[jbosstools-issues] [JBoss JIRA] (JBIDE-15830) openshift-java-client: incompatibility with OpenShift Enterprise and Origin when using the remote-user authentication plugin

Andre Dietisheim (JIRA) jira-events at lists.jboss.org
Tue Nov 5 08:35:03 EST 2013 

    [ https://issues.jboss.org/browse/JBIDE-15830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12850866#comment-12850866 ] 

Andre Dietisheim commented on JBIDE-15830:
------------------------------------------

I see the jboss tools using the following user-agent:

{code}
"Java OpenShift REST/2.5.0-SNAPSHOT (org.jboss.tools.openshift.express.core 2.5.1.qualifier)" 
{code}

I think I found the issue in the client:
The check for authkey (and the resulting prepending/using of "OpenShift") is not executed if the useragent is set AFTER the client instance is created. It's only executed when the useragent is passed at client creation time. The current implementation would set the user-agent to the client AFTER it is created (this setup allows client users to provide their own client implementation). To fix this we would simply add the check to get executed if the useragent is passed in after instance creation. Nevertheless, I think that we should move this logic to the jenkins plugin, this should not be part of the openshift-java-client since it's jenkins-plugin specific. IMHO we should make sure the jenkins-plugin can set the useragent it needs.
                
> openshift-java-client: incompatibility with OpenShift Enterprise and Origin when using the remote-user authentication plugin
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JBIDE-15830
>                 URL: https://issues.jboss.org/browse/JBIDE-15830
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: openshift
>            Reporter: Brenton Leanhardt
>            Assignee: Andre Dietisheim
>              Labels: openshift-java-client
>             Fix For: 4.1.1.CR1, 4.2.0.Alpha1
>
>
> OpenShift Enterprise and Origin both ship an authentication plugin that allows parts of authentication to be handled by Apache and other parts to be delegated to the openshift-origin-controller codebase.  I've found that all versions of openshift-java-client after 2.3.0.Final change a (poorly documented) requirement for the OpenShift remote-user plugin.
> In order for a request to bypass the Apache authentication and passthrough to the OpenShift Broker the user-agent header is inspected.  If the user-agent is 'OpenShift' then the Broker will require an encrypted authentication token.  Today this is used by the jenkins cartridge but I believe it's also still used for scaling.
> You can see this for details:
> https://github.com/openshift/origin-server/blob/master/documentation/archive/how_nodes_act_on_behalf_of_users.md#how-the-encrypted-token-is-used
> In 2.3.0.Final of the openshift-java-client the user-agent was 'OpenShift' however all versions after this set the user-agent to the java version (eg, User-Agent: Java/1.7.0_45).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jbosstools-issues mailing list