Bug 1456584 - EFK fails when used with Active Directory authentication user with slashes and comma
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.3.0
Hardware: All
OS: All
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-29 16:51 UTC by Bruno Andrade
Modified: 2020-12-14 08:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: openshift-elasticsearch-plugin was creating ACL roles based on the provided name, which could include slashes and commas.
Consequence: This caused the dependent lib to not properly evaluate roles.
Fix: Hash the name when creating ACL roles so they no longer contain the invalid characters.
Result: AD users can use Kibana and logging.
Clone Of:
Environment:
Last Closed: 2017-11-28 21:56:17 UTC
Target Upstream Version:
Embargoed:


Attachments
User error (102.01 KB, image/png), 2017-06-05 12:28 UTC, Bruno Andrade


Links
- GitHub fabric8io/openshift-elasticsearch-plugin pull 108 (closed): "1456584 ldap names", last updated 2019-11-21 02:43:47 UTC
- GitHub openshift/origin-aggregated-logging pull 741 (closed): "bump openshift-elasticsearch-plugin to 2.4.4.16 to fix", last updated 2019-11-21 02:43:48 UTC
- Red Hat Product Errata RHSA-2017:3188 (normal, SHIPPED_LIVE): "Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update", last updated 2017-11-29 02:34:54 UTC

Description Bruno Andrade 2017-05-29 16:51:06 UTC
Description of problem:
Kibana fails when used with an Active Directory authentication user with spaces. In our case we had a user/identity like:

"CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com"

We got the following error.

{
  "name": "Kibana",
  "hostname": "logging-kibana-1-dm00w",
  "pid": 8,
  "level": 30,
  "req": {
    "method": "POST",
    "url": "/elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1494510053959",
    "headers": {
      "forwarded": "for=10.154.235.189;host=kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com;proto=https",
      "x-forwarded-proto": "https",
      "x-forwarded-port": "443",
      "x-forwarded-host": "kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com",
      "accept-language": "en-US,en;q=0.8",
      "accept-encoding": "gzip, deflate, br",
      "referer": "https://kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com/",
      "content-type": "application/json;charset=UTF-8",
      "kbn-xsrf-token": "kibana",
      "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
      "origin": "https://kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com",
      "accept": "application/json, text/plain, */*",
      "content-length": "768",
      "host": "kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com",
      "connection": "close",
      "x-proxy-remote-user": "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com"
    },
    "remoteAddress": "127.0.0.1",
    "remotePort": 51434
  },
  "res": {
    "statusCode": 500,
    "responseTime": 45,
    "contentLength": 227
  },
  "msg": "POST /_msearch?timeout=0&ignore_unavailable=true&preference=1494510053959 500 - 45ms",
  "time": "2017-05-11T13:41:10.636Z",
  "v": 0
}

Version-Release number of selected component (if applicable):
3.3.0

How reproducible:

Steps to Reproduce:
1. Bind LDAPPasswordIdentityProvider with the id attribute set to the distinguished name (DN)
2. Create a user with spaces (first name and last name)
3. Try to access EFK through the Kibana dashboard

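The mechanism behind the report above, and behind the fix described in the Doc Text (hash the username before using it as an ACL role name), modelled as an added Python illustration. This is not code from openshift-elasticsearch-plugin or Search Guard, which are Java. It shows two things: why an identity built from the LDAP DN cannot be split on commas (the CN value "Szabo, Steve" carries an RFC 4514 escaped comma), and how a role name derived verbatim from such a username carries commas, backslashes and slashes into the ACL configuration while a hashed name does not. The "gen_user_" prefix, the SHA-1 digest, the safe-character set and the simplified DN parser (single-character escapes only, no hex escapes) are assumptions; the sample usernames other than the reported DN are constructed.

```python
"""Role-name derivation from OpenShift usernames: pre-fix vs post-fix.

Added illustration for this bug; NOT code from openshift-elasticsearch-plugin.
Assumptions: the "gen_user_" prefix, SHA-1 hex digests and the safe-character
set are illustrative; the page only says names were hashed and that slashes
and commas broke role evaluation.
"""
import hashlib
import re

# The DN from the report. The JSON log shows "Szabo\\, Steve" because JSON
# escapes the backslash; the decoded header value has a single backslash.
REPORTED_DN = "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com"

# Constructed sample usernames (not from the page) alongside the reported DN.
SAMPLE_USERS = [
    "alice",
    "Steve Szabo",          # spaces only; the reporter says such users worked
    REPORTED_DN,            # commas plus an escaped comma and an '='
    "CORP\\ssteve",         # constructed: DOMAIN\\user logon style (backslash)
    "steve/admin",          # constructed: slash in the name
]

# Assumed safe alphabet for a role name: letters, digits, '_', '.', '-'.
SAFE_ROLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def split_dn(dn):
    """Split an RFC 4514 DN into (ATTRIBUTE, value) pairs, honouring backslash
    escapes. Simplified: handles "\\," and "\\\\" style single-character escapes
    only, not "\\XX" hex escapes. A plain dn.split(",") would cut
    "Szabo\\, Steve" in two; this keeps it as one CN value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def common_name(dn):
    """Return the first CN value of a DN, or None if there is none."""
    for attr, value in split_dn(dn):
        if attr == "CN":
            return value
    return None


def naive_role_name(username):
    """Pre-fix behaviour: the role name embeds the username verbatim."""
    return "gen_user_" + username


def hashed_role_name(username):
    """Post-fix behaviour: the role name is built from a digest of the username,
    so DN punctuation never reaches the ACL configuration. SHA-1 hex is an
    assumption; any stable digest with a safe alphabet behaves the same."""
    digest = hashlib.sha1(username.encode("utf-8")).hexdigest()
    return "gen_user_" + digest


def is_safe_role_name(name):
    """True when the role name uses only the assumed safe alphabet."""
    return SAFE_ROLE_NAME.match(name) is not None


def offending_chars(username):
    """Characters the naive scheme would push into a role name, sorted."""
    return sorted({c for c in username if not SAFE_ROLE_NAME.match(c)})


def audit(usernames):
    """Map each username to (naive name is safe?, hashed name is safe?)."""
    return {
        u: (is_safe_role_name(naive_role_name(u)),
            is_safe_role_name(hashed_role_name(u)))
        for u in usernames
    }


if __name__ == "__main__":
    print("CN of reported DN:", common_name(REPORTED_DN))
    for user, (naive_ok, hashed_ok) in audit(SAMPLE_USERS).items():
        print(f"{user!r}: naive_safe={naive_ok} hashed_safe={hashed_ok} "
              f"offending={offending_chars(user)}")
```

Running the module prints the recovered CN ("Szabo, Steve") and, for each sample user, whether the verbatim and the hashed role names stay inside the safe alphabet; only "alice" survives the naive scheme, while every hashed name does. The same check is a cheap regression test to keep around for any component that turns an externally supplied principal name into an identifier in a configuration language with its own delimiters.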
Comment 1 Jeff Cantrill 2017-06-02 21:15:54 UTC
1. Are you able to log into the Openshift web console using the same name & password?
2. What exactly are you entering into the login page when you visit the Kibana URL?

Comment 2 Bruno Andrade 2017-06-05 12:05:09 UTC
1. Are you able to log into the Openshift web console using the same name & password?
>Yes
2. What exactly are you entering into the login page when you visit the Kibana URL?
> The user accesses the Kibana publicLoggingURL. The user is redirected to the OpenShift login page and can log in successfully. When he is redirected to the Kibana URL again, the following error is returned: "Discover: An Error occured with your request. Reset your inputs and try again"

Here are my considerations:

1) Not related to https://bugzilla.redhat.com/show_bug.cgi?id=1410694, because the user has at least view permission on several projects.
2) There is indexed information between the selected range
3) The problem only occurs when the user has slashes and commas in his Distinguished Name: "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com". I tried with another user with spaces, and it is possible to view the logs successfully.

Exception:

[2017-05-12 11:23:46,402][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all for action indices:data/read/msearch
com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all
	at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.validateAndMerge(TokenEvaluator.java:374)
	at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.<init>(TokenEvaluator.java:362)
	at com.floragunn.searchguard.tokeneval.TokenEvaluator.getEvaluator(TokenEvaluator.java:310)
	at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:253)
	at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:90)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at com.floragunn.searchguard.filter.FLSActionFilter.applySecure(FLSActionFilter.java:76)
	at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at com.floragunn.searchguard.filter.DLSActionFilter.applySecure(DLSActionFilter.java:73)
	at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at com.floragunn.searchguard.filter.RequestActionFilter.applySecure(RequestActionFilter.java:94)
	at com.floragunn.searchguard.filter.AbstractActionFilter.apply(AbstractActionFilter.java:97)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:64)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at io.fabric8.elasticsearch.plugin.ActionForbiddenActionFilter.apply(ActionForbiddenActionFilter.java:48)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:82)
	at org.elasticsearch.client.node.NodeClient.execute(NodeClient.java:98)
	at org.elasticsearch.client.FilterClient.execute(FilterClient.java:66)
	at org.elasticsearch.rest.BaseRestHandler$HeadersAndContextCopyClient.execute(BaseRestHandler.java:92)
	at org.elasticsearch.client.support.AbstractClient.multiSearch(AbstractClient.java:364)
	at org.elasticsearch.rest.action.search.RestMultiSearchAction.handleRequest(RestMultiSearchAction.java:66)
	at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:53)
	at org.elasticsearch.rest.RestController.executeHandler(RestController.java:225)
	at org.elasticsearch.rest.RestController$RestHandlerFilter.process(RestController.java:299)
	at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:280)
	at io.fabric8.elasticsearch.plugin.KibanaUserReindexFilter.process(KibanaUserReindexFilter.java:76)
	at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
	at com.floragunn.searchguard.rest.DefaultRestFilter.processSecure(DefaultRestFilter.java:37)
	at com.floragunn.searchguard.rest.AbstractACRestFilter.process(AbstractACRestFilter.java:198)
	at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
	at io.fabric8.elasticsearch.plugin.acl.DynamicACLFilter.process(DynamicACLFilter.java:162)
	at org.elasticsearch.rest.RestController$ControllerFilterChain.continueProcessing(RestController.java:283)
	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:180)
	at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:121)
	at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:83)
	at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:329)
	at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:65)
	at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.channel.SimpleChannelHandler.messageReceived(SimpleChannelHandler.java:142)
	at com.floragunn.searchguard.http.netty.MutualSSLHandler.messageReceived(MutualSSLHandler.java:80)
	at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
	at org.elasticsearch.common.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
	at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
	at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
	at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
	at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)
	at org.elasticsearch.common.netty.handler.codec.replay.ReplayingDecoder.messageReceived(ReplayingDecoder.java:435)
	at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.OpenChannelsHandler.handleUpstream(OpenChannelsHandler.java:74)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
	at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:296)
	at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462)
	at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443)
	at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
	at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
	at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
	at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
	at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
	at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
	at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
	at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
	at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
	at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
	at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
	at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Comment 3 Bruno Andrade 2017-06-05 12:28:20 UTC
Created attachment 1285044 [details]
User error

Comment 4 Jeff Cantrill 2017-06-20 01:37:56 UTC
Bruno,

I am just getting around to looking at this issue again.  With regards to what you are entering in the login page:

1. You are directed to the OpenShift login page that has username and password
2. You enter "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com" as the username
3. You are authenticated, but are presented with an error message as seen in the attachment.

Does this properly summarize what you are experiencing?

Comment 5 Jeff Cantrill 2017-09-13 12:42:18 UTC
From our QE who is familiar with Active Directory:

"
We need to know the logon username. "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com" is not a username, and it is not allowed to use "Szabo\\, Steve" as a username.

"

Can you provide the logon username that was used to expose this issue?

Comment 6 Jeff Cantrill 2017-09-19 17:32:34 UTC
Possibly related: https://bugzilla.redhat.com/show_bug.cgi?id=1491227

Comment 7 Jeff Cantrill 2017-10-06 15:04:02 UTC
*** Bug 1494239 has been marked as a duplicate of this bug. ***

Comment 9 Anping Li 2017-11-02 08:03:17 UTC
Since QE couldn't create a user with slashes and a comma in our Active Directory, I used a fake user [1]. Kibana works with this fake user, so I am moving the bug to VERIFIED.

Please re-open the bug, if you still hit this issue. 

[1]# oc get users
NAME                                                     UID                                    FULL NAME   IDENTITIES
CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com   abb8e332-bf9e-11e7-a35f-fa163ea6cdef               allow_all:CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com

Comment 12 errata-xmlrpc 2017-11-28 21:56:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

