Bug 1894800
| Summary: | IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sunny Wu <suwu> | |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.3 | CC: | abokovoy, ksiddiqu, ndehadra, pasik, rcritten, ssidhaye, tmihinto, tscherf | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ | |
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.9.0-0.1.rc1 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1895910 | Environment: | ||
| Last Closed: | 2021-05-18 15:48:22 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1895910 | |||
Description
Sunny Wu
2020-11-05 05:45:28 UTC
Please force-refresh the Web UI in your browser. Maybe even clean the cookies. It looks like the browser caches the Web UI pages aggressively.

The idoverride-memberof.js is not needed anymore and is not referenced anywhere in the Web UI. Functionality provided by this plugin was merged into RHEL IdM itself.

Note that the workaround
---------------------------
3. Workaround
- A workaround is to re-create ("touch") an empty file:
- /usr/share/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js
---------------------------
is simply wrong.
There is nothing in IPA itself that requires this plugin code. What is happening, I think, is caching of JavaScript data on the browser side.

ipa-idoverride-memberof-plugin has been removed, but it is not cleaned up properly.

    # rpm -qa | grep -E "(ipa-idoverride-memberof|ipa-server-trust-ad)"
    ipa-server-trust-ad-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64

    # curl -v https://node-0.suwuipa1.lab.pnq2.cee.redhat.com/ipa/ui/js/freeipa/plugins.js?40807
    * Trying 10.74.179.178...
    * TCP_NODELAY set
    * Connected to node-0.suwuipa1.lab.pnq2.cee.redhat.com (10.74.179.178) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, [no content] (0):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    * subject: O=SUWUIPA1.LAB.PNQ2.CEE.REDHAT.COM; CN=node-0.suwuipa1.lab.pnq2.cee.redhat.com
    * start date: Nov 5 03:39:55 2020 GMT
    * expire date: Nov 6 02:39:55 2022 GMT
    * subjectAltName: host "node-0.suwuipa1.lab.pnq2.cee.redhat.com" matched cert's "node-0.suwuipa1.lab.pnq2.cee.redhat.com"
    * issuer: O=SUWUIPA1.LAB.PNQ2.CEE.REDHAT.COM; CN=Certificate Authority
    * SSL certificate verify ok.
    * TLSv1.3 (OUT), TLS app data, [no content] (0):
    > GET /ipa/ui/js/freeipa/plugins.js?40807 HTTP/1.1
    > Host: node-0.suwuipa1.lab.pnq2.cee.redhat.com
    > User-Agent: curl/7.61.1
    > Accept: */*
    >
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS app data, [no content] (0):
    < HTTP/1.1 200 OK
    < Date: Thu, 05 Nov 2020 20:15:19 GMT
    < Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g mod_auth_gssapi/1.6.1 mod_wsgi/4.6.4 Python/3.6
    < X-Frame-Options: DENY
    < Content-Security-Policy: frame-ancestors 'none'
    < Cache-Control: no-cache, private
    < Content-Length: 54
    < Vary: Accept-Encoding
    < Content-Type: application/javascript
    <
    * Connection #0 to host node-0.suwuipa1.lab.pnq2.cee.redhat.com left intact
    define([],function(){return['idoverride-memberof'];});

(In reply to Alexander Bokovoy from comment #2)
> Note that the workaround
>
> ---------------------------
> 3. Workaround
> - A workaround is to re-create ("touch") an empty file:
> - /usr/share/ipa/ui/js/plugins/idoverride-memberof/idoverride-memberof.js
> ---------------------------
>
> is simply wrong.
>
> There is nothing in IPA itself that requires this plugin code. What is
> happening, I think, is caching of JavaScript data on the browser side.

- There is no cache on curl
- The workaround tricks the browser into loading a file. IPA does not need the code, but somehow browsers need to load the file to continue rendering the login page.

plugins.js is not a static file. It is generated at runtime by /usr/share/ipa/wsgi/plugins.py. It looks at the directories in /usr/share/ipa/ui/js/plugins/ and generates the list of 'file' references:
def get_plugin_index():
    if not os.path.isdir(paths.IPA_JS_PLUGINS_DIR):
        raise Exception("Supplied plugin directory path is not a directory")
    dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
    index = 'define([],function(){return['
    index += ','.join("'"+x+"'" for x in dirs)
    index += '];});'
    return index.encode('utf-8')
Later, the Web UI will take this list and, for each plugin foo, load a file foo/foo.js.
So it looks like the /usr/share/ipa/ui/js/plugins/idoverride-memberof directory is left and not removed when the package is removed?
I think the issue is due to the way plugin content is referenced in the ipa-idoverride-memberof spec file:
%files plugin
%license COPYING
%doc plugin/Feature.mediawiki README.md
# There is no client-side component yet
#%%python2_sitelib/ipaclient/plugins/*
%{ipa_python_sitelib}/ipaserver/plugins/*
%_datadir/ipa/schema.d/*
%_datadir/ipa/updates/*
%_datadir/ipa/ui/js/plugins/%{plugin_name}/*
E.g. the directory %_datadir/ipa/ui/js/plugins/%{plugin_name} is not marked as belonging to the package. Upon removal it is then left intact, but the content of the folder is cleaned up.
Now, I think the right solution would be to change plugins.py to actually verify that a foo/foo.js exists before adding it to the list of plugins.
As a workaround, please remove /usr/share/ipa/ui/js/plugins/ipa-idoverride-memberof directory instead of 'touching' a file in it.
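
The check proposed in the comment above, as an added example (not the FreeIPA project's code and not the upstream fix): the index lists a plugin only when its foo/foo.js is a regular file. The function names, the plugins_dir parameter, the "sample-plugin" name and the temporary directory layout are assumptions made for the demonstration; serialising the names with json.dumps goes one step beyond the comment so that a directory name cannot alter the generated JavaScript.

```python
import json
import os
import tempfile


def legacy_plugin_index(plugins_dir):
    """Behaviour quoted in the bug: every directory entry is listed.

    Entries are sorted here only to make the demo output deterministic.
    """
    names = sorted(os.listdir(plugins_dir))
    listed = ",".join("'" + n + "'" for n in names)
    return "define([],function(){return[" + listed + "];});"


def checked_plugin_index(plugins_dir):
    """List only plugins whose <name>/<name>.js is a regular file."""
    if not os.path.isdir(plugins_dir):
        raise NotADirectoryError(plugins_dir)
    plugins = []
    for name in sorted(os.listdir(plugins_dir)):
        entry = os.path.join(plugins_dir, name, name + ".js")
        if os.path.isfile(entry):
            plugins.append(name)
    # json.dumps quotes and escapes each name, so a directory name that
    # contains a quote cannot break out of the generated array literal.
    body = json.dumps(plugins, separators=(",", ":"))
    return "define([],function(){return" + body + ";});"


def demo():
    """Constructed layout: one intact plugin, one directory left empty
    after its package was removed."""
    with tempfile.TemporaryDirectory() as root:
        intact = os.path.join(root, "sample-plugin")
        os.makedirs(intact)
        with open(os.path.join(intact, "sample-plugin.js"), "w") as f:
            f.write("define([],function(){return {};});")
        os.makedirs(os.path.join(root, "idoverride-memberof"))  # empty
        return legacy_plugin_index(root), checked_plugin_index(root)


if __name__ == "__main__":
    old, new = demo()
    print("legacy :", old)
    print("checked:", new)
```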

Upstream ticket: https://pagure.io/freeipa/issue/8567

Fixed upstream
master: https://pagure.io/freeipa/c/91706690e0c894864c93716c4fbecb285722e77d

Fixed upstream
ipa-4-8: https://pagure.io/freeipa/c/29262465edf034d521c165e3854e28835d86b98d

Fixed upstream
ipa-4-6: https://pagure.io/freeipa/c/45802f19789d560634046dc6fb48f3bbc13fafb9

Verified based on following info
Snip from runner.log for IPA Version:
------------------------------------
2020-12-17T14:33:33+0000 TASK [List installed IPA packages version] *************************************
2020-12-17T14:33:34+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2020-12-17T14:33:34+0000 msg:
2020-12-17T14:33:34+0000 - arch: x86_64
2020-12-17T14:33:34+0000 epoch: null
2020-12-17T14:33:34+0000 name: ipa-server
2020-12-17T14:33:34+0000 release: 0.5.rc3.module+el8.4.0+9124+ced20601
2020-12-17T14:33:34+0000 source: rpm
2020-12-17T14:33:34+0000 version: 4.9.0
Snip from test-result.xt:
-------------------------
Test "'test_jsplugins' (ipatests/test_ipaserver/test_jsplugins.py)" for this bugzilla is successful as per following details from the test run.
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-262.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 159 items
test_ipaserver/test_adtrust_mockup.py::TestNetbiosName::test_NetbiosName PASSED [ 0%]
test_ipaserver/test_changepw.py::test_changepw::test_bad_options PASSED [ 1%]
...
test_ipaserver/test_jsplugins.py::test_jsplugins::test_jsplugins PASSED [ 16%]
...
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED [100%]
---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 155 passed, 4 skipped, 6 warnings in 20.15 seconds ==============

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:1846