Bug 969886

Summary: Signing out from Katello does not sign current user from Foreman
Product: Red Hat Satellite
Reporter: Og Maciel <omaciel>
Component: Infrastructure
Assignee: Marek Hulan <mhulan>
Status: CLOSED WONTFIX
QA Contact: Og Maciel <omaciel>
Severity: high
Priority: unspecified
Version: 6.0.1
CC: bkearney, cwelton, mmccune
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-22 06:18:48 UTC

Description Og Maciel 2013-06-02 22:25:57 UTC
Description of problem:

I've been playing with adding new users and checking if they can log in successfully to both Katello and Foreman (SSO enabled), and I noticed that signing out from Katello does not sign the current user out of Foreman (and vice-versa). I'm not sure if this is by design, but imvho this is very confusing to the end user.

Version-Release number of selected component (if applicable):

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.8.9-1.el6_4.noarch
* candlepin-cert-consumer-qeblade35.rhq.lab.eng.bos.redhat.com-1.0-1.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.9-1.el6_4.noarch
* candlepin-tomcat6-0.8.9-1.el6_4.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* foreman-1.1.10002-44.noarch
* foreman-installer-puppet-concat-0-2.d776701.git.0.21ef926.el6sat.noarch
* foreman-installer-puppet-dhcp-0-5.3a4a13c.el6sat.noarch
* foreman-installer-puppet-dns-0-7.fcae203.el6sat.noarch
* foreman-installer-puppet-foreman-0-6.568c5c4.el6sat.noarch
* foreman-installer-puppet-foreman_proxy-0-8.bd1e35d.el6sat.noarch
* foreman-installer-puppet-puppet-0-3.ab46748.el6sat.noarch
* foreman-installer-puppet-tftp-0-5.ea6c5e5.el6sat.noarch
* foreman-installer-puppet-xinetd-0-50a267b8.git.0.44aca6a.el6sat.noarch
* foreman-postgresql-1.1.10002-44.noarch
* foreman-proxy-1.1.10002-1.el6sat.noarch
* foreman-proxy-installer-1.0.1-8.f5ae2cd.el6sat.noarch
* katello-1.4.2-8.el6sat.noarch
* katello-all-1.4.2-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.2-6.el6sat.noarch
* katello-cli-common-1.4.2-6.el6sat.noarch
* katello-common-1.4.2-8.el6sat.noarch
* katello-configure-1.4.3-12.el6sat.noarch
* katello-configure-foreman-1.4.3-12.el6sat.noarch
* katello-foreman-all-1.4.2-8.el6sat.noarch
* katello-glue-candlepin-1.4.2-8.el6sat.noarch
* katello-glue-elasticsearch-1.4.2-8.el6sat.noarch
* katello-glue-pulp-1.4.2-8.el6sat.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.4.3-3.el6sat.noarch
* openldap-2.4.23-31.el6.x86_64
* pulp-rpm-plugins-2.1.1-1.el6sat.noarch
* pulp-selinux-2.1.1-1.el6sat.noarch
* pulp-server-2.1.1-1.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-ldap_fluff-0.1.7-3.el6sat.noarch
* ruby193-rubygem-net-ldap-0.2.2-7.el6_4.noarch
* signo-0.0.15-1.el6sat.noarch
* signo-katello-0.0.15-1.el6sat.noarch

How reproducible:


Steps to Reproduce:
1. Make sure to have at least 2 valid users created via the Katello UI and that one of them is the administrator
2. Log in to the Katello UI as the admin user
3. Proceed to navigate to Foreman via the Provisioning link (you should be logged in as the same administrator user)
4. Navigate back to Katello via the Content link and log out
5. Immediately log in as the other non-administrator user
6. Proceed to navigate to Foreman via the Provisioning link

Actual results:

Once in the Foreman UI you will see that the administrator user is still logged in.

Expected results:

Signo should automatically sign out users from both Katello and Foreman.


Additional info:

Comment 1 Marek Hulan 2013-06-03 06:07:33 UTC
This is intentional. Imagine a situation where you work on both systems at the same time. You have filled a form with a lot of inputs in Foreman, then in a second tab you log out from Katello. If you switched back to Foreman and submitted the form you'd lose all data from the form and you would not even know why. I think that would be more confusing.

I think most or all SSOs work like this. E.g. when you use OpenID providers, logging out from one application does not destroy your session on all other systems.

Comment 2 Kurt Seifried 2013-06-03 19:45:06 UTC
This appears to be a security hardening issue and not a security vulnerability (e.g. there is no need for a CVE/etc.). This issue should probably be fixed as security hardening; my main concern would be that if someone finds a CSRF vuln in the product they could then potentially leverage this to gain access/execute commands/etc.

We should also document this to ensure there are no unexpected surprises for end users.

Also, should there be a "log out all my sessions" option, like I have seen a number of SSO providers give, so that people can force a complete log out if they are worried that someone has used this to gain access/etc. (combined with a password change and so on)?

Also moving this bug back to being public.

Comment 3 Marek Hulan 2013-06-04 08:43:12 UTC
Adding support for logging out a user from all systems would currently require one change: sessions would have to be stored on the server in Katello. Then Signo could store a list of all applications the user was logged into and enforce logout. It seems like an RFE more than a bug to me. Another way (but it looks hackish to me, since apps can have some logout hooks) would be just to delete the cookies for all apps. This would not require changes in Katello. And this would be another limitation for using the same domain for all systems.

Also the question is, where should this "log out all my sessions" option be? Only in the Signo UI, which is usually not displayed to the end user (just for the login form), or in Foreman and Katello? I still find it more confusing :-)
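
A constructed model of the single-logout design sketched in comment 3 (server-side sessions per application, an SSO server that records which sessions it opened for a user and revokes them all on request). This is added illustration, not Signo, Katello or Foreman code; the class and method names are assumptions.

```ruby
require 'securerandom'
# Constructed illustration, not Signo/Katello/Foreman code: apps keep sessions
# server-side and the SSO server records which sessions it opened per user.
class AppSessionStore
  def initialize
    @sessions = {} # session id => user name
  end

  def create(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = user
    sid
  end

  def valid?(sid)
    @sessions.key?(sid)
  end

  def revoke(sid) # true only if a live session was removed
    !@sessions.delete(sid).nil?
  end
end

class SsoServer
  def initialize
    @logins = Hash.new { |h, user| h[user] = [] } # user => [[app, sid], ...]
  end

  # Called each time a user reaches an application through SSO.
  def sign_in(user, app)
    sid = app.create(user)
    @logins[user] << [app, sid]
    sid
  end

  # Logout from one application only (the behaviour reported in this bug):
  # sessions the same user holds in other applications stay valid.
  def sign_out(user, app)
    mine, rest = @logins[user].partition { |a, _| a.equal?(app) }
    @logins[user] = rest
    mine.count { |a, sid| a.revoke(sid) }
  end

  # Single logout ("log out all my sessions"): revoke every session this
  # server opened for the user, across all applications, and forget them.
  def sign_out_everywhere(user)
    @logins.delete(user).to_a.count { |app, sid| app.revoke(sid) }
  end
end
```

Walking the reported steps through this model, `sign_out` leaves the Foreman session alive while `sign_out_everywhere` revokes it without touching another user's sessions.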

Comment 6 Corey Welton 2013-10-09 14:26:35 UTC
*** Bug 1010042 has been marked as a duplicate of this bug. ***

Comment 7 Mike McCune 2013-10-15 15:55:41 UTC
We can CLOSED:WONTFIX this since Signo is going away with the engine-ification of Katello.

Comment 8 Mike McCune 2014-01-16 21:16:51 UTC
Removing the Signo component and moving these bugs to 'Infrastructure'.