[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16449801#comment-16449801
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
---------------------------------------------
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-383921632
Merged based on test results and code review.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -------------------------------------------------------------
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
> Affects Versions: 4.11.0.0
> Reporter: Olivier Lemasle
> Assignee: Olivier Lemasle
> Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":9999,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
