Bug 1301345 - Nested FreeIPA/LDAP groups breaks aaa LDAP and aaa LDAP SSO authentication
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 3.6.1.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-3.6.3
Target Release: 3.6.3.3
Assigned To: Martin Perina
Ondra Machacek
Depends On:
Blocks:
 
Reported: 2016-01-24 06:55 EST by Dan Lavu
Modified: 2016-08-02 11:04 EDT (History)
CC: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-11 02:24:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt-3.6.z+
rule-engine: exception+
mgoldboi: planning_ack+
oourfali: devel_ack+
pstehlik: testing_ack+


Attachments
ovirt-engine-extensions-tool log (625.09 KB, text/plain)
2016-01-29 15:13 EST, Dan Lavu


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 52860 master MERGED aaa: Prevent of recursion loop in flat groups 2016-03-16 05:49 EDT
oVirt gerrit 53047 master MERGED exttool: aaa: fix recursive loop print 2016-02-04 04:35 EST
oVirt gerrit 53083 ovirt-engine-3.6 MERGED exttool: aaa: fix recursive loop print 2016-02-18 09:04 EST
oVirt gerrit 53469 ovirt-engine-3.6 MERGED aaa: prevent of recursion loop in flat groups 2016-02-19 06:06 EST
oVirt gerrit 53705 ovirt-engine-3.6.3 MERGED exttool: aaa: fix recursive loop print 2016-02-19 03:17 EST
oVirt gerrit 53707 ovirt-engine-3.6.3 MERGED aaa: prevent of recursion loop in flat groups 2016-02-19 06:07 EST
oVirt gerrit 54067 master ABANDONED core: Upgrade Jackson to version 2.5.4 for enginesso 2016-08-02 11:04 EDT
oVirt gerrit 54673 master MERGED aaa: Fix JSON serialization of cyclic nested groups 2016-03-16 05:15 EDT

Description Dan Lavu 2016-01-24 06:55:29 EST
Description of problem:
After configuring aaa LDAP authentication and/or kerberos aaa authentication, authentication fails if the group contains groups as members (aka nested groups). 

---
2016-01-24 06:37:01,051 ERROR [io.undertow.servlet] (default task-238) Exception while dispatching incoming RPC call: com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract org.ovirt.engine.core.common.action.VdcReturnValueBase org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWTService.login(java.lang.String,java.lang.String,java.lang.String,org.ovirt.engine.core.common.action.VdcActionType)' threw an unexpected exception: javax.ejb.EJBException: JBAS014580: Unexpected Error
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:219) [gwt-servlet.jar:]
	at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:172) [gwt-servlet.jar:]
	at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:233) [gwt-servlet.jar:]
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62) [gwt-servlet.jar:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.utils.servlet.HeaderFilter.doFilter(HeaderFilter.java:94) [utils.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.ui.frontend.server.gwt.GwtCachingFilter.doFilter(GwtCachingFilter.java:132) [frontend.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.branding.BrandingFilter.doFilter(BrandingFilter.java:73) [branding.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:65) [utils.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.SessionMgmtFilter.doFilter(SessionMgmtFilter.java:31) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.LoginFilter.doFilter(LoginFilter.java:75) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.NegotiationFilter.doFilter(NegotiationFilter.java:132) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:90) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.ovirt.engine.core.aaa.filters.SessionValidationFilter.doFilter(SessionValidationFilter.java:77) [aaa.jar:]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_65]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_65]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65]
Caused by: javax.ejb.EJBException: JBAS014580: Unexpected Error
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInNoTx(CMTTxInterceptor.java:213) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:262) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:399) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:243) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:43) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.2.1.Final.jar:8.2.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:448)
	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
	at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view2.login(Unknown Source)
	at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.login(GenericApiGWTServiceImpl.java:189) [frontend.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_65]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_65]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_65]
	at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_65]
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196) [gwt-servlet.jar:]
	... 62 more
Caused by: java.lang.StackOverflowError
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
	at org.ovirt.engine.core.bll.aaa.DirectoryUtils.flatGroups(DirectoryUtils.java:202) [bll.jar:]
---

Version-Release number of selected component (if applicable):


How reproducible:
Always. 


Steps to Reproduce:
1. Authenticate oVirt against LDAP/FreeIPA.
2. Add FreeIPA group to SuperUser role in oVirt. 
3. Add a nested group in IdM/LDAP to the group that has a role in oVirt.

Actual results:
LDAP/KRB auth hangs and times out. 



Expected results:
Users in both the parent and the nested group are able to log in to oVirt.


Additional info:

LDAP AAA configuration 


[root@groot:/etc/ovirt-engine/aaa]# cat idm.properties
include = <ipa.properties>

vars.server1 = auth.lab.runlevelone.lan
vars.server2 = idm.lab.runlevelone.lan

vars.user = uid=ovirtauth,cn=sysaccounts,cn=etc,dc=lab,dc=runlevelone,dc=lan
vars.password = someverylongpassphrasethatisbetterthana12characterpassword

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}


[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-authn.properties
ovirt.engine.extension.name = idm-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm
ovirt.engine.aaa.authn.authz.plugin = idm-authz
config.profile.file.1 = ../aaa/idm.properties


[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-authz.properties
ovirt.engine.extension.name = idm-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties
Comment 1 Oved Ourfali 2016-01-24 11:45:38 EST
Dan, this happens only on master?
Comment 2 Dan Lavu 2016-01-24 15:21:50 EST
Sorry, no, it's happening on 1.1.2-1.


ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch
Comment 4 Martin Perina 2016-01-25 02:56:23 EST
Just to be sure about versions:

1. ovirt-engine-extension-aaa-ldap is 1.1.2, right?
2. What is the exact version of the ovirt-engine package? Master or 3.6? If 3.6, what is the exact version?

Thanks
Comment 5 Dan Lavu 2016-01-25 06:55:23 EST
ovirt-engine-jboss-as-7.1.1-1.el7.centos.x86_64
ovirt-vmconsole-host-1.0.0-1.el7.centos.noarch
ovirt-engine-setup-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-allinone-3.6.1.3-1.el7.centos.noarch
ovirt-image-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.1.2-1.el7.centos.noarch
ovirt-engine-wildfly-8.2.1-1.el7.x86_64
ovirt-engine-extensions-api-impl-3.6.1.3-1.el7.centos.noarch
ebay-cors-filter-1.0.1-0.1.ovirt.el7.noarch
ovirt-engine-webadmin-portal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-engine-reports-3.6.1.1-1.el7.centos.noarch
ovirt-engine-setup-plugin-dockerc-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-base-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-engine-cli-3.6.0.2-1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.0.3-1.el7.centos.noarch
ovirt-engine-dwh-3.6.1-1.el7.centos.noarch
ovirt-engine-reports-setup-3.6.1.1-1.el7.centos.noarch
ovirt-engine-lib-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-java-1.4.1-1.el7.centos.noarch
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-engine-websocket-proxy-3.6.1.3-1.el7.centos.noarch
ovirt-engine-dbscripts-3.6.1.3-1.el7.centos.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.1.3-1.el7.centos.noarch
ovirt-iso-uploader-3.6.0-1.el7.centos.noarch
ovirt-engine-wildfly-overlay-8.0.4-1.el7.noarch
ovirt-engine-dwh-setup-3.6.1-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-setup-1.1.2-1.el7.centos.noarch
ovirt-engine-userportal-3.6.1.3-1.el7.centos.noarch
ovirt-engine-restapi-3.6.1.3-1.el7.centos.noarch
ovirt-release36-002-2.noarch
ovirt-engine-extension-aaa-misc-1.0.0-1.el7.centos.noarch
ovirt-vmconsole-proxy-1.0.0-1.el7.centos.noarch
ovirt-engine-vmconsole-proxy-helper-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-offline-1.4.1-1.el7.centos.x86_64
ovirt-engine-extension-aaa-jdbc-1.0.4-1.el7.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.1.3-1.el7.centos.noarch
ovirt-engine-tools-3.6.1.3-1.el7.centos.noarch
ovirt-engine-backend-3.6.1.3-1.el7.centos.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
Comment 6 Ondra Machacek 2016-01-27 09:01:38 EST
I am 100% sure that I've tried it and it worked well.

Can you please share with us:
1) IPA version

2) how does the user membership look?
     From what I understand from your post, it looks like this:
     user
        |-> group1
                    |-> group2

     Then you assign group2 SuperUserRole and try to log in with user, right?

3) Also, I'm not sure what you mean by SSO and Kerberos. Based on the properties you posted in the description, you don't use it at all.
Comment 7 Dan Lavu 2016-01-28 00:18:41 EST
1. IPA version.

[root@auth:~]# rpm -qa | grep ipa
ipa-python-4.2.0-15.el7_2.3.x86_64
ipa-server-trust-ad-4.2.0-15.el7_2.3.x86_64
ipa-server-4.2.0-15.el7_2.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-admintools-4.2.0-15.el7_2.3.x86_64
python-iniparse-0.4-9.el7.noarch
redhat-access-plugin-ipa-0.9.1-2.el7.noarch
libipa_hbac-1.13.0-40.el7_2.1.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7_2.3.x86_64
ipa-server-dns-4.2.0-15.el7_2.3.x86_64


2. Correct. Actually, I'm unable to log in at all; the web app breaks entirely, and neither regular IdM logins nor local logins work.

3. Sorry, I was trying to simplify the config. Here is the relevant krb configuration.

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-authz.properties 
ovirt.engine.extension.name = idm-krb-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/idm.properties
#config.globals.bindFormat.simple_bindFormat = realm

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-authn.properties 
ovirt.engine.extension.name = idm-krb-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = idm-krb-http
ovirt.engine.aaa.authn.authz.plugin = idm-krb-authz
ovirt.engine.aaa.authn.mapping.plugin = idm-krb-http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User

[root@groot:/etc/ovirt-engine/extensions.d]# cat idm-krb-http-mapping.properties 
ovirt.engine.extension.name = idm-krb-http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}

[root@groot:/etc/ovirt-engine/extensions.d]# cat /etc/httpd/conf.d/ovirt-sso.conf 
#
# 1. make sure /etc/krb5.keytab is available and valid.
# 2. update KrbAuthRealms
# 3. symlink into /etc/httpd/conf.d
#
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
	RewriteEngine on
	RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
	RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
	RequestHeader set X-Remote-User %{REMOTE_USER}s

#	AuthType Kerberos
#	AuthName "Kerberos Login"
#	Krb5Keytab /etc/ovirt.keytab
#	KrbAuthRealms LAB.RUNLEVELONE.LAN 

#	KrbMethodK5Passwd off 
#	Require valid-user
        AuthType GSSAPI
        GssapiLocalName off 
        AuthName "Login"
        GssapiBasicAuth on 
        GssapiCredStore keytab:/etc/ovirt.keytab
        Require valid-user
</LocationMatch>
Comment 8 Dan Lavu 2016-01-28 00:22:56 EST
When attempting to access the manager, the following is displayed. 

Internal Server Error

From the apache logs.

[Thu Jan 28 00:20:32.694096 2016] [proxy:error] [pid 16069] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Thu Jan 28 00:20:32.694107 2016] [proxy_ajp:error] [pid 16069] [client 192.168.71.16:54636] AH00896: failed to make connection to backend: 127.0.0.1, referer: https://ovirt.lab.runlevelone.lan/ovirt-engine/webadmin/?locale=en_US
Comment 9 Ondra Machacek 2016-01-29 03:42:53 EST
Thank you for the information. One last question: can you please send the output of the following command (on the engine)?

$ ovirt-engine-extensions-tool --log-level=FINEST aaa search --extension-name=idm-krb-authz --authz-flag=resolve-groups-recursive --authz-flag=resolve-groups --entity-name=problematic_user
Comment 10 Oved Ourfali 2016-01-29 11:56:43 EST
Martin, shall we target that to 3.6.3?
Comment 11 Martin Perina 2016-01-29 12:07:07 EST
Ondra has provided a patch [1]. If he confirms that it solves this issue, we should get this into 3.6.3, because AFAIU this issue could happen on any LDAP server with a "nested group cycle" (A is a member of B and B is a member of A).
Ondro?

[1] https://gerrit.ovirt.org/#/c/52860/
Comment 12 Dan Lavu 2016-01-29 15:13 EST
Created attachment 1119515
ovirt-engine-extensions-tool log

Log attached.
Comment 13 Oved Ourfali 2016-01-31 12:22:23 EST
Restoring needinfo
Comment 14 Dan Lavu 2016-01-31 12:37:36 EST
Martin, 

Just for clarification, it's just a nested group: group A is a member of group B; it does not loop.

Group admins is nested beneath ovirt Admins

[root@auth:~]# ipa group-find

  Group name: ovirt_admins
  Description: oVirt Administrators
  Member users: user1, user2, user3, dlavu **sanitized**
  Member groups: admins  << Removing this membership, fixes the problem.


  Group name: admins
  Description: Administrators
  GID: 100000
  Member users: admin, dlavu
  Member of groups: idm_admins, ovirt_admins
  Member of Sudo rule: root_users
  Member of HBAC rule: allow_all
  Indirect Member of role: helpdesk, IT Security Specialist, IT Specialist, Security Architect, User Administrator
Comment 15 Ondra Machacek 2016-02-01 13:07:43 EST
With the following setup I couldn't reproduce (it should be the same as you have):
[root@brq-ipa-4 ~]# ipa group-find
  Group name: admins
  Member users: admin, my_test1
  Member of groups: ovirt_admins, idm_admins

  Group name: idm_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin

  Group name: ovirt_admins
  Member users: my_test1
  Member groups: admins
  Indirect Member users: admin

I've assigned the SuperUser role to the 'ovirt_admins' group and I was able to log in as the 'my_test1' user.

The only way I was able to reproduce was to create a recursion between groups.
Once I added the 'ovirt_admins' group to the 'admin' group, I got the issue you had.
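The loop Ondra describes in this comment, and the unbounded recursion behind the StackOverflowError in DirectoryUtils.flatGroups from the description, modelled as an added Python example (not oVirt's code): a naive flattener that recurses with no memory of visited groups beside a cycle-safe one, plus a pre-flight check that parses constructed `ipa group-find` style output and reports the membership cycle. The sample output, the DAN_SETUP graph and all function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Set

# Constructed `ipa group-find` style output (not from a real IdM server)
# mirroring Comment 15 once the loop exists: admins -> ovirt_admins -> admins.
IPA_GROUP_FIND = """\
  Group name: admins
  Member users: admin, my_test1
  Member groups: ovirt_admins
  Member of groups: ovirt_admins, idm_admins

  Group name: ovirt_admins
  Member users: my_test1
  Member groups: admins
"""

# Constructed graph for the plain nesting of Comment 14: ovirt_admins contains
# admins, admins contains no groups, so there is no loop.
DAN_SETUP: Dict[str, List[str]] = {"ovirt_admins": ["admins"], "admins": []}


def parse_group_find(text: str) -> Dict[str, List[str]]:
    """Build {group: [direct member groups]} from `ipa group-find` output.
    Only "Member groups:" feeds the graph; "Member of groups:" is the reverse
    edge and is ignored so edges are not doubled."""
    graph: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Group name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            graph.setdefault(current, [])
            continue
        m = re.match(r"\s*Member groups:\s*(.*)", line)
        if m and current is not None:
            graph[current] = [g.strip() for g in m.group(1).split(",") if g.strip()]
    return graph


def flat_groups_naive(graph, group, acc=None):
    """Unguarded recursion: expands every member group with no memory of what
    was already expanded, so a cycle recurses until the stack is exhausted
    (RecursionError here, StackOverflowError in the JVM)."""
    if acc is None:
        acc = []
    for child in graph.get(group, []):
        acc.append(child)
        flat_groups_naive(graph, child, acc)
    return acc


def naive_overflows(graph, group) -> bool:
    """True if the unguarded flattener blows the stack for this group."""
    try:
        flat_groups_naive(graph, group)
    except RecursionError:
        return True
    return False


def flat_groups_safe(graph, group) -> Set[str]:
    """Cycle-safe flattening: a visited set expands each group exactly once,
    so a loop terminates instead of recursing."""
    visited: Set[str] = set()
    stack = list(graph.get(group, []))
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        stack.extend(graph.get(g, []))
    return visited


def find_cycle(graph) -> List[str]:
    """Return one membership cycle as a closed path ([a, b, a]) or [] if the
    group graph is acyclic: a pre-flight check to run against the directory."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in graph}
    path: List[str] = []

    def dfs(g):
        colour[g] = GREY
        path.append(g)
        for child in graph.get(g, []):
            state = colour.get(child, WHITE)
            if state == GREY:  # back edge: child is already on the current path
                return path[path.index(child):] + [child]
            if state == WHITE and (found := dfs(child)):
                return found
        path.pop()
        colour[g] = BLACK
        return []

    for start in sorted(graph):
        if colour[start] == WHITE and (found := dfs(start)):
            return found
    return []
```

On the constructed output, find_cycle(parse_group_find(IPA_GROUP_FIND)) reports ['admins', 'ovirt_admins', 'admins'], naive_overflows on that graph returns True, and flat_groups_safe returns {'admins', 'ovirt_admins'}; on DAN_SETUP, which only nests without looping, both flatteners succeed and no cycle is reported.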
Comment 16 Ondra Machacek 2016-02-18 07:40:38 EST
I was able to reproduce also on latest 3.5.
Comment 17 Martin Perina 2016-02-19 06:11:03 EST
The master fix will be a bit different and ready next week, but we need this to get into the last 3.6.3 build.
Comment 18 Ondra Machacek 2016-02-25 06:11:46 EST
I've successfully logged in with a user that has nested groups and a group recursion loop.

Dan, can you please try if it works for you as well? Thanks.
Comment 19 Dan Lavu 2016-02-25 06:38:57 EST
Ondra, 


Is it up on Fedora, or do I need to get it from the nightly builds? But certainly I will test.
