Bug 1846256 - SSO allows all engine users to login to grafana
Summary: SSO allows all engine users to login to grafana
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-dwh
Classification: oVirt
Component: Setup
Version: 4.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.4.4
: 4.4.1.2
Assignee: Shirly Radco
QA Contact: Pavel Novotny
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-11 08:38 UTC by Yedidyah Bar David
Modified: 2021-03-07 09:15 UTC
4 users

Fixed In Version: ovirt-engine-dwh-4.4.1.2
Clone Of:
Environment:
Last Closed: 2020-08-05 06:25:20 UTC
oVirt Team: Metrics
Embargoed:
pm-rhel: ovirt-4.4+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1807323 | 0 | unspecified | CLOSED | Rebase of Grafana | 2023-05-01 09:08:46 UTC
Red Hat Bugzilla | 1835163 | 0 | high | CLOSED | Configure role-mapping on SSO to grafana | 2021-04-26 08:17:28 UTC
Red Hat Bugzilla | 1856097 | 0 | unspecified | CLOSED | Login attempt with non-admin user to Grafana via oVirt Engine Auth returns HTTP 500 error | 2021-02-22 00:41:40 UTC
oVirt gerrit | 109606 | 0 | master | MERGED | grafana: Do not automatically create users via SSO | 2021-02-17 07:03:20 UTC

Internal Links: 1835163

Description Yedidyah Bar David 2020-06-11 08:38:40 UTC
Description of problem:

We currently allow all authenticated engine users to login to grafana via SSO, potentially letting them see information they are not supposed to see.

A proper fix for this is probably part of bug 1835163, but we need something before it's fixed.

For now, I am going to disable automatic creation of a grafana user with SSO.

This means that the admin will have to create/invite new users manually, and SSO will only work after they are manually created.

SSO identification is done on the email address of the user in the engine (this is already true, but required less attention if users are created automatically).

Version-Release number of selected component (if applicable):
Current master

How reproducible:
Always

Steps to Reproduce:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Actual results:
Works

Expected results:
Fails

Additional info:

If we indeed fix as described, letting access to such a user requires:

1. Set an email address for the user in the engine, if it does not already have one

2. Login to grafana with an existing admin (the initial admin, at first)

3. Go to: Configuration -> Users, Invite

4. Input the email address and name, select role

5. Send the invitation - either let grafana do this with "Send invite mail",

6. Or: Press "Pending Invites", locate the one you want, and press "Copy invite"

7. Then Copy (press Ctrl-C) and use this link to create the account (by using it yourself or sending to the user).

8. After the account is created, and if indeed there is an engine-side user with the same email address, SSO will work for this user.
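The setting at the heart of this report is whether a successful SSO login is allowed to create a Grafana account. As an added example (not code from the bug report or from the oVirt project), the audit below reads a constructed grafana.ini fragment and flags the weak state, then rewrites it to the mitigated state described above, where only accounts an admin has created or invited can log in via SSO. It assumes Grafana's `[auth.generic_oauth]` section and its `allow_sign_up` option; the engine host name, URLs, scopes and client id in the fragment are placeholders.

```python
import configparser
from io import StringIO

# Constructed grafana.ini fragment for the weak state described in this bug:
# any engine user who completes SSO gets a Grafana account on first login.
# Host name, paths, scopes and client id are placeholders, not oVirt's values.
WEAK_INI = """\
[auth.generic_oauth]
enabled = true
name = oVirt Engine Auth
allow_sign_up = true
client_id = placeholder-client-id
scopes = openid profile email
auth_url = https://engine.example.invalid/placeholder/authorize
token_url = https://engine.example.invalid/placeholder/token
api_url = https://engine.example.invalid/placeholder/userinfo
"""

SECTION = "auth.generic_oauth"


def _parse(ini_text):
    # Grafana ini values may contain "%"; disable interpolation so they parse.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg


def audit_sso_signup(ini_text):
    """Return a list of findings (an empty list means SSO sign-up is restricted)."""
    cfg = _parse(ini_text)
    findings = []
    if not cfg.has_section(SECTION):
        return findings                      # generic OAuth SSO not configured
    if not cfg.getboolean(SECTION, "enabled", fallback=False):
        return findings                      # configured but switched off
    if not cfg.has_option(SECTION, "allow_sign_up"):
        # Do not rely on the default: require the operator to state it.
        findings.append("allow_sign_up is not set explicitly; set it to false "
                        "so that SSO only works for accounts an admin created")
    elif cfg.getboolean(SECTION, "allow_sign_up"):
        findings.append("allow_sign_up = true: every engine user who can "
                        "authenticate gets a Grafana account on first login")
    return findings


def disable_auto_signup(ini_text):
    """Rewrite the fragment so SSO logins no longer create Grafana users.

    This is the mitigation the bug describes: the admin must then create or
    invite each user, and SSO matches the account by e-mail address.
    """
    cfg = _parse(ini_text)
    if cfg.has_section(SECTION):
        cfg.set(SECTION, "allow_sign_up", "false")
    out = StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit_sso_signup(WEAK_INI):
        print("FINDING:", finding)
    hardened = disable_auto_signup(WEAK_INI)
    print(hardened)
    print("findings after hardening:", audit_sso_signup(hardened))
```

Role mapping from engine groups to Grafana roles (the fuller fix tracked in bug 1835163) is deliberately not modelled here; with sign-up disabled, the role each invited user receives is the one the admin selects in the invitation.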

Comment 1 Pavel Novotny 2020-07-12 16:35:35 UTC
Verified in
ovirt-engine-4.4.1.8-0.7.el8ev.noarch
ovirt-engine-dwh-4.4.1.2-1.el8ev.noarch

Verified with reproducer from comment 0:
1. Install and setup engine+dwh+grafana
2. Create on the engine a non-admin user, login with this user to the VM portal
3. Try to login to grafana with 'Sign in with oVirt Engine Auth'

Result:
HTTP 500 error page (see separate bug 1856097).


Login with an admin user works well.


I move this bug to VERIFIED as the functionality no longer allows a non-admin or uninvited user to access Grafana.
The error page is tracked separately in bug 1856097.

Comment 3 Yedidyah Bar David 2020-07-28 07:01:58 UTC
Eli - I rewrote the doc text to clarify the current status (with current bug fixed). Feel free to amend as needed, and in particular to include more detailed steps for how to create/invite users (you can base it on comment 0), or open a doc bug to add this to the main docs.

When I initially wrote comment 0, it described a bug - a current bad behavior (allow all users to login). Now, this behavior is fixed, but at the expense of degraded functionality (impossible to auto-create users). I am writing this to clarify that in your text, "allows" actually refers to the situation before the fix (which, for RHV, does not exist, because we never released RHV with current bug unfixed), and "Workaround" is not a workaround but simply the behavior. So if you want to keep your own text with as few changes as possible, it can be e.g.:

The Grafana dashboard allowed any authenticated oVirt engine user to log in using Single Sign-On (SSO). 
With this version, automatic creation of Grafana SSO users has been disabled. A Grafana Admin user must create or invite a new user manually.

But as I said, this does not apply to RHV, because it was never released with current bug unfixed.

Comment 4 Lucie Leistnerova 2020-07-30 14:13:38 UTC
Didi, please add to the doc text that when DWH is installed on a separate machine, an smtp server must be installed/configured to send the emails.

Comment 5 Yedidyah Bar David 2020-08-04 06:03:52 UTC
(In reply to Lucie Leistnerova from comment #4)
> Didi, please add to the doc text that when DWH is installed on a separate
> machine, an smtp server must be installed/configured to send the emails.

Why is it specific to separate machine?

I think you refer to the emails with invitation links, right?
I think this applies always, currently.

I personally didn't let it send emails but copy/pasted, see step 6 of the "Additional info" in comment 0.

Eli - can you please add this "Additional info" text to the main docs, or perhaps just to doc text here? Thanks. Then, also add there something like:

For using "Send invite mail", you first have to configure postfix to allow sending outgoing email.

Comment 6 Sandro Bonazzola 2020-08-05 06:25:20 UTC
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
