Bug 1762816 - New web UI - cluster auth fails for remote cluster if local cluster exists and is not authenticated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcs
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 8.4
Assignee: Ivan Devat
QA Contact: cluster-qe@redhat.com
Docs Contact: Steven J. Levine
URL:
Whiteboard:
Depends On: 1743735
Blocks: 1552470 1996067 1999014
Reported: 2019-10-17 14:42 UTC by Tomas Jelinek
Modified: 2021-08-30 09:10 UTC (History)

Fixed In Version: pcs-0.10.8-1.el8
Doc Type: Bug Fix
Doc Text:
Cause: The user is connected to pcs web UI running in a cluster whose nodes are not authenticated. Consequence: It is not possible to authenticate remote clusters in the web UI. Fix: Inform the user the local cluster nodes are not authenticated and ask for their password. Result: Once the local cluster is authenticated, it is possible to authenticate the remote cluster.
Clone Of: 1743735
Environment:
Last Closed: 2021-05-18 15:12:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Tomas Jelinek 2019-10-17 14:42:22 UTC
+++ This bug was initially created as a clone of Bug #1743735 +++

+++ This bug was initially created as a clone of Bug #1264886 +++

> Description of problem:

If a local cluster exists on a pcsd GUI machine (i.e. the machine itself is part of any cluster) and this machine's pcsd is not authenticated to itself (i.e. to the local cluster), any authentication performed against any other remote cluster will fail.

This is because pcsd finds the local cluster configuration and fails on its auth before the remote cluster is ever checked.

If no local cluster exists or is authenticated properly, this problem doesn't happen. Performing local auth first can be used as a workaround.


> Version-Release number of selected component (if applicable):

pcs-0.9.143-9.el7


> How reproducible:

Always


> Steps to Reproduce:

1. Create local cluster and add it to GUI
2. Create remote cluster and add it to GUI
3. Remove all tokens on the GUI node (rm /var/lib/pcsd/tokens)
4. Try to authenticate the remote cluster from GUI


> Actual results:

Auth fails.


> Expected results:

Auth passes.

--- Additional comment from Tomas Jelinek on 2019-06-14 16:12:32 CEST ---

In this case, authentication succeeds. The issue is tokens cannot be saved to the local cluster as the cluster nodes are not authenticated to each other. Pcsd backend needs to send a result of saving / synchronizing tokens (error/success, error messages) to JS frontend. JS frontend should display those messages in case of a failure.

CLI properly informs about the situation:
# pcs cluster auth rh69-node1
Username: hacluster
Password: 
rh69-node1: Authorized
Error: Unable to synchronize and save tokens on nodes: rh76-node1, rh76-node2. Are they authorized?

Comment 1 Tomas Jelinek 2019-10-17 14:45:03 UTC
In bz1743735, the bug got fixed in web UI backend and current web UI frontend. The purpose of this bz is to fix the new web UI.

Comment 14 Michal Mazourek 2021-02-05 09:21:44 UTC
BEFORE:
=======

[root@virt-031 ~]# rpm -q pcs
pcs-0.10.7-3.el8.x86_64


## Create 2 clusters, local & remote

[root@virt-031 ~]# pcs cluster setup local virt-031 --start --wait
{...}
[root@virt-032 ~]# pcs cluster setup remote virt-032 --start --wait
{...}


## web ui steps

1. Open new web UI: https://virt-031.cluster-qe.lab.eng.brq.redhat.com:2224/ui/
2. Log in
3. Click 'Add existing cluster' and proceed with adding the local and remote clusters
4. Remove tokens on the node from the local cluster
	[root@virt-031 ~]# rm /var/lib/pcsd/known-hosts
5. Click on remote cluster
6. Error message "Warning alert:Not authorized against node(s) virt-032"
7. The same problem on local cluster: "Not authorized against node(s) virt-031"

> No possibility to auth against nodes now


AFTER:
======

[root@virt-058 ~]# rpm -q pcs
pcs-0.10.8-1.el8.x86_64


## Create 2 clusters, local & remote

[root@virt-058 ~]# pcs cluster setup local virt-058 --start --wait
{...}
[root@virt-059 ~]# pcs cluster setup remote virt-059 --start --wait
{...}


## web ui steps

1. Open new web UI: https://virt-058.cluster-qe.lab.eng.brq.redhat.com:2224/ui/
2. Log in
3. Click 'Add existing cluster' and proceed with adding the local and remote clusters
4. Remove tokens on the node from the local cluster
	[root@virt-058 ~]# rm /var/lib/pcsd/known-hosts
5. Click on remote cluster
6. Error message: 
	Cluster is not authenticated against nodes
	Unauthenticated nodes: virt-059 

7. There is a new button "Fix authentication"
8. Specify Password and optional Address
9. Click 'Authenticate'
10. The process needs to authenticate local cluster as well:
	Authentication node error
	Unable to save new cluster settings as the local cluster nodes (virt-058) are not authenticated. Please, authenticate them as well.
11. Specify Password for the local cluster as well (and optional Address)
12. Click 'Authenticate'
	Nodes sucessfully authenticated
	Nodes virt-059, virt-058 has been sucessfully authenticated.
13. Both clusters are authenticated again

> It is now possible to fix authentication in the new web UI

Note: There is a typo in 'sucessfully', will be resolved in RHEL 8.5


Marking as VERIFIED for pcs-0.10.8-1.el8
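
A small model of the flow verified above, added here as an illustration and not taken from pcs or from this bug report: authenticating a node and saving its token are separate steps, and the save needs a token for every local cluster node. All function names, credentials and token values are constructed assumptions; only the host names and the known-hosts path come from the report.

```python
# Added model of the flow in this bug; every name here is hypothetical, not pcs code.
VALID = {"virt-058": "pw-local", "virt-059": "pw-remote"}  # constructed credentials


def auth_and_save(targets, passwords, local_nodes, known_hosts):
    """Authenticate targets, then save tokens only if every local node has one."""
    auth = {n: passwords.get(n) == VALID.get(n) for n in targets}
    new_tokens = {n: f"token-{n}" for n, ok in auth.items() if ok}
    merged = {**known_hosts, **new_tokens}
    missing_local = sorted(n for n in local_nodes if n not in merged)
    saved = all(auth.values()) and not missing_local
    if saved:
        known_hosts.update(new_tokens)
    # Auth result and save result are reported separately, never merged into one flag.
    return {"auth": auth, "saved": saved, "local_unauthenticated": missing_local}


def collapsed_view(result):
    """Pre-fix style: a single pass/fail, so a save failure looks like an auth failure."""
    return "auth ok" if result["saved"] else "auth failed"


def detailed_view(result):
    """Post-fix style: tell the user which step failed and what to do next."""
    failed = sorted(n for n, ok in result["auth"].items() if not ok)
    if failed:
        return ("retry_password", failed)
    if result["local_unauthenticated"]:
        return ("authenticate_local_nodes", result["local_unauthenticated"])
    return ("done", sorted(result["auth"]))


def demo():
    known_hosts = {}  # state after /var/lib/pcsd/known-hosts was removed
    local = ["virt-058"]
    first = auth_and_save(["virt-059"], {"virt-059": "pw-remote"}, local, known_hosts)
    second = auth_and_save(["virt-059", "virt-058"], VALID, local, known_hosts)
    return first, second, known_hosts


if __name__ == "__main__":
    first, second, hosts = demo()
    print(collapsed_view(first), detailed_view(first))
    print(detailed_view(second), sorted(hosts))
```

The first call mirrors steps 8 to 10 of the AFTER run (remote password accepted, save refused because of the local node), and the second mirrors steps 11 to 13.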

Comment 16 errata-xmlrpc 2021-05-18 15:12:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1737

