Description of problem:
Fail to run 'rhc setup' when normalizing user on broker

Version-Release number of selected component (if applicable):
puddle [2.1.z/2014-08-15.1]

How reproducible:
100%

Steps to Reproduce:
1. Enable normalization of user on the broker
   NORMALIZE_USERNAME_METHOD="strip,lowercase,remove_domain"
2. Add a user with htpasswd
   #htpasswd -b /etc/openshift/htpasswd 'Test2 @Example.com ' 'redhat'
3. Run 'rhc setup'
   rhc setup -l "Test2 @Example.com "

Actual results:
Output:
<--snip-->
Using Test2 @Example.com to login to broker.ose21z-manual.com.cn
Password: ******
OpenShift can create and store a token on disk which allows to you to access the server without using your password. The key is stored in your home directory and should be kept secret. You can delete the key at any time by running 'rhc logout'.
Generate a token now? (yes|no) yes
Generating an authorization token for this client ... The requested cloud user was not found

Expected results:
Run 'rhc setup' successfully

Additional info:
If normalization of user is disabled on the broker, the user can set up successfully.
If only one rule is configured, "rhc setup" will succeed, e.g. NORMALIZE_USERNAME_METHOD="strip".
I believe the normalization is being applied more than once in this code path. As long as normalization is idempotent, this isn't a problem, but examples where you get a different result applying it once versus twice can certainly be constructed, and this is one.

It's not clear to me how to address this generally such that normalization is always applied once and only once. It would not be too hard within a request, e.g. just add a marker to the string when it's normalized:

    login.define_singleton_method(:normalized?) { true }

...and then check for it before normalizing. However, when you have something that normalizes the login, stores it somewhere, retrieves that, then searches for it based on the already-normalized value, it's going to get normalized twice across different requests. I think that's what's happening here.

We might be able to fix up this particular case by storing uuid instead of login, but that would just hide the problem temporarily; e.g. if the username stored in the DB has been normalized once, but normalizing it again would change it, then you won't be able to access it to add it to teams and domains.

So I propose documenting basically: "normalization must be idempotent across your expected username space". I.e. "if you run it twice you should get the same result as just once, for all the user names you have".

"strip" and "lowercase" are inherently idempotent. "remove_domain" is not, even by itself (only removes one "@example.com" from the end; in light of this I should change that to remove all after first "@"), and in combination with other methods may not be either as this bug demonstrates. Custom methods of course may not be either.
Note that this would work (for the given example) with:

    NORMALIZE_USERNAME_METHOD="remove_domain,strip,lowercase"

That would still fail with login "foo@bar@baz", but if you expected usernames like that, you could either specify remove_domain twice or define a custom normalization method to wind up with what you really wanted using regexes or other logic.
Having thought further about it, I guess the solution is obvious... since normalization will never work right unless it is idempotent, repeat the normalization until it stops making changes.
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/caa593f28c13ed0eca77b263d5306d3ec5750ef8

broker: ensure normalization is idempotent

https://bugzilla.redhat.com/show_bug.cgi?id=1131317
Bug 1131317 - Fail to run 'rhc setup' when normalizing user with complex matrix on broker

When the username is normalized, then stored, then retrieved and used in a new request, it is normalized again. In order for this to match, normalization should be idempotent. It's possible to come up with reasonable normalizations that accidentally break this rule. So, to make sure, we now normalize names repeatedly until the answer stays the same.
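The double-normalization mismatch and the repeat-until-stable fix discussed in this thread, as an added Ruby example that is not the origin-server code. The three rule lambdas are simplified stand-ins (remove_domain is assumed to drop one trailing "@domain"), and MAX_PASSES and the function names are hypothetical.

```ruby
# Added illustration; not the origin-server implementation.
# Each rule is a simplified stand-in for the broker rule of the same name.
METHODS = {
  "strip"         => ->(s) { s.strip },
  "lowercase"     => ->(s) { s.downcase },
  # Assumption: removes one trailing "@domain" part only.
  "remove_domain" => ->(s) { s.sub(/@[^@]*\z/, "") },
}.freeze

MAX_PASSES = 10 # hypothetical guard against a custom rule that never settles

# Apply every configured rule exactly once, in the configured order.
def normalize_once(login, config)
  config.split(",").reduce(login) { |s, name| METHODS.fetch(name).call(s) }
end

# Repeat the whole chain until the result stops changing (a fixed point),
# so a stored name and a re-normalized lookup key always agree.
def normalize(login, config)
  MAX_PASSES.times do
    nxt = normalize_once(login, config)
    return nxt if nxt == login
    login = nxt
  end
  raise ArgumentError, "normalization did not converge"
end

# True when a second pass over an already-normalized login changes nothing.
def idempotent?(login, config)
  once = normalize_once(login, config)
  normalize_once(once, config) == once
end

LOGIN  = "Test2 @Example.com " # login from the bug report
CONFIG = "strip,lowercase,remove_domain"

if __FILE__ == $PROGRAM_NAME
  stored = normalize_once(LOGIN, CONFIG)  # value written at first login
  lookup = normalize_once(stored, CONFIG) # key computed on a later request
  puts "stored=#{stored.inspect} lookup=#{lookup.inspect}"
  puts "fixed point=#{normalize(LOGIN, CONFIG).inspect}"
  puts "reordered config idempotent? " \
       "#{idempotent?(LOGIN, 'remove_domain,strip,lowercase')}"
end
```

A single pass leaves a trailing space that the second pass strips, which is why the stored name and the lookup key differ; the iteration cap turns a rule chain that oscillates into an error instead of a hang.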
Check on puddle [2.1.z/2014-08.28.1]

1. Enable normalization of user on the broker
   NORMALIZE_USERNAME_METHOD="strip,lowercase,remove_domain"
2. Add a user with htpasswd
   #htpasswd -b /etc/openshift/htpasswd 'Test2 @Example.com ' 'redhat'
3. Run 'rhc setup'
   rhc setup -l "Test2 @Example.com "

Run 'rhc setup' successfully!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1183.html