Bug 1019294 - Meet some stack trace while trying to deploy an application by an member with only view role
Meet some stack trace while trying to deploy an application by an member wit...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Command Line Interface (Show other bugs)
2.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Fabiano Franz
libra bugs
: Reopened
Depends On:
Blocks: 1026762
  Show dependency treegraph
 
Reported: 2013-10-15 08:29 EDT by Jianwei Hou
Modified: 2015-05-14 22:25 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1026762 (view as bug list)
Environment:
Last Closed: 2014-01-23 22:24:11 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jianwei Hou 2013-10-15 08:29:49 EDT
Description of problem:
A member as 'view' role has the access to deploy an application

Version-Release number of selected component (if applicable):
On devenv_3897

How reproducible:
Always

Steps to Reproduce:
1. Create an application
rhc create-app php1 php-5.3
2. Disable auto deployment via rest api
curl -s -k -H 'Content-Type: Application/json' --user jhou@redhat.com:x https://ec2-54-237-111-30.compute-1.amazonaws.com/broker/rest/domain/jhou/application/php1 -X PUT -d '{"auto_deploy": false}'
3. Add a member as 'view' role to the domain
rhc member add jhou1 -r view
4. Deploy the application with the added member
rhc deploy-app php1 --ref $commit_id

Actual results:
After step 4, the app is deployed

0 master % rhc member-list -n jhou
Login           Role
--------------- -------------
jhou@redhat.com admin (owner)
jhou1           view


0 master % rhc app-deploy --ref 430e0d1 -a php1 -l jhou1
Deployment of '430e0d1' in progress for application php1 ... 
Stopping PHP cartridge
[Tue Oct 15 08:24:45 2013] [warn] PassEnv variable SHELL was undefined
[Tue Oct 15 08:24:45 2013] [warn] PassEnv variable USER was undefined
[Tue Oct 15 08:24:45 2013] [warn] PassEnv variable LOGNAME was undefined
Waiting for stop to finish
Building git ref '430e0d1', commit 430e0d1
Building PHP cartridge
Preparing build for deployment
Prepared deployment artifacts in /var/lib/openshift/525d32ef921de51d1f00016f/app-deployments/2013-10-15_08-24-46.472
Deployment id is f2daaf0c
Activating deployment
Starting PHP cartridge

Success 



Expected results:
Since the member has view role, he can not have access to deploy the application.

Additional info:
Comment 1 Abhishek Gupta 2013-10-17 16:25:45 EDT
The authorization code seems to be in place on the broker controllers. 

Can someone from the UI team please tell me if the "rhc app-deploy ..." command goes through the rest api or directly to the gear?
Comment 2 Fabiano Franz 2013-10-21 13:16:00 EDT
SSH access already respects membership rules so it is already not allowed unless the user has the 'edit' role. I'm guessing you are able to deploy because both users may be using the same ssh key. Please make sure the users are each using their own ssh key and reopen the bug if can still be reproduced.
Comment 3 Jianwei Hou 2013-10-21 21:57:00 EDT
(In reply to Fabiano Franz from comment #2)
> SSH access already respects membership rules so it is already not allowed
> unless the user has the 'edit' role. I'm guessing you are able to deploy
> because both users may be using the same ssh key. Please make sure the users
> are each using their own ssh key and reopen the bug if can still be
> reproduced.

Retested, and actually, I do not have any ssh keys associated with the 'view' only member. But eventually I was able to deploy the app with this member. The test env was devenv_3925

% rhc member list -n jhou
Login           Role
--------------- -------------
jhou@redhat.com admin (owner)
jhou1           view


% rhc sshkey list -l jhou1
You have 0 SSH keys associated with your account.

