MAAS-RBAC inconsistent login behavior
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Invalid | Medium | Unassigned |
Bug Description
The login behaviour of MAAS with rbac is erratic, for example:
1, I can log in as johndoe (johndoe is admin for rbac) in MAAS (http://
2, I can also log in as johndoe in rbac (https:/
3, Log out from johndoe, then log in as user5 - https:/
# log from maas regiond
2020-07-17 03:23:32 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningser
2020-07-17 03:24:00 regiond: [info] 192.168.99.135 POST /MAAS/accounts/
2020-07-17 03:24:02 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningser
# nothing logged from maas rackd, rbac's nginx, rbac's uwsgi, or candid
4, there is no user5 from rbac portal now - https:/
5, we can see this user if we log in as this user to rbac portal directly (eg: user4 here - https:/
6, we set user4 as admin from rbac portal (https:/
# maas log when logging in to maas as user4
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS HTTP/1.1 --> 302 FOUND (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/?
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/r/ HTTP/1.1 --> 200 OK (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/
tags: added: sts
description: updated
After a lot of debugging, I finally solved this problem. The root cause is the exception 'django.db.utils.IntegrityError: duplicate key value violates unique constraint "auth_user_email_1c89df09_uniq"'.
MAAS is now forcing LDAP/candid/rbac to pass on the email attribute, so I fixed the problem by:
1, Add an attribute email for my test user 'user4'
sudo bash -c 'cat > addmail.ldif' << EOF
dn: cn=user4,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: <email address hidden>
EOF
# ldapmodify -a -H ldap://node1.lan:389 -D "cn=admin,dc=test,dc=com" -W -f ./addmail.ldif
modifying entry "cn=user4,ou=users,dc=test,dc=com"
# ldapsearch -h node1.lan -x -w crapper -D "cn=admin,dc=test,dc=com" -b dc=test,dc=com uid=user4 | grep mail
mail: <email address hidden>
2, add 'email: mail' into /var/snap/candid/current/config.yaml, and restart candid by 'snap restart candid'
# grep -r mail /var/snap/candid/current/config.yaml -B 2
user-query-attrs:
  id: uid
  email: mail
Now the maas DB looks good.
maasdb=# select * from auth_user where username='user4';
 id | password | last_login                    | is_superuser | username | first_name | last_name | email                  | is_staff | is_active | date_joined
----+----------+-------------------------------+--------------+----------+------------+-----------+------------------------+----------+-----------+-------------------------------
 49 |          | 2020-07-23 15:53:34.120605+08 | t            | user4    |            |           | <email address hidden> | f        | t         | 2020-07-23 15:51:01.110162+08
(1 row)
and I can successfully log into maas as user4 now (https://imgur.com/a/4j6fMHR).