[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16449813#comment-16449813
]
ASF subversion and git services commented on CLOUDSTACK-10327:
--
Commit 9a13227a78acb14d9fd4f9ad5246ce67396cef7a in cloudstack's branch
refs/heads/master from [~olemasle]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=9a13227 ]
CLOUDSTACK-10327: Do not invalidate the session when an API command is not
available (#2498)
CloudStack SSO (using security.singlesignon.key) does not work anymore with
CloudStack 4.11, since commit 9988c26, which introduced a regression due to a
refactoring: every API request that is not "validated" generates the same error
(401 - Unauthorized) and invalidates the session.
However, CloudStack UI executes a call to listConfigurations in method
bypassLoginCheck. A non-admin user does not have the permissions to execute
this request, which causes an error 401:
{"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
to verify user credentials and/or request signature"}}
The session (already created by SSO) is then invalidated and the user cannot
access to CloudStack UI (error "Session Expired").
Before 9988c26 (up to CloudStack 4.10), an error 432 was returned (and ignored):
{"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
user is not allowed to request the API command or the API command does not
exist"}}
Even if the call to listConfigurations was removed, another call to listIdps
also lead to an error 401 for user accounts if the SAML plugin is not enabled.
This pull request aims to fix the SSO issue, by restoring errors 432 (instead
of 401 + invalidate session) for commands not available. However, if an API
command is explicitly denied using ACLs or if the session key is incorrect, it
still generates an error 401 and invalidates the session.
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16449801#comment-16449801
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-383921632
Merged based on test results and code review.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16449802#comment-16449802
]
ASF subversion and git services commented on CLOUDSTACK-10327:
--
Commit 9a13227a78acb14d9fd4f9ad5246ce67396cef7a in cloudstack's branch
refs/heads/4.11 from [~olemasle]
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=9a13227 ]
CLOUDSTACK-10327: Do not invalidate the session when an API command is not
available (#2498)
CloudStack SSO (using security.singlesignon.key) does not work anymore with
CloudStack 4.11, since commit 9988c26, which introduced a regression due to a
refactoring: every API request that is not "validated" generates the same error
(401 - Unauthorized) and invalidates the session.
However, CloudStack UI executes a call to listConfigurations in method
bypassLoginCheck. A non-admin user does not have the permissions to execute
this request, which causes an error 401:
{"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
to verify user credentials and/or request signature"}}
The session (already created by SSO) is then invalidated and the user cannot
access to CloudStack UI (error "Session Expired").
Before 9988c26 (up to CloudStack 4.10), an error 432 was returned (and ignored):
{"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
user is not allowed to request the API command or the API command does not
exist"}}
Even if the call to listConfigurations was removed, another call to listIdps
also lead to an error 401 for user accounts if the SAML plugin is not enabled.
This pull request aims to fix the SSO issue, by restoring errors 432 (instead
of 401 + invalidate session) for commands not available. However, if an API
command is explicitly denied using ACLs or if the session key is incorrect, it
still generates an error 401 and invalidates the session.
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16449800#comment-16449800
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd closed pull request #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
b/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
new file mode 100644
index 000..d5b7faa8f36
--- /dev/null
+++ b/api/src/main/java/com/cloud/exception/UnavailableCommandException.java
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.exception;
+
+import com.cloud.utils.SerialVersionUID;
+
+public class UnavailableCommandException extends PermissionDeniedException {
+
+private static final long serialVersionUID =
SerialVersionUID.UnavailableCommandException;
+
+protected UnavailableCommandException() {
+super();
+}
+
+public UnavailableCommandException(String msg) {
+super(msg);
+}
+
+public UnavailableCommandException(String msg, Throwable cause) {
+super(msg, cause);
+}
+}
diff --git
a/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
b/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
index 3dfdb01b2e5..d10c191151f 100644
---
a/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
+++
b/plugins/acl/dynamic-role-based/src/org/apache/cloudstack/acl/DynamicRoleBasedAPIAccessChecker.java
@@ -25,6 +25,7 @@
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import com.cloud.exception.UnavailableCommandException;
import org.apache.cloudstack.api.APICommand;
import com.cloud.exception.PermissionDeniedException;
@@ -53,8 +54,7 @@ protected DynamicRoleBasedAPIAccessChecker() {
}
private void denyApiAccess(final String commandName) throws
PermissionDeniedException {
-throw new PermissionDeniedException("The API does not exist or is
blacklisted for the account's role. " +
-"The account with is not allowed to request the api: " +
commandName);
+throw new PermissionDeniedException("The API " + commandName + " is
blacklisted for the account's role.");
}
public boolean isDisabled() {
@@ -99,8 +99,7 @@ public boolean checkAccess(User user, String commandName)
throws PermissionDenie
}
// Default deny all
-denyApiAccess(commandName);
-return false;
+throw new UnavailableCommandException("The API " + commandName + "
does not exist or is not available for this account.");
}
public void addApiToRoleBasedAnnotationsMap(final RoleType roleType, final
String commandName) {
diff --git
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
index f3dc3a3b8d7..4a33a0876c3 100644
---
a/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
+++
b/plugins/acl/static-role-based/src/org/apache/cloudstack/acl/StaticRoleBasedAPIAccessChecker.java
@@ -25,6 +25,7 @@
import javax.inject.Inject;
import javax.naming.ConfigurationException;
+import com.cloud.exception.UnavailableCommandException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
@@ -45,6 +46,7 @@
protected static final Logger LOGGER =
Logger.getLogger(StaticRoleBasedAPIAccessChecker.class);
