Bug #30535: When using Puma with Foreman 2.1 FreeIPA external authentication does not work - Foreman

Bug #30535

When using Puma with Foreman 2.1 FreeIPA external authentication does not work

Added by Steve Jacobs 3 months ago. Updated 4 days ago.

Status:

Closed

Priority:

High

Assignee:

Tomer Brisker

Category:

Authentication

Target version:

2.2.0

Difficulty:

Triaged:

Yes

Bugzilla link:

1877307

Pull request:

https://github.com/theforeman/puppet-foreman/pull/896, https://github.com/theforeman/puppet-foreman/pull/872, https://github.com/theforeman/foreman/pull/7909

Fixed in Releases:

2.2.0

Found in Releases:

2.1.0

Description

I looked into this a bit. It appears that all of the freeIPA authentication bits are configured to set internal apache variables, and mod_passenger would be able to read them as environment variables on each request. Because puma is being used as a generic http proxy via mod_proxy, no information about the intercepted form logins or kerberos auth makes its way to foreman through puma.

All of this needs to be reworked with puma in the mix. None of the existing IPA logic will work. (Check headers, not env if puma is used, etc).

Associated revisions

Revision 6f5b99bb (diff)
Added by Hesham S. Ahmed 12 days ago

Fixes #30535 - Set HTTP headers for proxy requests

Revision 05e0aaf0 (diff)
Added by Hesham Ahmed 7 days ago

Fixes #30535 - Use HTTP headers in puma

Revision 6dea3b75 (diff)
Added by Tomer Brisker 4 days ago

Refs #30535 - Correctly unset remote user groups

This corrects a typo in the previous change, which unset
REMOTE_USER_USER_GROUPS instead of REMOTE_USER_GROUPS in the apache
configuration.

History

#1 Updated by Steve Jacobs 3 months ago

What I did to check this:

Turned up debug logging in apache and installed mod_dumpio.

I can verify that auth is occurring, and the ifp service is delivering email, etc.

mod_dumpio trace shows that no REMOTE_USER, etc header is being sent to puma on port 3000.

#2 Updated by Ewoud Kohl van Wijngaarden 3 months ago

Triaged changed from No to Yes
Category set to Foreman modules
Project changed from Foreman to Installer

With 2.1 you can revert back to passenger using --foreman-passenger true. I consider that a workaround, not a solution since long term we want to align on Puma and this is a feature we support. This is something in the installer, so moving to the correct project.

#3 Updated by The Foreman Bot 2 months ago

Status changed from New to Ready For Testing
Pull request https://github.com/theforeman/puppet-foreman/pull/872 added

#4 Updated by Hesham Ahmed 2 months ago

Pull request https://github.com/theforeman/foreman/pull/7909 added
Pull request deleted (~~https://github.com/theforeman/puppet-foreman/pull/872~~)

I have fixed this by changing app/services/sso/apache.rb to use HTTP_REMOTE_USER instead of REMOTE_USER and setting HTTP_REMOTE_USER in apache. I have created pull requests to foreman and puppet-foreman projects in case this is acceptable.

#5 Updated by Adam Winberg 2 months ago

Hesham Ahmed wrote:

I have fixed this by changing app/services/sso/apache.rb to use HTTP_REMOTE_USER instead of REMOTE_USER and setting HTTP_REMOTE_USER in apache. I have created pull requests to foreman and puppet-foreman projects in case this is acceptable.

Have you actually tested this? I have tried this with many variations and never got it to work. Tested on RHEL8.

#6 Updated by Hesham Ahmed 2 months ago

I have tested this and it works fine on EL7

#7 Updated by Adam Winberg 2 months ago

Ok, got it working. But when using mod_ssl the request header statement need to look a bit different:

RequestHeader set REMOTE_USER %{REMOTE_USER}s

Notice the ending 's' instead of 'e' to make it work with mod_ssl

#8 Updated by The Foreman Bot 2 months ago

Pull request https://github.com/theforeman/puppet-foreman/pull/872 added

#9 Updated by Tomer Brisker about 1 month ago

Target version set to 2.1.3

#10 Updated by Ewoud Kohl van Wijngaarden about 1 month ago

Target version changed from 2.1.3 to 2.2.0

#11 Updated by Tomer Brisker about 1 month ago

Bugzilla link set to 1877307

#12 Updated by Tomer Brisker 27 days ago

Category deleted (~~Foreman modules~~)
Project changed from Installer to Foreman

#13 Updated by Tomer Brisker 27 days ago

Category set to Authentication

#14 Updated by Anonymous 12 days ago

Status changed from Ready For Testing to Closed

Applied in changeset puppet-foreman:puppet-foreman|6f5b99bb08f19ff61410dc6208346b9c8c333221.

#15 Updated by The Foreman Bot 7 days ago

Fixed in Releases 2.3.0 added

#16 Updated by Tomer Brisker 7 days ago

Fixed in Releases 2.2.0 added
Fixed in Releases deleted (~~2.3.0~~)

#17 Updated by Ewoud Kohl van Wijngaarden 6 days ago

Subject changed from When using puma with foreman 2.1 freeipa external authentication does not work to When using Puma with Foreman 2.1 freeipa external authentication does not work

#18 Updated by Ewoud Kohl van Wijngaarden 6 days ago

Subject changed from When using Puma with Foreman 2.1 freeipa external authentication does not work to When using Puma with Foreman 2.1 FreeIPA external authentication does not work

#19 Updated by The Foreman Bot 4 days ago

Assignee set to Tomer Brisker
Pull request https://github.com/theforeman/puppet-foreman/pull/896 added

Also available in: Atom PDF

Project

General

Profile

Issues

Custom queries