  1. Razor (moved to puppet.atlassian.net)
  2. RAZOR-994

After setting auth_allow_localhost to true, create/update/register/delete commands fail with 500 error

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Done
    • RAZOR 1.3.0
    • RAZOR 1.6.1
    • Client, Server
    • PE Enterprise 2016.2.1

      1. razor --version
        Razor Server version: 1.3.0.0
        Razor Client version: 1.2.0
      2. cat /etc/redhat-release
        Red Hat Enterprise Linux Server release 7.3 (Maipo)
    • When auth_allow_localhost is set to true, allow all razor CLI commands executing on the razor server itself and by a system user with appropriate rights to run successfully.
    • Analytics
    • 1
    • Analytics 2017-03-08
    • No Action
    • resource limitations

    Description

      After enabling the localhost to bypass authentication (auth_allow_localhost: true in config-defaults.yaml), we found that from the razor server read-only commands worked (i.e., razor nodes), but create/update/register/delete commands no longer worked. We would get a 500 error as follows:

      from /var/log/puppetlabs/razor-server/server.log:

      15:35:35,274 INFO [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api " 200 6629 0.0120
      15:35:35,356 INFO [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api/commands/register-node " 200 6205 0.0140
      15:35:35,419 INFO [razor.web.api] (http-/0.0.0.0:8151-2) 2017-02-03 15:35:35 - Java::OrgApacheShiroAuthz::UnauthenticatedException - This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.:
      org.apache.shiro.subject.support.DelegatingSubject.assertAuthzCheckPossible(org/apache/shiro/subject/support/DelegatingSubject.java:199)
      org.apache.shiro.subject.support.DelegatingSubject.checkPermissions(org/apache/shiro/subject/support/DelegatingSubject.java:214)
      ....
      java.lang.Thread.run(java/lang/Thread.java:745)
      15:35:35,422 INFO [razor.web.log] (http-/0.0.0.0:8151-2) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "POST /api/commands/register-node " 500 30 0.0130

      We are running these commands from the localhost (razor server itself) and without passing any credentials. If we pass credentials, all commands work as expected. We were hoping to take advantage of the auth_allow_localhost feature and not have to store razor creds in an environment variable or a bash profile.

      I had originally posted about this on the puppet-razor google group: https://groups.google.com/forum/#!topic/puppet-razor/2dmxYU0xEq0

      (I will create a feature request in a separate ticket regarding the CLI and how it handles authentication; would like to suggest something.)
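
Added example, not part of the original ticket and not Razor's own code: a small Python triage script for server.log that counts localhost requests by method and status and pairs each 500 on /api/commands/ with the exception logged just before it. The sample lines are taken from the excerpt above with the exception message shortened; pairing the two lines by worker thread name is an assumption based on that excerpt.

```python
import re
from collections import Counter

LOCALHOST = {"127.0.0.1", "::1"}

# Access-log lines written by razor.web.log
ACCESS = re.compile(
    r'INFO \[razor\.web\.log\] \((?P<thread>\S+)\) (?P<ip>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) ?" (?P<status>\d{3}) ')
# Exception lines written by razor.web.api
API_ERR = re.compile(
    r'INFO \[razor\.web\.api\] \((?P<thread>\S+)\) .*? - (?P<exc>[\w:]+Exception) - ')

# Sample input: lines from the ticket's excerpt, exception message shortened.
SAMPLE_LOG = """\
15:35:35,274 INFO [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api " 200 6629 0.0120
15:35:35,356 INFO [razor.web.log] (http-/0.0.0.0:8151-3) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "GET /api/commands/register-node " 200 6205 0.0140
15:35:35,419 INFO [razor.web.api] (http-/0.0.0.0:8151-2) 2017-02-03 15:35:35 - Java::OrgApacheShiroAuthz::UnauthenticatedException - This subject is anonymous [message shortened]
15:35:35,422 INFO [razor.web.log] (http-/0.0.0.0:8151-2) 127.0.0.1 - - [03/Feb/2017:15:35:35 -0600] "POST /api/commands/register-node " 500 30 0.0130
"""

def triage(log_text):
    """Return (localhost request counts by (method, status), failed localhost commands)."""
    counts, findings, pending = Counter(), [], {}
    for line in log_text.splitlines():
        err = API_ERR.search(line)
        if err:
            # Hold the exception until the same worker thread logs its response line.
            pending[err["thread"]] = err["exc"]
            continue
        acc = ACCESS.search(line)
        if not acc:
            continue
        cause = pending.pop(acc["thread"], None)
        if acc["ip"] not in LOCALHOST:
            continue
        counts[(acc["method"], acc["status"])] += 1
        if acc["status"] == "500" and acc["path"].startswith("/api/commands/"):
            findings.append((acc["method"], acc["path"], cause))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for (method, status), n in sorted(counts.items()):
        print(f"localhost {method} -> {status}: {n}")
    for method, path, cause in findings:
        print(f"FAILED {method} {path} cause={cause}")
```

On the sample, both GET requests return 200 and the single POST to register-node is reported as failed with the Shiro UnauthenticatedException as its cause, which is the read-versus-write split the description reports.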

            People

              Unassigned Unassigned
              lennyi Lenny Ilyashov