private Set commandPropertyFiles = new HashSet();
+private Set commandNames = new HashSet();
private Set
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16426760#comment-16426760
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rafaelweingartner commented on issue #2498: CLOUDSTACK-10327: Do not invalidate
the session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378901994
@borisstoyanov here we also have that same
`test_04_restart_network_wo_cleanup` failure.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16426757#comment-16426757
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378900724
Trillian test result (tid-2456)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 95355 seconds
Marvin logs:
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2498-t2456-kvm-centos7.zip
Intermitten failure detected:
/marvin/tests/smoke/test_deploy_virtio_scsi_vm.py
Intermitten failure detected: /marvin/tests/smoke/test_loadbalance.py
Intermitten failure detected: /marvin/tests/smoke/test_routers.py
Intermitten failure detected: /marvin/tests/smoke/test_vpc_redundant.py
Intermitten failure detected: /marvin/tests/smoke/test_host_maintenance.py
Smoke tests completed. 65 look OK, 2 have error(s)
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
test_04_restart_network_wo_cleanup | `Failure` | 4.11 | test_routers.py
test_04_rvpc_network_garbage_collector_nics | `Failure` | 538.30 |
test_vpc_redundant.py
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16425153#comment-16425153
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
borisstoyanov commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378517279
@blueorangutan test
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16425154#comment-16425154
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378517387
@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has
been kicked to run smoke tests
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16423903#comment-16423903
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378222844
Trillian test result (tid-2449)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 7042 seconds
Marvin logs:
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2498-t2449-kvm-centos7.zip
Intermitten failure detected: /marvin/tests/smoke/test_accounts.py
Smoke tests completed. 0 look OK, 1 have error(s)
Only failed tests results shown below:
Test | Result | Time (s) | Test File
--- | --- | --- | ---
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16423723#comment-16423723
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378185367
@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has
been kicked to run smoke tests
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16423721#comment-16423721
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
borisstoyanov commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-378185187
@blueorangutan test
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16413606#comment-16413606
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
olivierlemasle commented on a change in pull request #2498: CLOUDSTACK-10327:
Do not invalidate the session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#discussion_r177023277
##
File path: server/src/com/cloud/api/ApiServer.java
##
@@ -958,6 +959,9 @@ private boolean commandAvailable(final InetAddress
remoteAddress, final String c
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED,
ex.getMessage());
+} catch (final UnavailableCommandException ex) {
+s_logger.debug(ex.getMessage());
+throw new
ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, ex.getMessage());
Review comment:
@rhtyd I'm not sure I understand your suggestion. The Http error code is
specified here, in line 964). The `ServerApiException` is caught on
`ApiServlet` which generates the HTTP response.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16410919#comment-16410919
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375567486
Packaging result: ✔centos6 ✔centos7 ✖debian. JID-1818
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16410882#comment-16410882
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
blueorangutan commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the
session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375559143
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted
as I make progress.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16410881#comment-16410881
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375559096
@blueorangutan package
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409872#comment-16409872
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
wido commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375377353
I don't see anything odd in this PR, looks good to me. I didn't catch this
situation.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409095#comment-16409095
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375189991
Thanks @olivierlemasle. I've one comment, since the last change around this
was made by Wido, let's ask @wido for review.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16409093#comment-16409093
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on a change in pull request #2498: CLOUDSTACK-10327: Do not
invalidate the session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#discussion_r176315829
##
File path: server/src/com/cloud/api/ApiServer.java
##
@@ -958,6 +959,9 @@ private boolean commandAvailable(final InetAddress
remoteAddress, final String c
} catch (final RequestLimitException ex) {
s_logger.debug(ex.getMessage());
throw new ServerApiException(ApiErrorCode.API_LIMIT_EXCEED,
ex.getMessage());
+} catch (final UnavailableCommandException ex) {
+s_logger.debug(ex.getMessage());
+throw new
ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, ex.getMessage());
Review comment:
Why not throw ServerApiException with suitable http error code so as to not
cause log out in the UI. Simply handle permission denied exception here? (or
the line below)
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408850#comment-16408850
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
olivierlemasle commented on issue #2498: CLOUDSTACK-10327: Do not invalidate
the session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375142120
@rhtyd Ok, I've rebased the PR against 4.11 and updated the base branch
accordingly.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408198#comment-16408198
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375008974
@olivierlemasle can you edit the PR and rebase against 4.11 branch?
