
Error message overflow on LDAP login error

Open mattdowdell opened this issue 2 years ago • 1 comments

I've configured MinIO to use LDAP for access which works great. When no group configuration is present, and no policy is assigned to the user, logging into the console will show an error message at the top of the screen with the message "expecting a policy to be set for user $DN ...". While experimenting with this, I found that the raw LDAP error codes were output to the end-user as well, which seems a little odd, but not a hugely objectionable experience.

However, when I configured groups using the MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN and MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER environment variables, pointed it at my company's LDAP server, and similarly did not configure a policy for any users or groups, I got a 1000+ character error message back due to the number of groups I've been added to over the years. This seemed to break the assumption that the error message popup in the console UI shouldn't have more than 3 lines of text. I ended up with 5 lines vertically centered in a space that only seems to want 3, causing the text to overflow above and below the popup. The text below was accessible because there's nothing hiding the overflow there, but the overflow above the modal was hidden because my browser window did not extend that far. As it happens, the useful part of the error message is at the very start and the very end, and missing the start probably means there's going to be some confusion over time. It's worth pointing out that one might need a narrower screen, as they might find on a laptop, to reproduce this (I'm on a 16'' MacBook Pro).

Expected Behavior

Error message should be fully visible to support debugging of an issue.

Current Behavior

Error message overflows popup with extreme error message lengths, hiding the start of the message. I would attach a screenshot, but it contained the group DNs, which I'm not entirely sure I'm allowed to publicly share.

Possible Solution

Couple of options to resolve:

  • As a generic fix, allow the error popup in the console UI to grow arbitrarily to fully show the error message.
  • As a targeted fix, consider trimming the number of groups in such an error message to something like: group1, group2, group3, and N other(s).

Steps to Reproduce (for bugs)

  1. Have a user in an LDAP server that is a member of multiple groups (I apparently have 22).
  2. Configure LDAP access that includes a group filter. I was forced to use %d to match the DN of the user which probably exacerbates the issue further.
  3. Attempt to login as that user to the console UI when the user has no matching policies for access.
  4. Observe a long error message overflowing the error popup.

Alternatively, add a couple of paragraphs of lorem ipsum into the error popup if you're able to trigger error popups independently of anything else.

Context

I appreciate this is an edge case in a couple of different ways:

  • User is a member of lots of LDAP groups.
  • User is attempting to login with no access policy configured.

So ultimately, it's not the most debilitating bug in the world. However, I would argue that the generic problem of long error messages has the potential to recur elsewhere, so it may be worthwhile fixing from a UX perspective.

Regression

Not as far as I'm aware.

Your Environment

I'm using docker-compose on macOS (so effectively Linux) with the following config:

services:
  minio:
    image: quay.io/minio/minio:RELEASE.2022-04-16T04-26-02Z
    restart: always
    command: server /data --console-address ":9001"
    ports:
      - 9000:9000
      - 9001:9001
    volumes:
      - minio-data:/data
    environment:
      ## root credentials for `mc` cli
      # TODO: move to secrets
      MINIO_ROOT_USER: '<omitted>'
      MINIO_ROOT_PASSWORD: '<omitted>'

      ## LDAP config
      MINIO_IDENTITY_LDAP_SERVER_ADDR: '<omitted>'
      MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN: '<omitted>'
      MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD: '<omitted>'
      MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN: 'ou=People,o=<omitted>'
      MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: '(uid=%s)'
      MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN: 'ou=Groups,o=<omitted>'
      MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER: '(member=%d)'

volumes:
  minio-data:

I don't have an LDAP server that would readily display this issue to hand, but I would imagine it's possible to build one relatively simply. In the past, I've used https://github.com/inejge/ldap3/tree/master/data as a base for local LDAP testing with ldap-utils and slapd on Debian 11.

mattdowdell avatar Apr 18 '22 09:04 mattdowdell
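As an added illustration of the "targeted fix" proposed in the Possible Solution section (example code written for this page, not MinIO's own implementation): the group list is capped to "group1, group2, group3, and N other(s)" for the server log, while the message returned to the browser omits group DNs entirely, which both bounds its length and keeps directory internals out of the UI. The constant, type and DNs below are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// maxGroupsShown caps how many group DNs a logged error lists.
// Constructed value for this example, not a MinIO setting.
const maxGroupsShown = 3

// summarizeGroups renders "g1, g2, g3, and N other(s)" so the message
// length stays bounded however many groups the user belongs to.
func summarizeGroups(groups []string) string {
	if len(groups) == 0 {
		return "no groups"
	}
	if len(groups) <= maxGroupsShown {
		return strings.Join(groups, ", ")
	}
	shown := strings.Join(groups[:maxGroupsShown], ", ")
	return fmt.Sprintf("%s, and %d other(s)", shown, len(groups)-maxGroupsShown)
}

// PolicyError (hypothetical type) carries one short message for the UI
// and one fuller message for the server log.
type PolicyError struct {
	UserDN string
	Groups []string
}

// UIMessage never includes group DNs: they are what overflowed the popup
// and they are not something an end user needs to see.
func (e PolicyError) UIMessage() string {
	return fmt.Sprintf("no policy is assigned to user %s or its groups; see server logs", e.UserDN)
}

// LogMessage keeps a trimmed group list for operators debugging server-side.
func (e PolicyError) LogMessage() string {
	return fmt.Sprintf("expecting a policy to be set for user %s (groups: %s)", e.UserDN, summarizeGroups(e.Groups))
}

func main() {
	// Constructed sample: a user in more groups than the log should list.
	e := PolicyError{
		UserDN: "uid=alice,ou=People,o=example",
		Groups: []string{"cn=dev,ou=Groups,o=example", "cn=ops,ou=Groups,o=example",
			"cn=qa,ou=Groups,o=example", "cn=sec,ou=Groups,o=example", "cn=hr,ou=Groups,o=example"},
	}
	fmt.Println("UI: ", e.UIMessage())
	fmt.Println("log:", e.LogMessage())
}
```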

I think for starters we shouldn't leak your group names to the UI, so perhaps we can remove that from the error, and only show the full message on the server logs? @Alevsk

dvaldivia avatar Apr 19 '22 01:04 dvaldivia

We'll handle this by showing the full error on console and show a smaller error prompt in the UI.

cesnietor avatar May 15 '23 17:05 cesnietor

PR merged.

prakashsvmx avatar Nov 24 '23 04:11 prakashsvmx