Bug 1762816

Summary: New web UI - cluster auth fails for remote cluster if local cluster exists and is not authenticated
Product: Red Hat Enterprise Linux 8
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Ivan Devat <idevat>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: unspecified
Docs Contact: Steven J. Levine <slevine>
Priority: high
Version: 8.1
CC: cfeist, cluster-maint, cluster-qe, idevat, lmanasko, mlisik, mmazoure, mpospisi, nhostako, omular, rsteiger, tojeline
Target Milestone: rc
Keywords: TechPreview
Target Release: 8.4
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcs-0.10.8-1.el8
Doc Type: Bug Fix
Doc Text:
Cause: The user is connected to pcs web UI running in a cluster whose nodes are not authenticated.
Consequence: It is not possible to authenticate remote clusters in the web UI.
Fix: Inform the user the local cluster nodes are not authenticated and ask for their password.
Result: Once the local cluster is authenticated, it is possible to authenticate the remote cluster.
Clone Of: 1743735
Last Closed: 2021-05-18 15:12:05 UTC
Type: Bug
Bug Depends On: 1743735
Bug Blocks: 1552470, 1996067, 1999014

Description Tomas Jelinek 2019-10-17 14:42:22 UTC
+++ This bug was initially created as a clone of Bug #1743735 +++

+++ This bug was initially created as a clone of Bug #1264886 +++

> Description of problem:

If a local cluster exists on a pcsd GUI machine (i.e. the machine itself is part of any cluster) and this machine's pcsd is not authenticated to itself (i.e. to the local cluster), any authentication performed against any other remote cluster will fail.

This is because pcsd finds the local cluster configuration and fails on its auth before the remote cluster is ever checked.

If no local cluster exists or is authenticated properly, this problem doesn't happen. Performing local auth first can be used as a workaround.


> Version-Release number of selected component (if applicable):

pcs-0.9.143-9.el7


> How reproducible:

Always


> Steps to Reproduce:

1. Create local cluster and add it to GUI
2. Create remote cluster and add it to GUI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from GUI


> Actual results:

Auth fails.


> Expected results:

Auth passes.

--- Additional comment from Tomas Jelinek on 2019-06-14 16:12:32 CEST ---

In this case, authentication succeeds. The issue is tokens cannot be saved to the local cluster as the cluster nodes are not authenticated to each other. Pcsd backend needs to send a result of saving / synchronizing tokens (error/success, error messages) to JS frontend. JS frontend should display those messages in case of a failure.

CLI properly informs about the situation:
# pcs cluster auth rh69-node1
Username: hacluster
Password: 
rh69-node1: Authorized
Error: Unable to synchronize and save tokens on nodes: rh76-node1, rh76-node2. Are they authorized?
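
Added example, not part of the original report and not pcs code: a sketch of the frontend decision the comment above asks for, keeping "node authentication succeeded" separate from "tokens were saved and synchronized". The function name and the response fields (nodeAuth, tokenSync, unauthenticatedLocalNodes, error) are hypothetical, and the sample responses are constructed.

```javascript
// Added example: the response shape is hypothetical, not the pcsd API.
// Decide what the UI shows after an "authenticate nodes" request.
function planAuthFollowUp(response) {
  const nodeAuth = response.nodeAuth || {};
  const failed = Object.keys(nodeAuth)
    .filter((node) => nodeAuth[node] !== "ok")
    .sort();

  // Case 1: the credentials for the requested nodes were rejected.
  if (failed.length > 0) {
    return { state: "retry-target", nodes: failed,
             message: "Authentication failed for: " + failed.join(", ") };
  }

  // Case 2: credentials accepted, but the tokens could not be saved
  // because the local cluster nodes are not authenticated to each other.
  // A missing sync result is treated as a failure, never as success.
  const sync = response.tokenSync;
  if (!sync || sync.ok !== true) {
    const local = ((sync && sync.unauthenticatedLocalNodes) || []).slice().sort();
    if (local.length > 0) {
      return { state: "need-local-auth", nodes: local,
               message: "Unable to save new cluster settings; " +
                        "authenticate local nodes: " + local.join(", ") };
    }
    return { state: "sync-error", nodes: [],
             message: (sync && sync.error) || "Token synchronization result missing" };
  }
  return { state: "done", nodes: [], message: "Nodes authenticated and tokens saved" };
}

// Constructed responses mirroring the scenario in this report.
const samples = {
  localUnauthenticated: {
    nodeAuth: { "virt-059": "ok" },
    tokenSync: { ok: false, unauthenticatedLocalNodes: ["virt-058"] },
  },
  allGood: { nodeAuth: { "virt-059": "ok", "virt-058": "ok" }, tokenSync: { ok: true } },
  badPassword: { nodeAuth: { "virt-059": "bad_password" }, tokenSync: { ok: true } },
  noSyncResult: { nodeAuth: { "virt-059": "ok" } },
};

for (const [name, resp] of Object.entries(samples)) {
  console.log(name, "->", planAuthFollowUp(resp).state);
}
```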

Comment 1 Tomas Jelinek 2019-10-17 14:45:03 UTC
In bz1743735, the bug got fixed in web UI backend and current web UI frontend. The purpose of this bz is to fix the new web UI.

Comment 14 Michal Mazourek 2021-02-05 09:21:44 UTC
BEFORE:
=======

[root@virt-031 ~]# rpm -q pcs
pcs-0.10.7-3.el8.x86_64


## Create 2 clusters, local & remote

[root@virt-031 ~]# pcs cluster setup local virt-031 --start --wait
{...}
[root@virt-032 ~]# pcs cluster setup remote virt-032 --start --wait
{...}


## web ui steps

1. Open new web UI: https://virt-031.cluster-qe.lab.eng.brq.redhat.com:2224/ui/
2. Log in
3. Click 'Add existing cluster' and proceed with adding the local and remote clusters
4. Remove tokens on the node from the local cluster
	[root@virt-031 ~]# rm /var/lib/pcsd/known-hosts
5. Click on remote cluster
6. Error message "Warning alert:Not authorized against node(s) virt-032"
7. The same problem on local cluster: "Not authorized against node(s) virt-031"

> No possibility to auth against nodes now


AFTER:
======

[root@virt-058 ~]# rpm -q pcs
pcs-0.10.8-1.el8.x86_64


## Create 2 clusters, local & remote

[root@virt-058 ~]# pcs cluster setup local virt-058 --start --wait
{...}
[root@virt-059 ~]# pcs cluster setup remote virt-059 --start --wait
{...}


## web ui steps

1. Open new web UI: https://virt-058.cluster-qe.lab.eng.brq.redhat.com:2224/ui/
2. Log in
3. Click 'Add existing cluster' and proceed with adding the local and remote clusters
4. Remove tokens on the node from the local cluster
	[root@virt-058 ~]# rm /var/lib/pcsd/known-hosts
5. Click on remote cluster
6. Error message: 
	Cluster is not authenticated against nodes
	Unauthenticated nodes: virt-059 

7. There is a new button "Fix authentication"
8. Specify Password and optional Address
9. Click 'Authenticate'
10. The process needs to authenticate local cluster as well:
	Authentication node error
	Unable to save new cluster settings as the local cluster nodes (virt-058) are not authenticated. Please, authenticate them as well.
11. Specify Password for the local cluster as well (and optional Address)
12. Click 'Authenticate'
	Nodes sucessfully authenticated
	Nodes virt-059, virt-058 has been sucessfully authenticated.
13. Both clusters are authenticated again

> It is now possible to fix authentication in the new web UI

Note: There is a typo in 'sucessfully', will be resolved in RHEL 8.5


Marking as VERIFIED for pcs-0.10.8-1.el8

Comment 16 errata-xmlrpc 2021-05-18 15:12:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1737