Bug 1743735 - [GUI] 'pcs cluster auth' fails for remote cluster if local cluster exists and is not authenticated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcs
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Tomas Jelinek
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1762816
Reported: 2019-08-20 14:47 UTC by Tomas Jelinek
Modified: 2023-02-19 10:46 UTC

Fixed In Version: pcs-0.10.3-1.el8
Doc Type: Bug Fix
Doc Text:
Cause: The user is connected to pcs web UI running in a cluster whose nodes are not authenticated.
Consequence: It is not possible to authenticate remote clusters in the web UI.
Fix: Inform the user the local cluster nodes are not authenticated and ask for their password.
Result: Once the local cluster is authenticated, it is possible to authenticate the remote cluster.
Clone Of: 1264886
Clones: 1762816
Environment:
Last Closed: 2020-04-28 15:27:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
proposed fix (18.13 KB, patch), 2019-10-15 11:57 UTC, Tomas Jelinek


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-26737 | 0 | None | None | None | 2023-02-19 10:46:55 UTC
Red Hat Product Errata | RHEA-2020:1568 | 0 | None | None | None | 2020-04-28 15:28:14 UTC

Description Tomas Jelinek 2019-08-20 14:47:37 UTC
+++ This bug was initially created as a clone of Bug #1264886 +++

> Description of problem:

If a local cluster exists on a pcsd GUI machine (i.e. the machine itself is part of any cluster) and this machine's pcsd is not authenticated to itself (i.e. to the local cluster), any authentication performed against any other remote cluster will fail.

This is because pcsd finds the local cluster configuration and fails on its auth before the remote cluster is ever checked.

If no local cluster exists or is authenticated properly, this problem doesn't happen. Performing local auth first can be used as a workaround.


> Version-Release number of selected component (if applicable):

pcs-0.9.143-9.el7


> How reproducible:

Always


> Steps to Reproduce:

1. Create local cluster and add it to GUI
2. Create remote cluster and add it to GUI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from GUI


> Actual results:

Auth fails.


> Expected results:

Auth passes.

--- Additional comment from Tomas Jelinek on 2019-06-14 16:12:32 CEST ---

In this case, authentication succeeds. The issue is tokens cannot be saved to the local cluster as the cluster nodes are not authenticated to each other. Pcsd backend needs to send a result of saving / synchronizing tokens (error/success, error messages) to JS frontend. JS frontend should display those messages in case of a failure.

CLI properly informs about the situation:
# pcs cluster auth rh69-node1
Username: hacluster
Password: 
rh69-node1: Authorized
Error: Unable to synchronize and save tokens on nodes: rh76-node1, rh76-node2. Are they authorized?

Comment 2 Tomas Jelinek 2019-10-15 11:57:28 UTC
Created attachment 1625972 [details]
proposed fix

Test:
1. Create a local cluster and add it to web UI
2. Create a remote cluster and add it to web UI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from web UI
5. Web UI informs the user that the local cluster nodes are not authenticated and asks for their password
6. Once the local cluster is authenticated, it is possible to authenticate the remote cluster

Comment 3 Miroslav Lisik 2019-10-23 15:28:47 UTC
After fix:

[root@r81-node-01 ~]# rpm -q pcs
pcs-0.10.3-1.el8.x86_64

1. Created and added clusters into GUI on node r81-node-01:
  * Cluster1: r81-node-01, r81-node-02
  * Cluster2: r81-node-03, r81-node-04
2. Removed file '/var/lib/pcsd/known-hosts' from node r81-node-01
3. Reloaded GUI page "MANAGE CLUSTERS" (it also reloads by itself after a few seconds)
4. Selected Cluster2 (the other cluster without the GUI node) in GUI on "MANAGE CLUSTER" page
There is information on the right side of the page:
Errors:
    Unable to connect to the cluster.
Warnings:
    GUI is not authorized against node(s) r81-node-01, r81-node-02
    There are few authentication problems. To fix them, click here.
5. Clicked on the "here" link
6. Dialog "Authentication of nodes" for Cluster2's nodes appeared.
7. Filled password for nodes
8. Clicked on Authenticate button
9. A dialog window appeared with message:
Unable to save new cluster settings as the local cluster nodes are not authenticated. Please, authenticate them as well
10. Clicked OK
11. Another dialog window appeared with message:
Authentication failed.
12. Clicked OK.
13. Dialog "Authentication of nodes" for Cluster1's nodes appeared.
14. Filled password for the nodes
15. Clicked Authenticate.
16. Authentication succeeded

Comment 7 errata-xmlrpc 2020-04-28 15:27:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1568