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16408200#comment-16408200
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
rhtyd commented on issue #2498: CLOUDSTACK-10327: Do not invalidate the session
when API command not found
URL: https://github.com/apache/cloudstack/pull/2498#issuecomment-375008974
@olivierlemasle can you edit the PR and rebase against 4.11 branch? I tried
to do that, but Github requires rebasing against 4.11.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
> "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
> an API command reserved for root admins. When the user is not a root admin,
> he does not have the privileges for this command.
> With CloudStack up to 4.10, an error 432 was returned (and ignored):
> {noformat}
> {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
> user is not allowed to request the API command or the API command does not
> exist"}}
> {noformat}
> With CloudStack 4.11, the error 432 is replaced by an error 401 and the
> session is invalidated. Then the next API calls lead to an error "Session
> Expired" and the user cannot log in.
> {noformat}
> {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
> to verify user credentials and/or request signature"}}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin
[
https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16407960#comment-16407960
]
ASF GitHub Bot commented on CLOUDSTACK-10327:
-
olivierlemasle opened a new pull request #2498: CLOUDSTACK-10327: Do not
invalidate the session when API command not found
URL: https://github.com/apache/cloudstack/pull/2498
## Description
CloudStack SSO (using `security.singlesignon.key`) does not work anymore
with CloudStack 4.11, since commit 9988c26, which introduced a regression due
to a refactoring: every API request that is not "validated" generates the same
error (401 - Unauthorized) and invalidates the session.
However, CloudStack UI executes a call to `listConfigurations` [in method
`bypassLoginCheck`](https://github.com/apache/cloudstack/blob/1c99fd73881938/ui/scripts/cloudStack.js#L172).
A non-admin user does not have the permissions to execute this request, which
causes an error 401:
```
{"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable
to verify user credentials and/or request signature"}}
```
The session (already created by SSO) is then invalidated and the user cannot
access to CloudStack UI (error "Session Expired").
Before 9988c26 (up to CloudStack 4.10), an error 432 was returned (and
ignored):
```
{"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":,"errortext":"The
user is not allowed to request the API command or the API command does not
exist"}}
```
Even if the call to `listConfigurations` was removed, another call to
[`listIdps`](https://github.com/apache/cloudstack/blob/1c99fd73881938/ui/scripts/cloudStack.js#L192)
also lead to an error 401 for user accounts if the SAML plugin is not enabled.
This pull request aims to fix the SSO issue, by restoring errors 432
(instead of 401 + invalidate session) for commands not available. However, if
an API command is explicitly denied using ACLs or if the session key is
incorrect, it still generates an error 401 and invalidates the session.
## Types of changes
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
## How Has This Been Tested?
Compiled and ran CloudStack.
- API commands not explicitly allowed for a role (e.g. `listConfigurations`
for a user) generate 432.
- API commands not enabled (e.g. `listIdps` with SAML disabled) generate 432.
- non-existing API commands (e.g. `fooBar`) generate 432
However, API calls with session key removed generate 401 and invalidate
session.
SSO is ok.
## Checklist:
- [x] I have read the
[CONTRIBUTING](https://github.com/apache/cloudstack/blob/master/CONTRIBUTING.md)
document.
- [x] My code follows the code style of this project.
- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I have added tests to cover my changes.
- [x] All new and existing tests passed.
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> SSO fails with error "Session Expired", except for root admin
> -
>
> Key: CLOUDSTACK-10327
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
>Affects Versions: 4.11.0.0
>Reporter: Olivier Lemasle
>Assignee: Olivier Lemasle
>Priority: Critical
>
> CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore
> with CloudStack 4.11, since commit
> [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
> This commit introduced a new feature (the ability to limit admin API calls to
> a network CIDR), but also a regression due to a refactoring: every API
> request that is not "validated" generates the same error (401 - Unauthorized)
> and *invalidates the session*.
> However, during an SSO login, CloudStack executes (since ACS 4.7), a [call to
>
