Bug 1444367 - ansible doesn't allow to set challenge true for Openid and gitlab
Summary: ansible doesn't allow to set challenge true for Openid and gitlab
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Michael Gugino
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-21 08:57 UTC by Jaspreet Kaur
Modified: 2017-11-28 21:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 21:53:29 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHSA-2017:3188 (priority normal, status SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update; last updated 2017-11-29 02:34:54 UTC

Description Jaspreet Kaur 2017-04-21 08:57:35 UTC
Description of problem: When using Ansible to configure the OpenID Connect provider, we got an error when setting 'challenge' to true. This happens because the validate function does not allow this [2].

[2] https://github.com/openshift/openshift-ansible/blob/7496b1235f72bd4241e4917f50df722174bf90fa/roles/openshift_master_facts/filter_plugins/openshift_master.py#L348

Support for the resource owner password grant flow was added in 3.3 (https://github.com/openshift/origin/pull/8732)



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:  It gives an error when setting challenge=true


Expected results:
It should allow challenge true for openid and gitlab providers.

Additional info:

Comment 1 Scott Dodson 2017-06-13 14:57:15 UTC
https://github.com/openshift/openshift-ansible/issues/4417 upstream issue open too

Comment 3 Michael Gugino 2017-10-20 13:27:02 UTC
PR Created: https://github.com/openshift/openshift-ansible/pull/5828

Comment 7 Johnny Liu 2017-11-02 07:51:04 UTC
Re-test this bug with openshift-ansible-3.7.0-0.189.0.git.0.d497c5e.el7.noarch, still failed.


openshift_master_identity_providers=[{'name': 'github', 'challenge': 'true', 'login': 'true', 'kind': 'GitHubIdentityProvider', 'clientID': 'xxx', 'clientSecret': 'xxx' }]


TASK [openshift_master : set_fact] *********************************************
Thursday 02 November 2017  07:06:18 +0000 (0:00:01.460)       0:07:46.683 ***** 
fatal: [ec2-54-234-90-16.compute-1.amazonaws.com]: FAILED! => {"failed": true, "msg": "|failed provider GitHubIdentityProvider does not allow challenge authentication"}

Comment 8 Michael Gugino 2017-11-02 13:55:21 UTC
It seems the validation code was being applied in two separate places.

New PR Created: https://github.com/openshift/openshift-ansible/pull/5988

Comment 9 Scott Dodson 2017-11-07 01:08:31 UTC
Fix should be in openshift-ansible-3.7.0-0.196.0

Comment 10 Johnny Liu 2017-11-07 06:05:31 UTC
Re-test with openshift-ansible-3.7.0-0.196.0.git.0.27cd7ec.el7.noarch, FAIL.

Though the installer does not refuse the setting, the master is forbidding challenge set to true.

RUNNING HANDLER [openshift_master : restart master api] ************************
Tuesday 07 November 2017  05:49:51 +0000 (0:00:00.016)       0:13:11.566 ****** 

fatal: [ec2-34-230-15-172.compute-1.amazonaws.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service atomic-openshift-master-api: Job for atomic-openshift-master-api.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master-api.service\" and \"journalctl -xe\" for details.\n"}


# journalctl -f  -u atomic-openshift-master-api
Nov 07 00:59:50 ip-172-18-7-188.ec2.internal systemd[1]: Starting Atomic OpenShift Master API...
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: I1107 00:59:51.437606   23908 start_api.go:104] Using a listen address override "0.0.0.0:8443"
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: I1107 00:59:51.438334   23908 plugins.go:77] Registered admission plugin "NamespaceLifecycle"
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439442   23908 start_master.go:290] Warning: assetConfig.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439466   23908 start_master.go:290] Warning: assetConfig.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439474   23908 start_master.go:290] Warning: oauthConfig.identityProvider[0]: Invalid value: "null": no organizations or teams specified, any GitHub user will be allowed to authenticate, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439481   23908 start_master.go:290] Warning: aggregatorConfig.proxyClientInfo: Invalid value: "": if no client certificate is specified, the aggregator will be unable to proxy to remote servers, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: Invalid MasterConfig /etc/origin/master/master-config.yaml
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: oauthConfig.identityProvider[0].challenge: Invalid value: true: A GitHub identity provider cannot be used for challenges
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: atomic-openshift-master-api.service: main process exited, code=exited, status=255/n/a
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: Failed to start Atomic OpenShift Master API.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: Unit atomic-openshift-master-api.service entered failed state.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: atomic-openshift-master-api.service failed.

Comment 11 Michael Gugino 2017-11-07 15:28:31 UTC
(In reply to Johnny Liu from comment #10)
> Re-test with openshift-ansible-3.7.0-0.196.0.git.0.27cd7ec.el7.noarch, FAIL.
> 
> Though the installer does not refuse the setting, the master is forbidding
> challenge set to true.

Johnny, this bug affects GitLab, not GitHub.  Can you verify with GitLab?  It should be supported for challenge auth, GitHub is specifically not supported with challenge auth.

Comment 12 Michael Gugino 2017-11-07 17:56:54 UTC
PR Created to re-implement github and google check: https://github.com/openshift/openshift-ansible/pull/6046

Comment 13 Johnny Liu 2017-11-08 08:48:39 UTC
Verified this bug with openshift-ansible-3.7.0-0.198.0.git.0.16275e5.el7.noarch, and PASS.

Setting the following line into inventory host file:
openshift_master_identity_providers=[{'name': 'gitlab', 'challenge': 'true', 'login': 'true', 'kind': 'GitLabIdentityProvider', 'clientID': 'xxx', 'clientSecret': 'xxx', 'url': 'https://gitlab.com/'}]

Installation completed successfully, and login succeeded.
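The thread shows the same setting being rejected at two different layers: first by the installer's filter plugin (comment 7, "does not allow challenge authentication") and, once that was relaxed, by the master itself at startup (comment 10, "A GitHub identity provider cannot be used for challenges"), which left the API service down until the inventory was corrected. The following pre-flight check is an added example written for this page; it is not the openshift-ansible filter plugin or any OpenShift code. It parses an `openshift_master_identity_providers` inventory line, rejects `challenge: true` for the GitHub and Google kinds (the two the follow-up PR in comment 12 re-checks; treating that as the complete list is an assumption), and also surfaces the warning the master logged in comment 10 about a GitHub provider with no organizations or teams, since that configuration admits any GitHub user. The sample inventory lines are constructed from comments 7 and 13 with dummy client IDs and secrets.

```python
"""Pre-flight check for openshift_master_identity_providers.

Hypothetical example for this bug report, NOT the openshift-ansible
filter plugin or any OpenShift code.  It reproduces the two rejections
seen in the thread (installer: "does not allow challenge authentication";
master: "A GitHub identity provider cannot be used for challenges") so
they are caught before the master-api service is restarted.
"""
import ast

# Kinds the master refuses for challenge (WWW-Authenticate) flows.  GitHub is
# from the master log in comment 10, Google from the PR in comment 12; that
# this is the complete list is an assumption of this example.
CHALLENGE_FORBIDDEN_KINDS = frozenset({
    "GitHubIdentityProvider",
    "GoogleIdentityProvider",
})


def to_bool(value):
    """Inventory values arrive as strings ('true'/'false') or real booleans."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "yes", "on", "1"):
            return True
        if lowered in ("false", "no", "off", "0", ""):
            return False
    raise ValueError("not a boolean: %r" % (value,))


def parse_inventory_line(line):
    """Parse 'openshift_master_identity_providers=[{...}]' into a list of dicts.

    ast.literal_eval accepts the quoted-dict syntax used in the thread but
    refuses anything that is not a literal, so a crafted inventory line
    cannot run code here (unlike eval()).
    """
    key, sep, raw = line.partition("=")
    if key.strip() != "openshift_master_identity_providers" or not sep:
        raise ValueError("not an openshift_master_identity_providers line")
    providers = ast.literal_eval(raw.strip())
    if not isinstance(providers, list):
        raise ValueError("identity providers must be a list of dicts")
    return providers


def check_identity_providers(providers):
    """Return (errors, warnings) for a list of identity provider dicts."""
    errors, warnings = [], []
    for idx, idp in enumerate(providers):
        name = idp.get("name", "identityProvider[%d]" % idx)
        kind = idp.get("kind")
        if not kind:
            errors.append("%s: missing 'kind'" % name)
            continue
        try:
            challenge = to_bool(idp.get("challenge", False))
            login = to_bool(idp.get("login", False))
        except ValueError as exc:
            errors.append("%s: %s" % (name, exc))
            continue
        if challenge and kind in CHALLENGE_FORBIDDEN_KINDS:
            # Same condition the master enforces at startup (comment 10).
            errors.append("%s: %s cannot be used for challenges" % (name, kind))
        if not challenge and not login:
            warnings.append("%s: neither challenge nor login is enabled" % name)
        if kind == "GitHubIdentityProvider" and not (
                idp.get("organizations") or idp.get("teams")):
            # Mirrors the master's warning in comment 10: with no scope,
            # any GitHub user can authenticate to the cluster.
            warnings.append("%s: no organizations or teams specified, "
                            "any GitHub user will be allowed to authenticate" % name)
    return errors, warnings


def check_inventory_line(line):
    return check_identity_providers(parse_inventory_line(line))


# Constructed sample lines modelled on comments 7 and 13 (dummy credentials).
GITHUB_LINE = ("openshift_master_identity_providers=[{'name': 'github', 'challenge': 'true', "
               "'login': 'true', 'kind': 'GitHubIdentityProvider', 'clientID': 'xxx', "
               "'clientSecret': 'xxx' }]")
GITLAB_LINE = ("openshift_master_identity_providers=[{'name': 'gitlab', 'challenge': 'true', "
               "'login': 'true', 'kind': 'GitLabIdentityProvider', 'clientID': 'xxx', "
               "'clientSecret': 'xxx', 'url': 'https://gitlab.com/'}]")

if __name__ == "__main__":
    for sample in (GITHUB_LINE, GITLAB_LINE):
        errs, warns = check_inventory_line(sample)
        print(sample.split("'name': ", 1)[1][:9], "errors:", errs, "warnings:", warns)
```

Run against the GitHub line from comment 7 it reports the challenge error (and the unscoped-provider warning) before any playbook runs; the GitLab line from comment 13 passes clean, matching the verified result.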

Comment 17 errata-xmlrpc 2017-11-28 21:53:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