% rhc deploy-app -a  php1 --ref 400c3b9fd127f59cf94757cec1987326f81f706a -l jhou1
Please sign in to start a new session to ec2-184-73-108-226.compute-1.amazonaws.com.
Password: 

Deployment of '400c3b9fd127f59cf94757cec1987326f81f706a' in progress for application php1 ... 
Stopping PHP cartridge
[Mon Oct 21 21:52:56 2013] [warn] PassEnv variable SHELL was undefined
[Mon Oct 21 21:52:56 2013] [warn] PassEnv variable USER was undefined
[Mon Oct 21 21:52:56 2013] [warn] PassEnv variable LOGNAME was undefined
Waiting for stop to finish
Building git ref '400c3b9fd127f59cf94757cec1987326f81f706a', commit 400c3b9
Building PHP cartridge
Preparing build for deployment
Prepared deployment artifacts in /var/lib/openshift/5265d9abf010931397000006/app-deployments/2013-10-21_21-52-57.934
Deployment id is f2ad21ee
Activating deployment
Starting PHP cartridge

Success
Comment 4 Jordan Liggitt 2013-10-22 10:00:51 EDT
If you have the admin ssh keys available, the ssh session that "rhc deploy" triggers will make use of them.

Can you run "rhc sshkey list -l jhou@redhat.com" and see if it says any of the admin's ssh keys are available.
Comment 5 Jianwei Hou 2013-10-23 01:44:05 EDT
Thanks for the info, you are right, the admin's ssh key is available, and I was testing under a same machine with 2 different accounts -- admin and member. After switching to another machine, I was unable to deploy the application with the 'view' member, the result is:

% rhc app-deploy -a p1 --ref c46ec42ae0e0bd924404989c368506daf64588ed -l jhou1 -px --server ec2-54-221-130-189.compute-1.amazonaws.com 1 ↵
Deployment of git ref 'c46ec42ae0e0bd924404989c368506daf64588ed' in progress for application p1 ...
Error trying to deploy git ref. You can ssh to your application and try to deploy manually with:
gear deploy c46ec42ae0e0bd924404989c368506daf64588ed
/usr/local/rvm/gems/ruby-1.9.3-p392/gems/net-ssh-2.6.7/lib/net/ssh.rb:207:in `start': 52675627d026b771d4000004 (Net::SSH::AuthenticationFailed)
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/ssh_helpers.rb:171:in `ssh_ruby'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/deployment_helpers.rb:28:in `deploy_git_ref'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/deployment_helpers.rb:18:in `deploy_artifact'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands/app.rb:385:in `deploy'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:285:in `send'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:285:in `execute'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/commands.rb:276:in `to_commander'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/command_runner.rb:73:in `run!'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/lib/rhc/cli.rb:37:in `start'
	from /usr/local/rvm/gems/ruby-1.9.3-p392/gems/rhc-1.16.1/bin/rhc:20
	from /usr/bin/rhc:19:in `load'
	from /usr/bin/rhc:19
Comment 6 Fabiano Franz 2013-10-23 15:01:27 EDT
Fixed in https://github.com/openshift/rhc/pull/490
Comment 7 openshift-github-bot 2013-10-23 17:10:08 EDT
Commit pushed to master at https://github.com/openshift/rhc

https://github.com/openshift/rhc/commit/c566294a3027a93519f0666ab28a2f745e61d546
Bug 1019294 - ssh_helpers now handle authentication failures
Comment 8 Jianwei Hou 2013-10-24 04:12:39 EDT
This is fixed on devenv_3939

When trying to deploy with a 'view' role and without the admin ssh key, reasonable message is displayed instead of previous stack trace

[root@ip-10-238-133-152 ~]# rhc deploy-app -a php1 --ref 134bae4b99f3e202f32858b5ab7395e485b04d59 -l jhou1 -px
Deployment of git ref '134bae4b99f3e202f32858b5ab7395e485b04d59' in progress for application php1 ...
Error deploying git ref. You can try to deploy manually with:
ssh -t 5268d544c60bcee36a000014@php1-jhou.dev.rhcloud.com 'gear deploy 134bae4b99f3e202f32858b5ab7395e485b04d59'
Authentication to server php1-jhou.dev.rhcloud.com with user 5268d544c60bcee36a000014 failed

Note You need to log in before you can comment on or make changes to this bug.