puppet-rundeck

Preauth userNameHeader line breaks deployment with Tomcat

Open philippeganz opened this issue 6 years ago • 1 comments

Hello,

In our setup we use Tomcat to deploy Rundeck, but since Tomcat uses AJP, there is an issue with the new 4 preauth lines added to the config file: more precisely, the rundeck.security.authorization.preauthenticated.userNameHeader = "" breaks our config; removing or commenting out that line works for us. As preauth, we use Shibboleth based on AD.

The patch we are currently using is shown in the What behaviour did you expect instead section. We'd be glad to provide you with a PR if that solution would be accepted.

Best regards, Philippe

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.9.4
  • Ruby: 2.0.0p648
  • Distribution: CentOS 7.4 3.10.0-693.21.1.el7.x86_64
  • Module version: 5.1

How to reproduce (e.g Puppet code you use)

class { '::rundeck':
...
    preauthenticated_config => {
      enabled       => true,
      attributeName => 'ADFS_GROUP',
      delimiter     => ';',
    },
...

What are you seeing

When trying to connect to Rundeck, previously working, we get an error message.

Error
Authentication is required

We found out that the problem was related to preauth config, more precisely to the userNameHeader being empty.

rundeck.security.authorization.preauthenticated.enabled = "true"
rundeck.security.authorization.preauthenticated.attributeName = "ADFS_GROUP"
rundeck.security.authorization.preauthenticated.delimiter = ";"
rundeck.security.authorization.preauthenticated.userNameHeader = ""
rundeck.security.authorization.preauthenticated.userRolesHeader = ""
rundeck.security.authorization.preauthenticated.redirectLogout = ""
rundeck.security.authorization.preauthenticated.redirectUrl = ""

What behaviour did you expect instead

To have these lines not added if the values are not defined, e.g.

<%# Emit each optional preauth setting only when its own key is set -%>
<%- if @preauthenticated_config['userNameHeader'] -%>
rundeck.security.authorization.preauthenticated.userNameHeader = "<%= @preauthenticated_config['userNameHeader']%>"
<%- end -%>
<%- if @preauthenticated_config['userRolesHeader'] -%>
rundeck.security.authorization.preauthenticated.userRolesHeader = "<%= @preauthenticated_config['userRolesHeader']%>"
<%- end -%>
<%- if @preauthenticated_config['redirectLogout'] -%>
rundeck.security.authorization.preauthenticated.redirectLogout = "<%= @preauthenticated_config['redirectLogout']%>"
<%- end -%>
<%- if @preauthenticated_config['redirectUrl'] -%>
rundeck.security.authorization.preauthenticated.redirectUrl = "<%= @preauthenticated_config['redirectUrl']%>"
<%- end -%>

Output log

Any additional information you'd like to impart

philippeganz, Apr 26 '18 10:04
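How a per-key guard like the one proposed in the issue behaves when rendered, as an added example that is not part of the original issue or the module's own code. The template text, the `strict` switch, the `X-Constructed-User` value and the merge with empty-string defaults are constructed assumptions; the point shown is that a plain truthiness guard skips unset keys but still emits keys whose value is `''`.

```ruby
require 'erb'

# Constructed template modelled on the rendered output quoted in the issue.
# Optional keys are emitted only when they carry a value. With strict off the
# guard is plain Ruby truthiness; with strict on, blank strings are skipped too.
TEMPLATE = <<~'TEMPLATE'
  <%- %w[enabled attributeName delimiter].each do |key| -%>
  rundeck.security.authorization.preauthenticated.<%= key %> = "<%= @preauthenticated_config[key] %>"
  <%- end -%>
  <%- %w[userNameHeader userRolesHeader redirectLogout redirectUrl].each do |key| -%>
  <%-   value = @preauthenticated_config[key] -%>
  <%-   next unless value -%>
  <%-   next if @strict && value.to_s.strip.empty? -%>
  rundeck.security.authorization.preauthenticated.<%= key %> = "<%= value %>"
  <%- end -%>
TEMPLATE

# Render the template with the hash exposed as @preauthenticated_config,
# the instance variable name used by the template lines in the issue.
def render_preauth(config, strict:)
  scope = Object.new
  scope.instance_variable_set(:@preauthenticated_config, config)
  scope.instance_variable_set(:@strict, strict)
  ERB.new(TEMPLATE, trim_mode: '-').result(scope.instance_eval { binding })
end

# Constructed inputs: the hash from the issue, and the same hash after a
# hypothetical merge with empty-string defaults.
ISSUE_CONFIG = {
  'enabled' => true, 'attributeName' => 'ADFS_GROUP', 'delimiter' => ';'
}.freeze
WITH_EMPTY_DEFAULTS = ISSUE_CONFIG.merge(
  'userNameHeader' => '', 'userRolesHeader' => '',
  'redirectLogout' => '', 'redirectUrl' => ''
).freeze

if __FILE__ == $PROGRAM_NAME
  puts '--- truthiness guard, empty-string defaults ---'
  puts render_preauth(WITH_EMPTY_DEFAULTS, strict: false)
  puts '--- strict guard, empty-string defaults ---'
  puts render_preauth(WITH_EMPTY_DEFAULTS, strict: true)
end
```

If the optional values reach the template as empty strings rather than undef, only the strict form keeps the empty `userNameHeader` line out of the rendered file.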