Bug 999182 - Upgrade from OSE 1.1 to 1.2 breaks auth passthrough for JBossTools
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Upgrade
Version: 1.2.1
Hardware: Unspecified Unspecified
Priority: unspecified Severity: low
Assigned To: John W. Lamb
QA Contact: libra bugs
Reported: 2013-08-20 17:43 EDT by Luke Meyer
Modified: 2017-03-08 12 EST
Fixed In Version: openshift-enterprise-upgrade-broker-1.2.2-1
Doc Type: Bug Fix
Doc Text:
When upgrading from OpenShift Enterprise 1.1 to 1.2 some Broker authentication configuration settings were not added correctly to configuration files. The upgrade process incorrectly assumed the name of the configuration file and caused the JBoss Tools authentication to fail. The upgrade process has been fixed in the current release of OpenShift Enterprise. However, users are advised to manually add this setting as suggested by the oo-accept-broker script in broken installations.
Last Closed: 2013-09-25 11:30:22 EDT
Type: Bug
Description Luke Meyer 2013-08-20 17:43:29 EDT
Description of problem:

After an OSE 1.1->1.2 upgrade JBoss Dev Studio fails to publish (it just hangs).

Doing an oo-accept-broker I now get the following message:

"FAIL: Auth passthrough appears not to be enabled, which will break JBossTools and node-to-broker authentication and authentication tokens"

JBoss Dev Studio worked before the upgrade.
Comment 1 Luke Meyer 2013-08-20 17:50:40 EDT
The format for the remote auth httpd config file changed slightly between the releases. Previously there was a line in /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf that started with "BrowserMatchNoCase" which is updated by the upgrade to:

    SetEnvIfNoCase Authorization Bearer passthrough

However - the upgrade makes an assumption about the name of the conf file where this is configured. Technically it could be named anything. In the reported case it was named /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf to match the sample file it came from. Just copying the updated sample into place fixed the issue.

We can't really fix the issue that the file can be named anything. It is probably reasonable to give the 08-broker-fix-conf-remote-user upgrade script some latitude to update conf files with likely names. Conceivably this should be added to the release notes upgrade caveats.
Comment 3 John W. Lamb 2013-09-10 14:35:51 EDT
Pull request addressing this can be found at: https://github.com/openshift/enterprise/pull/31 - awaiting review
Comment 5 Johnny Liu 2013-09-11 08:33:20 EDT
Verified this bug with the following packages, and PASS.

openshift-enterprise-upgrade-broker-1.2.2-1.el6op.noarch
openshift-enterprise-upgrade-node-1.2.2-1.el6op.noarch

Before upgrade:
# cat openshift.conf 
<--snip-->
<Location /broker>
    AuthName "OpenShift broker API"
    AuthType Basic
    AuthUserFile /etc/openshift/htpasswd
    require valid-user

    # The node->broker auth is handled in the Ruby code
    BrowserMatchNoCase ^OpenShift passthrough
    Allow from env=passthrough

    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
    SetEnvIf X-Forwarded-For "^$" local_traffic=1
    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
    Allow from env=local_traffic

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
<--snip-->

After upgrade:
# cat /var/www/openshift/broker/httpd/conf.d/openshift.conf
<--snip-->
<Location /broker>
    AuthName "OpenShift broker API"
    AuthType Basic
    AuthUserFile /etc/openshift/htpasswd
    require valid-user

    # The node->broker auth is handled in the Ruby code
    SetEnvIfNoCase Authorization Bearer passthrough
    BrowserMatchNoCase ^OpenShift passthrough
    Allow from env=passthrough

    # Console traffic will hit the local port.  mod_proxy will set this header automatically.
    SetEnvIf X-Forwarded-For "^$" local_traffic=1
    # Turn the Console output header into the Apache environment variable for the broker remote-user plugin
    SetEnvIf X-Remote-User "(..*)" REMOTE_USER=$1
    Allow from env=local_traffic

    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
<--snip-->

And oo-accept-broker is PASS. JBoss Tools is working fine against the env.
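
Comment 1's idea of giving the upgrade step latitude over the conf file name can be done by matching on file content instead. The sketch below is an added example, not part of this bug thread and not the 08-broker-fix-conf-remote-user script; the function names, the .bak backup and the sample conf are constructed, and the line placement follows the "After upgrade" listing in Comment 5.

```shell
#!/bin/sh
# Added example (not the project's upgrade script): detect and fix the missing
# Bearer passthrough rule by file content, not by file name.

OLD_RE='^[[:space:]]*BrowserMatchNoCase[[:space:]].*passthrough'
NEW_RE='^[[:space:]]*SetEnvIfNoCase[[:space:]]+Authorization[[:space:]]+Bearer[[:space:]]+passthrough'

# List *.conf files in directory $1 that have the old passthrough rule
# but no "SetEnvIfNoCase Authorization Bearer passthrough" line.
find_unpatched() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$OLD_RE" "$f" && ! grep -Eq "$NEW_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Insert the Bearer rule above each old rule in file $1, reusing its
# indentation. The original is kept as $1.bak (assumed backup convention).
patch_conf() {
    cp -p "$1" "$1.bak" || return 1
    awk '/^[ \t]*BrowserMatchNoCase[ \t].*passthrough/ {
             line = $0
             sub(/BrowserMatchNoCase.*$/, "SetEnvIfNoCase Authorization Bearer passthrough", line)
             print line
         }
         { print }' "$1.bak" > "$1"
}

# Constructed sample: a pre-upgrade <Location /broker> block.
write_sample() {
    cat > "$1" <<'EOF'
<Location /broker>
    AuthType Basic
    require valid-user
    BrowserMatchNoCase ^OpenShift passthrough
    Allow from env=passthrough
    Order Deny,Allow
    Deny from all
    Satisfy any
</Location>
EOF
}

# Usage: sh fix-passthrough.sh /var/www/openshift/broker/httpd/conf.d
if [ $# -gt 0 ]; then
    find_unpatched "$1" | while IFS= read -r conf; do
        patch_conf "$conf" && echo "patched: $conf"
    done
fi
```

After patching, rerunning oo-accept-broker confirms whether the auth passthrough check now passes.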
Comment 8 errata-xmlrpc 2013-09-25 11:30:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1275.html
