster2 (the other cluster without the GUI node) in GUI on "MANAGE CLUSTER" page
There is informatien on the right side of the page:
Errors:
    Unable to connect to the cluster.
Warnings:
    GUI is not authorized against node(s) r81-node-01, r81-node-02
    There are few authentication problems. To fix them, click here.
5. Clicked on the "here" link
6. Dialog "Authentication of nodes" for Cluster2's nodes appeared.
7. Filled password for nodes
8. Clicked on Authenticate button
9. A dialog window appeared with message:
Unable to save new cluster settings as the local cluster nodes are not authenticated. Please, authenticate them as well
10. clicked OK
11. Another dialog windows appeared with message:
Authentication failed.
12. clicked OK.
13. Dialog "Authentication of nodes" for Cluster1's nodes appeared.
14. Filled password for the nodes
15. Clicked Authenticate.
16. Autentication succeeded
Comment 7 errata-xmlrpc 2020-04-28 15:27:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1568
Comment 8 Preston Silva 2023-02-19 10:46:10 UTC Comment hidden (spam)