reverseProxyAuth: If user has more groups than configured then login fails #2851

Open
brunnels opened this issue Aug 17, 2024 · 7 comments

@brunnels

I had this working well when my user was only a member of 2 groups and I configured the groups in initial-data.conf

{
    teams: [
        {
            subjectId: "Administrators",
            teamName: "Administrators",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "Domain Users",
            teamName: "Domain Users",
            description: "All users, including anonymous.",
            permissions: [ ]
        }
    ]
}

When I added an additional group to the user in my upstream auth, causing the reverse proxy auth header to contain more groups, I was no longer able to login and was presented with this in the logs:

17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
io.cloudbeaver.DBWebException: Error:
Error saving user teams in database
.....
Caused by: org.jkiss.dbeaver.model.exec.DBCException: Error saving user teams in database
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.setUserTeams(CBEmbeddedSecurityController.java:222)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2454)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2160)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1565)
        at io.cloudbeaver.service.auth.RPSessionHandler.reverseProxyAuthentication(RPSessionHandler.java:130)
        ... 61 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
  Detail: Key (team_id)=(Qsync) is not present in table "cb_team".

Here's my auth config as well

        authConfigurations: [
          {
            id: "reverseProxy",
            provider: "reverseProxy",
            displayName: "Reverse Proxy",
            disabled: false,
            iconURL: "",
            description: "Authelia Reverse Proxy with ingress-nginx",
            parameters: {
              full-name-header: "Remote-Name",
              user-header: "Remote-User",
              team-header: "Remote-Groups",
              team-delimiter: ",",
              logout-url: "https://auth.${SECRET_DOMAIN}/logout?rd=https://cloudbeaver.${SECRET_DOMAIN}"
            }
          }
        ]

I can resolve the issue by adding the qsync group to my config but I don't believe I should need to do this because cloudbeaver should be able to deal with a user being a member of a group it doesn't know about.

@brunnels brunnels added bug Something isn't working wait for review labels Aug 17, 2024
@EvgeniaBzzz
Contributor

Hi @brunnels
We'll add the ability to create teams via proxy. Thank you for your request!

@EvgeniaBzzz EvgeniaBzzz added feature request Let's add something new xf:authentication and removed bug Something isn't working wait for review labels Aug 19, 2024
@brunnels
Author

@EvgeniaBzzz I'm not sure I would want it to create the teams. I just want it to ignore any groups sent in the proxy header that don't exist in the cloudbeaver config.

@EvgeniaBzzz
Contributor

Let me ask, what is the purpose of adding additional non-existent groups to the upstream auth?

@brunnels
Author

@EvgeniaBzzz It's a standard thing. The upstream reverse proxy is backed by ldap. This would automatically send any groups the user is a member of in the Remote-Groups header. There's no way to filter or modify this. Cloudbeaver should only care about groups/teams it knows about so I think it's a bug for it to raise an exception in this case.

@EvgeniaBzzz
Contributor

Ok, thanks for the clarification

@elixxx

elixxx commented Aug 24, 2024

Hey, I struggle with the same issue, but for me it would be nice to have the teams automatically created, as I filter the forwarded groups already in Keycloak. Maybe a configuration like "createUnknownTeams" would be nice! :)
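As an added example (not CloudBeaver's own code), the snippet below contrasts the three behaviours discussed in this thread for a proxy header carrying a group CloudBeaver has not configured: the current strict failure seen in the stack trace, brunnels' "ignore unknown groups" and elixxx's "createUnknownTeams". The team names and header value come from the issue; the function and policy names are assumptions.

```python
"""Map a reverse-proxy team header onto configured teams under three policies."""
from dataclasses import dataclass, field


@dataclass
class Team:
    subject_id: str
    permissions: list[str] = field(default_factory=list)


# Constructed from the issue's initial-data.conf: only these two teams exist.
CONFIGURED_TEAMS = {
    "Administrators": Team("Administrators", ["admin"]),
    "Domain Users": Team("Domain Users", []),
}


class UnknownTeamError(Exception):
    """Raised under the strict policy; stands in for the FK violation on cb_user_team."""


def parse_team_header(value: str, delimiter: str = ",") -> list[str]:
    """Split the header on the configured delimiter, trim, drop empties, dedupe in order."""
    teams: list[str] = []
    for raw in value.split(delimiter):
        name = raw.strip()
        if name and name not in teams:
            teams.append(name)
    return teams


def resolve_teams(header_teams, configured, policy="strict"):
    """Return (assigned team ids, newly created team ids) for the given policy.
    strict: any unknown team aborts login (what the issue observed).
    ignore: unknown teams are silently dropped (brunnels' request).
    create: unknown teams are created with no permissions (elixxx's idea; hypothetical)."""
    assigned, created = [], []
    for name in header_teams:
        if name in configured:
            assigned.append(name)
        elif policy == "ignore":
            continue
        elif policy == "create":
            configured[name] = Team(name, [])  # never grants rights by itself
            created.append(name)
            assigned.append(name)
        else:
            raise UnknownTeamError(f"Key (team_id)=({name}) is not present in configured teams")
    return assigned, created


def authenticate(header_value, configured, policy="strict", delimiter=","):
    """Simulate the login step: (status, assigned teams, effective permissions)."""
    try:
        assigned, _ = resolve_teams(parse_team_header(header_value, delimiter), configured, policy)
    except UnknownTeamError:
        return ("rejected", [], [])
    perms = sorted({p for t in assigned for p in configured[t].permissions})
    return ("ok", assigned, perms)
```

Under either proposed policy the unknown "Qsync" group never adds permissions; the difference is only whether a team row for it appears in the database.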

@EvgeniaBzzz
Contributor

@elixxx thanks for your comment, we will try to come up with a solution that will suit everyone
