MAAS-RBAC inconsistent login behavior

Bug #1887877 reported by Hua Zhang
Affects: MAAS
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none set)

Bug Description

The login behaviour of MAAS with rbac is erratic, for example:

1. I can log in as johndoe (johndoe is admin for rbac) in MAAS (http://node1.lan:5240/MAAS) - https://imgur.com/a/g45dALC
2. I can also log in as johndoe in rbac (https://node1.lan:5000) - https://imgur.com/a/wKIGdf1
3. Log out from johndoe, then log in as user5 - https://imgur.com/a/pAxk2Ev

# log from maas regiond

2020-07-17 03:23:32 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningserver.rpc.clusterservice.ClusterClientService)
2020-07-17 03:24:00 regiond: [info] 192.168.99.135 POST /MAAS/accounts/login/ HTTP/1.1 --> 400 BAD_REQUEST (referrer: http://node1.lan:5240/MAAS/r/machines; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:24:02 regiond: [info] 127.0.0.1 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningserver.rpc.clusterservice.ClusterClientService)

# no log entries from maas rackd, rbac's nginx, rbac's uwsgi, or candid

4. There is no user5 in the rbac portal now - https://imgur.com/a/37f9ld7

5. We can see this user if we log in as this user to the rbac portal directly (e.g. user4 here - https://imgur.com/a/MKtVMxz)

6. We set user4 as admin from the rbac portal (https://imgur.com/a/TEefcqa), but we saw 'Access denied' when using user4 to log in to the rbac portal (https://imgur.com/a/CjxFPJI); we can log in as user4 from the maas portal (https://imgur.com/a/fNKrMyy) but the maas portal doesn't jump (https://imgur.com/a/70al1rj)

# maas log when logging in to maas as user4

2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS HTTP/1.1 --> 302 FOUND (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/?next=%2FMAAS%2F HTTP/1.1 --> 302 FOUND (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/r/ HTTP/1.1 --> 200 OK (referrer: -; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/login/ HTTP/1.1 --> 200 OK (referrer: http://node1.lan:5240/MAAS/r/; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)
2020-07-17 03:47:41 regiond: [info] 192.168.99.135 GET /MAAS/accounts/discharge-request/ HTTP/1.1 --> 401 UNAUTHORIZED (referrer: http://node1.lan:5240/MAAS/r/; agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0)

Tags: sts
Revision history for this message
Hua Zhang (zhhuabj) wrote :

After a lot of debugging, I finally solved this problem. The root cause is the exception 'django.db.utils.IntegrityError: duplicate key value violates unique constraint "auth_user_email_1c89df09_uniq"'.

MAAS is now forcing LDAP/candid/rbac to pass on the email attribute, so I fixed the problem by:

1. Add an attribute email for my test user 'user4'

sudo bash -c 'cat > addmail.ldif' << EOF
dn: cn=user4,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: <email address hidden>
EOF

# ldapmodify -a -H ldap://node1.lan:389 -D "cn=admin,dc=test,dc=com" -W -f ./addmail.ldif
modifying entry "cn=user4,ou=users,dc=test,dc=com"
# ldapsearch -h node1.lan -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com uid=user4 |grep mail
mail: <email address hidden>

2. Add 'email: mail' to /var/snap/candid/current/config.yaml, and restart candid with 'snap restart candid'

# grep -r mail /var/snap/candid/current/config.yaml -B 2
  user-query-attrs:
    id: uid
    email: mail

Now maas DB looks good.

maasdb=# select * from auth_user where username='user4';
 id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined
----+----------+-------------------------------+--------------+----------+------------+-----------+-----------------+----------+-----------+-------------------------------
 49 | | 2020-07-23 15:53:34.120605+08 | t | user4 | | | <email address hidden> | f | t | 2020-07-23 15:51:01.110162+08
(1 row)

and I can successfully log into maas as user4 now (https://imgur.com/a/4j6fMHR).

Revision history for this message
Hua Zhang (zhhuabj) wrote :

A question in my mind: do we have to add the constraint auth_user_email_1c89df09_uniq for auth_user?

vim ./src/maasserver/testing/initial.maas_test.sql
...
ALTER TABLE ONLY public.auth_user
    ADD CONSTRAINT auth_user_email_1c89df09_uniq UNIQUE (email);

Revision history for this message
Alberto Donato (ack) wrote :

The constraint on email uniqueness is created (and required) by Django itself.

It should be made clear in the setup instructions for candid that the email is a required attribute for MAAS.

Changed in maas:
status: New → Triaged
importance: Undecided → Medium
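The failure mode this thread pins down, a unique constraint on email colliding when the identity provider returns no email attribute, modelled as an added example (not MAAS, Django or Candid code). It uses an in-memory SQLite table standing in for auth_user, with the constraint name taken from the traceback above; the usernames and addresses are constructed, and the "naive" and "checked" provisioning functions are hypothetical, showing the opaque IntegrityError beside a version that rejects the login with a message pointing at the Candid config and LDAP attribute the fix touched:

```python
import sqlite3

# Constructed stand-in for MAAS's auth_user table. The named UNIQUE constraint
# on email mirrors the one Django creates and that the traceback in this bug
# names; the rest of the schema is reduced to the columns the example needs.
SCHEMA = """
CREATE TABLE auth_user (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL,
    CONSTRAINT auth_user_email_1c89df09_uniq UNIQUE (email)
);
"""


class IdentityAttributeError(ValueError):
    """The identity provider did not return a usable email for this account."""


class DuplicateEmailError(IdentityAttributeError):
    """The returned email already belongs to another local account."""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def provision_user_naive(conn, identity):
    """First-login provisioning that trusts the identity provider blindly.

    A missing 'email' attribute is stored as the empty string. The first such
    user is inserted fine; the second one trips the UNIQUE constraint with an
    IntegrityError, which surfaces as the 'some users can log in, some cannot'
    behaviour reported above.
    """
    conn.execute(
        "INSERT INTO auth_user (username, email) VALUES (?, ?)",
        (identity["username"], identity.get("email", "")),
    )
    conn.commit()


def provision_user_checked(conn, identity):
    """First-login provisioning that validates attributes before touching the DB."""
    username = identity["username"]
    email = identity.get("email", "").strip()
    if not email:
        # Point the operator at the two places the fix in this thread touched.
        raise IdentityAttributeError(
            f"no email attribute for {username!r}: check 'email:' under "
            "user-query-attrs in candid's config.yaml and the mail attribute "
            "on the LDAP entry"
        )
    try:
        conn.execute(
            "INSERT INTO auth_user (username, email) VALUES (?, ?)",
            (username, email),
        )
    except sqlite3.IntegrityError as exc:
        # Two distinct directory accounts sharing one mail address would also
        # violate the constraint; refuse the mapping instead of failing opaquely.
        raise DuplicateEmailError(
            f"email {email!r} for {username!r} is already mapped to another account"
        ) from exc
    conn.commit()


def simulate_logins(provision, identities):
    """Run a series of first-time logins and return (username, outcome) pairs."""
    conn = new_db()
    outcomes = []
    for identity in identities:
        try:
            provision(conn, identity)
            outcomes.append((identity["username"], "ok"))
        except DuplicateEmailError:
            outcomes.append((identity["username"], "rejected_duplicate_email"))
        except IdentityAttributeError:
            outcomes.append((identity["username"], "rejected_missing_email"))
        except sqlite3.IntegrityError:
            outcomes.append((identity["username"], "integrity_error"))
    return outcomes


# Constructed sample identities, shaped like what an LDAP-backed identity
# provider might hand back: two accounts without a mail attribute, one with
# it, and one reusing another account's address. Names and addresses invented.
SAMPLE_IDENTITIES = [
    {"username": "johndoe"},
    {"username": "user5"},
    {"username": "user4", "email": "user4@example.test"},
    {"username": "user6", "email": "user4@example.test"},
]


if __name__ == "__main__":
    for provision in (provision_user_naive, provision_user_checked):
        print(provision.__name__)
        for username, outcome in simulate_logins(provision, SAMPLE_IDENTITIES):
            print(f"  {username:<8} {outcome}")
```

The naive run shows why the symptom looks erratic: whichever email-less account logs in first succeeds, every later one fails on the constraint. The checked run turns both the missing-attribute case and the shared-address case into explicit rejections, which is also where a deployment would want to log the offending username rather than a bare 400.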
Revision history for this message
Jerzy Husakowski (jhusakowski) wrote :

Doc issue, related to configuration of candid.

Changed in maas:
status: Triaged → Invalid