| Summary: | Upgrade from OSE 1.1 to 1.2 breaks auth passthrough for JBossTools | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Luke Meyer <lmeyer> |
| Component: | Cluster Version Operator | Assignee: | John W. Lamb <jolamb> |
| Status: | CLOSED ERRATA | QA Contact: | libra bugs <libra-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.2.1 | CC: | baulakh, bleanhar, erich, jialiu, libra-onpremise-devel |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openshift-enterprise-upgrade-broker-1.2.2-1 | Doc Type: | Bug Fix |
| Doc Text: | When upgrading from OpenShift Enterprise 1.1 to 1.2 some Broker authentication configuration settings were not added correctly to configuration files. The upgrade process incorrectly assumed the name of the configuration file and caused the JBoss Tools authentication to fail. The upgrade process has been fixed in the current release of OpenShift Enterprise. However, users are advised to manually add this setting as suggested by the oo-accept-broker script in broken installations. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-09-25 15:30:22 UTC | Type: | Bug |
Description
Luke Meyer
2013-08-20 21:43:29 UTC
The format for the remote auth httpd config file changed slightly between the releases. Previously there was a line in /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf that started with "BrowserMatchNoCase" which is updated by the upgrade to:
SetEnvIfNoCase Authorization Bearer passthrough
However - the upgrade makes an assumption about the name of the conf file where this is configured. Technically it could be named anything. In the reported case it was named /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf to match the sample file it came from. Just copying the updated sample into place fixed the issue.
We can't really fix the issue that the file can be named anything. It is probably reasonable to give the 08-broker-fix-conf-remote-user upgrade script some latitude to update conf files with likely names. Conceivably this should be added to the release notes upgrade caveats.
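The content-based approach suggested above, as an added example that is not part of the bug report and not the project's 08-broker-fix-conf-remote-user script: it selects conf files by the directives they contain rather than by name, and inserts the new directive above the existing `BrowserMatchNoCase` line. The function names, the `.bak` backup suffix and the sample files are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not the project's upgrade script: find broker httpd conf files
# by content instead of by file name, then add the missing directive.
NEW_LINE='SetEnvIfNoCase Authorization Bearer passthrough'   # from the bug report

# has_directive FILE REGEX: true if an uncommented line matches (case-insensitive,
# because Apache directive names are case-insensitive).
has_directive() { grep -Eiq "^[[:space:]]*$2" "$1"; }

# List *.conf files in DIR that still set "passthrough" via BrowserMatchNoCase
# but lack the Bearer rule, whatever the file is called.
find_stale_confs() {
    local f
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        has_directive "$f" 'BrowserMatchNoCase[[:space:]].*passthrough' || continue
        has_directive "$f" 'SetEnvIfNoCase[[:space:]]+Authorization[[:space:]]+Bearer[[:space:]]+passthrough' && continue
        printf '%s\n' "$f"
    done
}

# Insert NEW_LINE above the first BrowserMatchNoCase passthrough line, keeping its
# indentation. The backup ends in .bak so a "*.conf" Include does not load it.
fix_conf() {
    cp -p "$1" "$1.bak" || return 1
    awk -v add="$NEW_LINE" '
        !seen && tolower($0) ~ /^[ \t]*browsermatchnocase[ \t].*passthrough/ {
            match($0, /^[ \t]*/); print substr($0, 1, RLENGTH) add; seen = 1
        }
        { print }' "$1.bak" > "$1"
}

# Fix every stale file in DIR and print the files that were changed.
fix_all() {
    local f
    find_stale_confs "$1" | while IFS= read -r f; do
        fix_conf "$f" && printf '%s\n' "$f"
    done
}

# Constructed sample: the non-default file name from the report, old contents.
demo_dir=$(mktemp -d)
printf '%s\n' '<Location /broker>' '    BrowserMatchNoCase ^OpenShift passthrough' \
    '    Allow from env=passthrough' '</Location>' \
    > "$demo_dir/openshift-origin-auth-remote-user-basic.conf"
printf '%s\n' "    $NEW_LINE" '    BrowserMatchNoCase ^OpenShift passthrough' \
    > "$demo_dir/already-upgraded.conf"
echo "stale before fix: $(find_stale_confs "$demo_dir")"
```

Because a file is only selected when it already grants `passthrough`, unrelated conf files in the same directory are left untouched, and a second run changes nothing.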
Pull request addressing this can be found at: https://github.com/openshift/enterprise/pull/31 - awaiting review

Verified this bug with the following packages, and PASS.
openshift-enterprise-upgrade-broker-1.2.2-1.el6op.noarch
openshift-enterprise-upgrade-node-1.2.2-1.el6op.noarch
Before upgrade:
```
# cat openshift.conf
<--snip-->
<Location /broker>
AuthName "OpenShift broker API"
AuthType Basic
AuthUserFile /etc/openshift/htpasswd
require valid-user
# The node->broker auth is handled in the Ruby code
BrowserMatchNoCase ^OpenShift passthrough
Allow from env=passthrough
# Console traffic will hit the local port. mod_proxy will set this header automatically.
SetEnvIf X-Forwarded-For "^$" local_traffic=1
# Turn the Console output header into the Apache environment variable for the broker remote-user plugin
SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
Allow from env=local_traffic
Order Deny,Allow
Deny from all
Satisfy any
</Location>
<--snip-->
```
After upgrade:
```
# cat /var/www/openshift/broker/httpd/conf.d/openshift.conf
<--snip-->
<Location /broker>
AuthName "OpenShift broker API"
AuthType Basic
AuthUserFile /etc/openshift/htpasswd
require valid-user
# The node->broker auth is handled in the Ruby code
SetEnvIfNoCase Authorization Bearer passthrough
BrowserMatchNoCase ^OpenShift passthrough
Allow from env=passthrough
# Console traffic will hit the local port. mod_proxy will set this header automatically.
SetEnvIf X-Forwarded-For "^$" local_traffic=1
# Turn the Console output header into the Apache environment variable for the broker remote-user plugin
SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
Allow from env=local_traffic
Order Deny,Allow
Deny from all
Satisfy any
</Location>
<--snip-->
```
And oo-accept-broker is PASS. JBoss Tools is working fine against the env.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1275.html