From: "Olivier Lemasle (JIRA)"
To: cloudstack-issues@incubator.apache.org
Date: Fri, 16 Mar 2018 10:58:00 +0000 (UTC)
Subject: [jira] [Updated] (CLOUDSTACK-10327) SSO fails with error "Session Expired", except for root admin

[ https://issues.apache.org/jira/browse/CLOUDSTACK-10327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Lemasle updated CLOUDSTACK-10327:
-----------------------------------------

Description:

CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore with CloudStack 4.11, since commit [9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]

This commit introduced a new feature (the ability to limit admin API calls to a network CIDR), but also a regression due to a refactoring: every API request that is not "validated" generates the same error (401 - Unauthorized) and *invalidates the session*.

However, during an SSO login, CloudStack executes (since CS 4.7) a [call to "listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172], an API command reserved for root admins. When the user is not a root admin, he does not have the privileges for this command.
With CloudStack up to 4.10, an error 432 was returned (and ignored):

{noformat}
{"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":9999,"errortext":"The user is not allowed to request the API command or the API command does not exist"}}
{noformat}

With CloudStack 4.11, the error 432 is replaced by an error 401 and the session is invalidated. Then the next API calls lead to an error "Session Expired" and the user cannot log in.

{noformat}
{"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
{noformat}


> SSO fails with error "Session Expired", except for root admin
> -------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10327
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: API
>    Affects Versions: 4.11.0.0
>            Reporter: Olivier Lemasle
>            Assignee: Olivier Lemasle
>            Priority: Critical
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
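The following Python is an added illustration, not CloudStack's code and not part of the issue: it models the two server behaviours the description contrasts (4.11 answering every non-validated request with 401 and dropping the session, versus keeping a valid-but-unprivileged session alive with 432) and replays the UI sequence that breaks SSO. The session store, the root_admin flag and the follow-up command listVirtualMachines are constructed assumptions; the response bodies follow the JSON quoted above.

```python
# Model of the regression in CLOUDSTACK-10327 (added example, not CloudStack code).
# Assumed: an in-memory session store, a per-user root_admin flag, and a single
# root-admin-only command. Response bodies follow the JSON quoted in the issue.
ROOT_ADMIN_ONLY = {"listConfigurations"}
AUTHN_TEXT = "unable to verify user credentials and/or request signature"
AUTHZ_TEXT = ("The user is not allowed to request the API command "
              "or the API command does not exist")

def _error(key, code, text, cserrorcode=None):
    body = {"uuidList": [], "errorcode": code, "errortext": text}
    if cserrorcode is not None:
        body["cserrorcode"] = cserrorcode
    return {key: body}

def handle_regressed(sessions, sid, command):
    """4.11 behaviour as described: any request that fails validation, whether
    the session is unknown or the user merely lacks the command, gets 401 and
    the session is invalidated."""
    user = sessions.get(sid)
    if user is None or (command in ROOT_ADMIN_ONLY and not user["root_admin"]):
        sessions.pop(sid, None)
        return _error(command.lower() + "response", 401, AUTHN_TEXT)
    return {command.lower() + "response": {"count": 0}}

def handle_fixed(sessions, sid, command):
    """Keep authentication and authorization apart: an unverifiable session is
    rejected with 401; a valid session lacking the command gets 432 (cserrorcode
    9999) and the session survives, which is the pre-4.11 behaviour."""
    user = sessions.get(sid)
    if user is None:
        return _error(command.lower() + "response", 401, AUTHN_TEXT)
    if command in ROOT_ADMIN_ONLY and not user["root_admin"]:
        return _error("errorresponse", 432, AUTHZ_TEXT, cserrorcode=9999)
    return {command.lower() + "response": {"count": 0}}

def sso_login_flow(handler, root_admin):
    """Replay the UI sequence from the issue: right after SSO login the UI calls
    listConfigurations, then an ordinary command (constructed: listVirtualMachines).
    Returns both responses and whether the session is still valid afterwards."""
    sessions = {"sid-1": {"root_admin": root_admin}}  # constructed session
    first = handler(sessions, "sid-1", "listConfigurations")
    second = handler(sessions, "sid-1", "listVirtualMachines")
    return first, second, "sid-1" in sessions

if __name__ == "__main__":
    for name, handler in (("4.11 (regressed)", handle_regressed), ("fixed", handle_fixed)):
        first, second, alive = sso_login_flow(handler, root_admin=False)
        print(name, first, second, "session alive:", alive)
```

The second 401 in the regressed flow is the response the UI surfaces as "Session Expired"; a root admin never hits either branch, which is why only non-root SSO users are affected.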