Bug 1444367 - ansible doesn't allow to set challenge true for Openid and gitlab
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assigned To: Michael Gugino
QA Contact: Johnny Liu
Reported: 2017-04-21 04:57 EDT by Jaspreet Kaur
Modified: 2017-11-28 16:53 EST
CC: 5 users
Doc Type: If docs needed, set a value
Last Closed: 2017-11-28 16:53:29 EST
Type: Bug
External Trackers:
Red Hat Product Errata RHSA-2017:3188 (priority normal, status SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update; last updated 2017-11-28 21:34:54 EST
Description Jaspreet Kaur 2017-04-21 04:57:35 EDT
Description of problem: When using ansible to configure the openID-connect provider we got an error when setting 'challenge' to true. This happens because of the validate function not allowing this [2].

[2] https://github.com/openshift/openshift-ansible/blob/7496b1235f72bd4241e4917f50df722174bf90fa/roles/openshift_master_facts/filter_plugins/openshift_master.py#L348

Support for the resource owner password grant flow was added in 3.3 (https://github.com/openshift/origin/pull/8732)

Actual results:  It gives an error when setting challenge=true


Expected results:
It should allow challenge true for openid and gitlab providers.

Comment 1 Scott Dodson 2017-06-13 10:57:15 EDT
https://github.com/openshift/openshift-ansible/issues/4417 upstream issue open too
Comment 3 Michael Gugino 2017-10-20 09:27:02 EDT
PR Created: https://github.com/openshift/openshift-ansible/pull/5828
Comment 7 Johnny Liu 2017-11-02 03:51:04 EDT
Re-test this bug with openshift-ansible-3.7.0-0.189.0.git.0.d497c5e.el7.noarch, still failed.


openshift_master_identity_providers=[{'name': 'github', 'challenge': 'true', 'login': 'true', 'kind': 'GitHubIdentityProvider', 'clientID': 'xxx', 'clientSecret': 'xxx' }]


TASK [openshift_master : set_fact] *********************************************
Thursday 02 November 2017  07:06:18 +0000 (0:00:01.460)       0:07:46.683 ***** 
fatal: [ec2-54-234-90-16.compute-1.amazonaws.com]: FAILED! => {"failed": true, "msg": "|failed provider GitHubIdentityProvider does not allow challenge authentication"}
Comment 8 Michael Gugino 2017-11-02 09:55:21 EDT
It seems the validation code was being applied in two separate places.

New PR Created: https://github.com/openshift/openshift-ansible/pull/5988
Comment 9 Scott Dodson 2017-11-06 20:08:31 EST
Fix should be in openshift-ansible-3.7.0-0.196.0
Comment 10 Johnny Liu 2017-11-07 01:05:31 EST
Re-test with openshift-ansible-3.7.0-0.196.0.git.0.27cd7ec.el7.noarch, FAIL.

Though the installer does not refuse the setting, the master is forbidding challenge set to true.

RUNNING HANDLER [openshift_master : restart master api] ************************
Tuesday 07 November 2017  05:49:51 +0000 (0:00:00.016)       0:13:11.566 ****** 

fatal: [ec2-34-230-15-172.compute-1.amazonaws.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to restart service atomic-openshift-master-api: Job for atomic-openshift-master-api.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master-api.service\" and \"journalctl -xe\" for details.\n"}


# journalctl -f  -u atomic-openshift-master-api
Nov 07 00:59:50 ip-172-18-7-188.ec2.internal systemd[1]: Starting Atomic OpenShift Master API...
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: I1107 00:59:51.437606   23908 start_api.go:104] Using a listen address override "0.0.0.0:8443"
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: I1107 00:59:51.438334   23908 plugins.go:77] Registered admission plugin "NamespaceLifecycle"
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439442   23908 start_master.go:290] Warning: assetConfig.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439466   23908 start_master.go:290] Warning: assetConfig.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439474   23908 start_master.go:290] Warning: oauthConfig.identityProvider[0]: Invalid value: "null": no organizations or teams specified, any GitHub user will be allowed to authenticate, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: W1107 00:59:51.439481   23908 start_master.go:290] Warning: aggregatorConfig.proxyClientInfo: Invalid value: "": if no client certificate is specified, the aggregator will be unable to proxy to remote servers, master start will continue.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: Invalid MasterConfig /etc/origin/master/master-config.yaml
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal atomic-openshift-master-api[23908]: oauthConfig.identityProvider[0].challenge: Invalid value: true: A GitHub identity provider cannot be used for challenges
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: atomic-openshift-master-api.service: main process exited, code=exited, status=255/n/a
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: Failed to start Atomic OpenShift Master API.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: Unit atomic-openshift-master-api.service entered failed state.
Nov 07 00:59:51 ip-172-18-7-188.ec2.internal systemd[1]: atomic-openshift-master-api.service failed.
Comment 11 Michael Gugino 2017-11-07 10:28:31 EST
(In reply to Johnny Liu from comment #10)
> Re-test with openshift-ansible-3.7.0-0.196.0.git.0.27cd7ec.el7.noarch, FAIL.
> 
> Though the installer does not refuse the setting, the master is forbidding
> challenge set to true.

Johnny, this bug affects GitLab, not GitHub.  Can you verify with GitLab?  It should be supported for challenge auth, GitHub is specifically not supported with challenge auth.
Comment 12 Michael Gugino 2017-11-07 12:56:54 EST
PR Created to re-implement github and google check: https://github.com/openshift/openshift-ansible/pull/6046
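The rule the thread converges on (comments 10 through 12) is that challenge authentication is rejected for GitHub and Google identity providers but accepted for GitLab and OpenID Connect, and that the installer's check should agree with the master's own config validation so the playbook fails early instead of the API service failing to restart. The validator below is an added example, not the openshift-ansible filter plugin or the OpenShift master code; it checks a list of openshift_master_identity_providers entries of the shape shown in the inventory lines above. The set of provider kinds that forbid challenge is taken from this thread only (GitHub and Google); the function and constant names are this example's own, and the sample entries are constructed with placeholder client IDs and secrets.

```python
# Added example, not openshift-ansible's own filter plugin or OpenShift's master
# validation. It encodes the rule this thread settles on so an inventory can be
# checked before a playbook run: GitHub and Google identity providers reject
# challenge authentication (comment 12 and the master log in comment 10), while
# GitLab and OpenID Connect accept it (comment 11, comment 13).

# Provider kinds that must not be configured with challenge=true (from the thread).
CHALLENGE_FORBIDDEN_KINDS = frozenset([
    "GitHubIdentityProvider",
    "GoogleIdentityProvider",
])


def as_bool(value):
    """Inventory values arrive as strings ('true'/'false') or real booleans.

    Accepts both forms; anything else is rejected rather than silently treated
    as false, so a typo like 'ture' cannot disable a check by accident.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered in ("true", "yes", "1"):
            return True
        if lowered in ("false", "no", "0"):
            return False
    raise ValueError("expected a boolean, got %r" % (value,))


def validate_identity_providers(providers):
    """Return a list of error messages; an empty list means the config is acceptable.

    Each entry is one dict from openshift_master_identity_providers. Index and
    name are included in every message so the offending entry is easy to find.
    """
    errors = []
    for idx, provider in enumerate(providers):
        name = provider.get("name", "<unnamed>")
        kind = provider.get("kind")
        if not kind:
            errors.append("identityProvider[%d] (%s): missing 'kind'" % (idx, name))
            continue
        try:
            challenge = as_bool(provider.get("challenge", False))
        except ValueError as exc:
            errors.append("identityProvider[%d] (%s): challenge: %s" % (idx, name, exc))
            continue
        if challenge and kind in CHALLENGE_FORBIDDEN_KINDS:
            errors.append(
                "identityProvider[%d] (%s): provider %s does not allow challenge "
                "authentication" % (idx, name, kind)
            )
    return errors


# Constructed sample inventory entries (client IDs and secrets are placeholders).
SAMPLE_PROVIDERS = [
    {"name": "gitlab", "challenge": "true", "login": "true",
     "kind": "GitLabIdentityProvider", "clientID": "xxx", "clientSecret": "xxx",
     "url": "https://gitlab.com/"},
    {"name": "github", "challenge": "true", "login": "true",
     "kind": "GitHubIdentityProvider", "clientID": "xxx", "clientSecret": "xxx"},
]

if __name__ == "__main__":
    # The GitLab entry passes; the GitHub entry is reported, matching the
    # "cannot be used for challenges" error the master logged in comment 10.
    for problem in validate_identity_providers(SAMPLE_PROVIDERS):
        print(problem)
```

Running the validator against the inventory before the playbook reproduces the decision the master makes at startup, which is the point of comment 8's observation that the check existed in two places: both copies have to agree, or the installer accepts a configuration that the API service then refuses.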
Comment 13 Johnny Liu 2017-11-08 03:48:39 EST
Verified this bug with openshift-ansible-3.7.0-0.198.0.git.0.16275e5.el7.noarch, and PASS.

Setting the following line into inventory host file:
openshift_master_identity_providers=[{'name': 'gitlab', 'challenge': 'true', 'login': 'true', 'kind': 'GitLabIdentityProvider', 'clientID': 'xxx', 'clientSecret': 'xxx', 'url': 'https://gitlab.com/'}]

installation completed successfully, and login succeeded.
Comment 17 errata-xmlrpc 2017-11-28 16:53:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
