MAAS-RBAC inconsistent login behavior

Bug #1887877 reported by Hua Zhang on 2020-07-17
Affects: MAAS; Importance: Medium; Assigned to: Unassigned

Bug Description

The login behaviour of MAAS with rbac is erratic, for example:

1, I can log in as johndoe (johndoe is admin for rbac) in MAAS (http://node1.lan:5240/MAAS) - https://imgur.com/a/g45dALC
2, I can also log in as johndoe in rbac (https://node1.lan:5000) - https://imgur.com/a/wKIGdf1
3, Log out from johndoe, then log in as user5 - https://imgur.com/a/pAxk2Ev

# log from maas regiond

2020-07-17 03:23:32 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningserver.rpc.clusterservice.ClusterClientService)
2020-07-17 03:24:00 regiond: [info] 192.168.99.135 POST /MAAS/accounts/login/ HTTP/1.1 --> 400 BAD_REQUEST (referrer: http://node1.lan:5240/MAAS/r/machines; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:24:02 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningserver.rpc.clusterservice.ClusterClientService)

# nothing logged from maas rackd, rbac's nginx, rbac's uwsgi or candid

4, there is no user5 in the rbac portal now - https://imgur.com/a/37f9ld7

5, we can see this user if we log in as this user to rbac portal directly (eg: user4 here - https://imgur.com/a/MKtVMxz)

6, we set user4 as admin from the rbac portal (https://imgur.com/a/TEefcqa), but we saw 'Access denied' when using user4 to log in to the rbac portal (https://imgur.com/a/CjxFPJI); we can log in as user4 from the maas portal (https://imgur.com/a/fNKrMyy), but the maas portal doesn't jump (https://imgur.com/a/70al1rj)

# maas log when logging in to maas as user4

2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS HTTP/1.1 --> 302 FOUND (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/?next=%2FMAAS%2F HTTP/1.1 --> 302 FOUND (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/r/ HTTP/1.1 --> 200 OK (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/login/ HTTP/1.1 --> 200 OK (referrer: http://node1.lan:5240/MAAS/r/; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/discharge-request/ HTTP/1.1 --> 401 UNAUTHORIZED (referrer: http://node1.lan:5240/MAAS/r/; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)

Tags: sts
Hua Zhang (zhhuabj) on 2020-07-17
tags: added: sts
description: updated
Hua Zhang (zhhuabj) wrote :

After a lot of debugging, I finally solved this problem. The root cause is the exception 'django.db.utils.IntegrityError: duplicate key value violates unique constraint "auth_user_email_1c89df09_uniq'.

MAAS is now forcing LDAP/candid/rbac to pass on the email attribute, so I fixed the problem by:

1, Add an attribute email for my test user 'user4'

sudo bash -c 'cat > addmail.ldif' << EOF
dn: cn=user4,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: <email address hidden>
EOF

# ldapmodify -a -H ldap://node1.lan:389 -D "cn=admin,dc=test,dc=com" -W -f ./addmail.ldif
modifying entry "cn=user4,ou=users,dc=test,dc=com"
# ldapsearch -h node1.lan -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com uid=user4 |grep mail
mail: <email address hidden>

2, add 'email: mail' into /var/snap/candid/current/config.yaml, and restart candid by 'snap restart candid'

# grep -r mail /var/snap/candid/current/config.yaml -B 2
  user-query-attrs:
    id: uid
    email: mail

Now maas DB looks good.

maasdb=# select * from auth_user where username='user4';
 id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined
----+----------+-------------------------------+--------------+----------+------------+-----------+-----------------+----------+-----------+-------------------------------
 49 | | 2020-07-23 15:53:34.120605+08 | t | user4 | | | <email address hidden> | f | t | 2020-07-23 15:51:01.110162+08
(1 row)

and I can successfully log into maas as user4 now (https://imgur.com/a/4j6fMHR).

Hua Zhang (zhhuabj) wrote :

A question in my mind, do we have to add constraint auth_user_email_1c89df09_uniq for auth_user?

vim ./src/maasserver/testing/initial.maas_test.sql
...
ALTER TABLE ONLY public.auth_user
    ADD CONSTRAINT auth_user_email_1c89df09_uniq UNIQUE (email);

Alberto Donato (ack) wrote :

The constraint on email uniqueness is created (and required) by django itself.

It should be made clear in the setup instructions for candid that the email is a required attribute for MAAS.
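As an added example (not MAAS or Candid code), the collision Hua hit and the Django-owned constraint Alberto refers to, reproduced on an in-memory SQLite copy of auth_user. It assumes MAAS stores a missing email as Django's empty-string CharField default, which is what makes two email-less external users collide; the usernames and addresses are constructed sample data.

```python
# Added example (not MAAS or Candid code): reproduce the auth_user email
# collision behind the 400 BAD_REQUEST in this report with an in-memory
# SQLite table shaped like Django's auth_user.
import sqlite3

# Django keeps email NOT NULL (blank allowed); MAAS's schema adds the UNIQUE
# constraint the reporter found in initial.maas_test.sql.
SCHEMA = """
CREATE TABLE auth_user (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL,
    CONSTRAINT auth_user_email_uniq UNIQUE (email)
);
"""


def provision_user(conn, username, email):
    """Mimic MAAS creating a local Django user for an external identity.
    Assumption: an email the identity provider did not supply becomes
    Django's CharField default '' (never NULL), so email-less users collide."""
    conn.execute(
        "INSERT INTO auth_user (username, email) VALUES (?, ?)",
        (username, "" if email is None else email),
    )


def simulate_logins(identities):
    """identities: list of (username, email or None) as the IdP returns them.
    Returns {username: 'ok' | 'IntegrityError: ...'} in login order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    results = {}
    for username, email in identities:
        try:
            with conn:  # commit on success, roll back on error
                provision_user(conn, username, email)
            results[username] = "ok"
        except sqlite3.IntegrityError as exc:
            results[username] = f"IntegrityError: {exc}"
    return results


# Constructed sample identities. Before the fix, Candid's user-query-attrs has
# no 'email: mail' mapping, so neither user carries an address.
BEFORE_FIX = [("johndoe", None), ("user5", None)]
# After adding the mapping and a mail attribute in LDAP, addresses are distinct.
AFTER_FIX = [("johndoe", "johndoe@example.test"), ("user5", "user5@example.test")]

if __name__ == "__main__":
    for label, ids in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, simulate_logins(ids))
```

The first email-less user is created fine; it is the second one that trips the constraint, which matches johndoe logging in and user5 then getting 400 BAD_REQUEST.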

Changed in maas:
status: New → Triaged
importance: Undecided → Medium