Bug 1572521 - [ASB] Basic auth fail
Summary: [ASB] Basic auth fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.10.0
Assignee: Jesus M. Rodriguez
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-27 08:16 UTC by Jian Zhang
Modified: 2018-07-30 19:14 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
no doc update required
Clone Of:
Environment:
Last Closed: 2018-07-30 19:14:14 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 0 None None None 2018-07-30 19:14:34 UTC

Description Jian Zhang 2018-04-27 08:16:25 UTC
Description of problem:
Got the errors below after enabling basic auth for the ASB.

[2018-04-27T07:53:33.354Z] [INFO] - Configured for basic auth
[2018-04-27T07:53:33.354Z] [ERROR] - Error reading username. open /var/run/asb-auth/username: no such file or directory
[2018-04-27T07:53:33.354Z] [ERROR] - we had a problem building the DB for FileUserServiceAdapter. %!(EXTRA *os.PathError=open /var/run/asb-auth/username: no such file or directory)
[2018-04-27T07:53:33.354Z] [WARNING] - Unable to create provider for &{map[type:basic enabled:true] {{0 0} 0 0 0 0}}. open /var/run/asb-auth/username: no such file or directory

Version-Release number of selected component (if applicable):
The ASB version: 1.2.7
Service catalog version: v0.1.13

How reproducible:
always

Steps to Reproduce:
1. Enable the basic auth, like below:
# oc edit cm broker-config
  auth:
    - type: basic
      enabled: true
# oc rollout latest dc/asb

2. Check the ASB logs.

Actual results:
Got the above errors described in original info.

Expected results:
These errors should not occur.

Additional info:

Comment 1 Jesus M. Rodriguez 2018-04-30 21:30:41 UTC
Can you please show me the volumes defined for your deployment config?

oc volumes dc/asb


Also, oc rsh asb.... 

run mount in the container to see what it thinks it has as well.

Comment 2 Jesus M. Rodriguez 2018-04-30 21:35:59 UTC
I hit this problem recently on a test broker I was working on. The problem I had was I created the auth secret in a directory called /var/run/sb-auth. 

          volumeMounts:
            - name: config-volume
              mountPath: /etc/ansible-service-broker
            - name: samplebroker-tls
              mountPath: /etc/tls/private
            - name: sb-auth-volume
              mountPath: /var/run/sb-auth

This caused the errors I saw in the original comment.

I switched this to be /var/run/asb-auth

And it works now. The Automation Broker has a hard coded path to look for the secret. :(

Comment 3 Jesus M. Rodriguez 2018-05-01 15:22:10 UTC
Can you please show me the volumes defined for your deployment config?

oc volumes dc/asb


Also, oc rsh asb.... 

run mount in the container to see what it thinks it has as well.

Comment 4 Jian Zhang 2018-05-02 03:17:00 UTC
Jesus,

I did not find the corresponding mount path in "DC", as below:
[root@host-172-16-120-63 ~]# oc volumes dc/asb
deploymentconfigs/asb
  configMap/broker-config as config-volume
    mounted at /etc/ansible-service-broker
  secret/asb-tls as asb-tls
    mounted at /etc/tls/private

[root@host-172-16-120-63 ~]# oc rsh asb-6-gdlwm
...
sh-4.2$ pwd
/var/run/asb-auth
sh-4.2$ mount
overlay on / type overlay (rw,relatime,context="system_u:object_r:container_file_t:s0:c0,c11",lowerdir=/var/lib/containers/storage/overlay/l/CQ33AG2HDAG2MZMDQS6MNV2LYE:/var/lib/containers/storage/overlay/l/T53VMYIY7TBDCJBJU7BPZ64QEA:/var/lib/containers/storage/overlay/l/MGXCTOZ2XMVFJMEMPXCHGSYLHH,upperdir=/var/lib/containers/storage/overlay/0570853fcc89c81bb4bfa837a3c13b8b25fc888daa4e04090ef3770107b24e3e/diff,workdir=/var/lib/containers/storage/overlay/0570853fcc89c81bb4bfa837a3c13b8b25fc888daa4e04090ef3770107b24e3e/work)
proc on /proc type proc (rw,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,context="system_u:object_r:container_file_t:s0:c0,c11",gid=5,mode=620,ptmxmode=666)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime,seclabel)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,context="system_u:object_r:container_file_t:s0:c0,c11",mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,devices)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,memory)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,cpuset)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,freezer)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,cpuacct,cpu)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,pids)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,seclabel,net_prio,net_cls)
shm on /etc/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k)
tmpfs on /etc/resolv.conf type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /etc/hostname type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/rhel-root on /etc/ansible-service-broker type xfs (ro,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-root on /etc/hosts type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-root on /tmp/termination-log type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /run/secrets type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /etc/tls/private type tmpfs (ro,relatime,seclabel)
tmpfs on /run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime,seclabel)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k,mode=755)
tmpfs on /proc/timer_stats type tmpfs (rw,nosuid,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k,mode=755)
tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,context="system_u:object_r:container_file_t:s0:c0,c11",size=65536k,mode=755)
tmpfs on /proc/scsi type tmpfs (ro,relatime,seclabel)
tmpfs on /sys/firmware type tmpfs (ro,relatime,seclabel)

Comment 5 Jesus M. Rodriguez 2018-05-03 19:18:16 UTC
Without the auth mountpoint the broker will not be able to use basic auth. It currently looks in the /var/run/asb-auth mountpoint for two files, username and password, each of which contains a base64 encoded value.

If you are going to change the auth type in the configmap, we require that you create the volume mount and the secret before doing that change.

We documented what is required to create the secret, the volume mounts, and how to configure the service catalog to use the basic auth credentials.

https://github.com/openshift/ansible-service-broker/blob/master/docs/auth.md#basic-auth

Comment 6 Jian Zhang 2018-05-04 08:45:30 UTC
Jesus,

Thank you! I followed that doc and it works well!

1) create a secret:
[root@host-172-16-120-86 ~]# cat secret.yaml 
apiVersion: v1
kind: Secret
metadata:
  name: asb-auth-secret
  namespace: openshift-ansible-service-broker
data:
  username: amlhemhh
  password: cmVkaGF0

2) mount it:
[root@host-172-16-120-86 ~]# oc volumes dc/asb
deploymentconfigs/asb
  configMap/broker-config as config-volume
    mounted at /etc/ansible-service-broker
  secret/asb-tls as asb-tls
    mounted at /etc/tls/private
  secret/asb-auth-secret as asb-auth-volume
    mounted at /var/run/asb-auth
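A preflight check for the ordering requirement from comments 5 and 6 (create the secret and the volume mount before flipping broker-config to basic auth), added here as an example and not part of the broker project. It assumes only what the thread states: the broker reads the hard-coded directory /var/run/asb-auth and expects files named username and password there; the sample `oc volumes dc/asb` output is constructed from comments 4 and 6.

```shell
#!/bin/sh
# Preflight for enabling basic auth on the Ansible Service Broker (added example).
# The directory and file names come from comment 5; nothing else is assumed.
ASB_AUTH_DIR=/var/run/asb-auth

# asb_auth_mount_present: reads `oc volumes dc/asb` output on stdin and succeeds
# only if some volume is mounted at $ASB_AUTH_DIR.
# On a live cluster: oc volumes dc/asb | asb_auth_mount_present
asb_auth_mount_present() {
    grep -q "^[[:space:]]*mounted at ${ASB_AUTH_DIR}\$"
}

# asb_auth_files_present: succeeds only if DIR holds non-empty username and
# password files, which is what the broker reads from the mounted secret.
asb_auth_files_present() {
    dir=$1
    [ -s "$dir/username" ] && [ -s "$dir/password" ]
}

# preflight: dc description on stdin, directory to inspect as $1.
# Returns 0 when both the mount and the two files are in place; otherwise
# reports what is missing on stderr and returns 1, so a wrapper script can
# refuse to edit broker-config until the secret is actually mounted.
preflight() {
    dir=$1
    rc=0
    if ! asb_auth_mount_present; then
        echo "missing: volume mounted at $ASB_AUTH_DIR on dc/asb" >&2
        rc=1
    fi
    if ! asb_auth_files_present "$dir"; then
        echo "missing: non-empty username/password files under $dir" >&2
        rc=1
    fi
    return $rc
}

# Constructed samples: the dc from comment 4 (no auth mount, triggers the
# "open /var/run/asb-auth/username: no such file or directory" error) and
# the dc from comment 6 (secret asb-auth-secret mounted at /var/run/asb-auth).
BROKEN_DC='deploymentconfigs/asb
  configMap/broker-config as config-volume
    mounted at /etc/ansible-service-broker
  secret/asb-tls as asb-tls
    mounted at /etc/tls/private'
FIXED_DC="$BROKEN_DC
  secret/asb-auth-secret as asb-auth-volume
    mounted at /var/run/asb-auth"
```

Run `preflight` against the real `oc volumes dc/asb` output and an `oc rsh` view of the directory before `oc edit cm broker-config`; a non-zero exit means the rollout would reproduce the errors in the description.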

Comment 8 errata-xmlrpc 2018-07-30 19:14:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816

