Olivier Lemasle created CLOUDSTACK-10327:
--------------------------------------------
Summary: SSO fails with error "Session Expired", except for root
admin
Key: CLOUDSTACK-10327
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10327
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: API
Affects Versions: 4.11.0.0
Reporter: Olivier Lemasle
Assignee: Olivier Lemasle
CloudStack SSO (using {{security.singlesignon.key}}) does not work anymore with
CloudStack 4.11, since commit
[9988c26|https://github.com/apache/cloudstack/commit/9988c269b259b84c0b8436bad17f88dbc1d706e7#diff-16f2bfa56c6e8760760dd2b27b47d5b4]
This commit introduced a new feature (the ability to limit admin API calls to a
network CIDR), but also a regression due to a refactoring: every API request
that is not "validated" generates the same error (401 - Unauthorized) and
*invalidates the session*.
However, during an SSO login, CloudStack executes (since CS 4.7), a [call to
"listConfigurations"|https://github.com/apache/cloudstack/blob/8a3943b7632eddf3856a19e7d9a3fee82dd325be/ui/scripts/cloudStack.js#L172],
an API command reserved for root admins. When the user is not a root admin, he
does not have the privileges for this command.
With CloudStack up to 4.10, an error 432 was returned (and ignored):
{{{"errorresponse":\{"uuidList":[],"errorcode":432,"cserrorcode":9999,"errortext":"The
user is not allowed to request the API command or the API command does not
exist"}}}}
With CloudStack 4.11, the error 432 is replaced by an error 401 and the session
is invalidated. Then the next API calls lead to an error "Session Expired" and
the user cannot log in.
{{{"listconfigurationsresponse":\{"uuidList":[],"errorcode":401,"errortext":"unable
to verify user credentials and/or request signature"}}}}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
