[jbosstools-issues] [JBoss JIRA] (JBIDE-15830) openshift-java-client: incompatibility with OpenShift Enterprise and Origin when using the remote-user authentication plugin
Andre Dietisheim (JIRA)
jira-events at lists.jboss.org
Thu Oct 31 18:02:01 EDT 2013
[ https://issues.jboss.org/browse/JBIDE-15830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12826347#comment-12826347 ]
Andre Dietisheim edited comment on JBIDE-15830 at 10/31/13 6:00 PM:
--------------------------------------------------------------------
[~bleanhar] the above tests are unit tests, they're not run against any env. They just pass a client-id in and assert the useragent that the client's using.
The code that's creating the useragent that's being used is the following:
{code:title=UrlConnectionHttpClient}
...
private static final String USERAGENT_FOR_KEYAUTH = "OpenShift";
...
private String setupUserAgent(String authKey, String authIV, String userAgent) {
if (!StringUtils.isEmpty(authKey)) {
if (userAgent == null) {
userAgent = USERAGENT_FOR_KEYAUTH;
} else if (!userAgent.startsWith(USERAGENT_FOR_KEYAUTH)) {
userAgent = USERAGENT_FOR_KEYAUTH + '-' + userAgent;
}
}
return userAgent;
}
{code}
To my understanding this would always prepend "OpenShift" if it's not there already, given that the client's using an authkey.
[~bleanhar] do you have any idea of what the jenkins-plugin's using as authkey?
was (Author: adietish):
[~bleanhar] the above tests are unit tests, they're not run against any env. They just pass a client-id in and assert the useragent that the client's using.
The code that's creating the useragent that's being used is the following:
{code:title=UrlConnectionHttpClient}
...
private static final String USERAGENT_FOR_KEYAUTH = "OpenShift";
...
private String setupUserAgent(String authKey, String authIV, String userAgent) {
if (!StringUtils.isEmpty(authKey)) {
if (userAgent == null) {
userAgent = USERAGENT_FOR_KEYAUTH;
} else if (!userAgent.startsWith(USERAGENT_FOR_KEYAUTH)) {
userAgent = USERAGENT_FOR_KEYAUTH + '-' + userAgent;
}
}
return userAgent;
}
{code}
To my understand this would always prepend "OpenShift" if it's not there already.
> openshift-java-client: incompatibility with OpenShift Enterprise and Origin when using the remote-user authentication plugin
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: JBIDE-15830
> URL: https://issues.jboss.org/browse/JBIDE-15830
> Project: Tools (JBoss Tools)
> Issue Type: Bug
> Reporter: Brenton Leanhardt
> Assignee: Andre Dietisheim
> Labels: openshift-java-client
> Fix For: 4.1.1.Beta1, 4.2.0.Alpha1
>
>
> OpenShift Enterprise and Origin both ship an authentication plugin that allows parts of authentication to be handled by Apache and other parts to be delegated to the openshift-origin-controller codebase. I've found that all versions of openshift-java-client after 2.3.0.Final change a (poorly documented) requirement for the OpenShift remote-user plugin.
> In order for a request to bypass the Apache authentication and passthrough to the OpenShift Broker the user-agent header is inspected. If the user-agent is 'OpenShift' then the Broker will require an encrypted authentication token. Today this is used by the jenkins cartridge but I believe it's also still used for scaling.
> You can see this for details:
> https://github.com/openshift/origin-server/blob/master/documentation/archive/how_nodes_act_on_behalf_of_users.md#how-the-encrypted-token-is-used
> In 2.3.0.Final of the openshift-java-client the user-agent was 'OpenShift' however all versions after this set the user-agent to the java version (eg, User-Agent: Java/1.7.0_45).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jbosstools-issues
mailing list