Contact your administrator. (User roles: )
My remote-user variable seems to be set, as I am being recognized as my pre-authenticated user. I have performed some testing but I am stuck at the moment and not sure how to proceed.
Apache config:
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ProxyRequests Off
<LocationMatch /rundeck.*>
AuthType Basic
AuthName "Login"
AuthPAM_Enabled On
Require group my_group
Require valid-user
SetEnv AJP_REMOTE_USER_GROUPS "admin:testrole1:testrole2"
</LocationMatch>
RewriteEngine On
#SetEnv REMOTE_USER_GROUPS "admin:testrole1:testrole2"
SetEnv AJP_REMOTE_USER_GROUPS "admin:testrole1:testrole2"
I have also tested setting RequestHeaders and validated they are getting passed to Tomcat.
rundeck-config.properties:
# Preauthenticate users
rundeck.security.authorization.preauthenticated.enabled=true
rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS
rundeck.security.authorization.preauthenticated.delimiter=:
Any ideas what may be the problem here?
Thanks!
Tripp
Contact your administrator. (User roles: )
I am passing custom headers X-Forwarded-Uuid and X-Forwarded-Roles from my authentication script. Since the user is being recognized, the first header X-Forwarded-Uuid is passed correctly to rundeck and X-Forwarded-Roles is not.
However, if I set up Apache to add headers like: RequestHeader set X-Forwarded-Roles "admin:user", this works and I can access my rundeck projects normally. But I can't do it this way as all the users connecting will have the admin privilege in rundeck. I want to pass the headers from my auth script.
Any suggestions?
Regards,
Kundan
Hi,
Thank you for the reply. I have this in my service.log.
++++++++++++++++++++
Configuring Spring Security Core ...
... finished configuring Spring Security Core
2019-03-01 12:08:12.598 INFO --- [ main] rundeckapp.BootStrap : Starting Rundeck 3.0.16-20190223 (2019-02-23) ...
2019-03-01 12:08:12.601 INFO --- [ main] rundeckapp.BootStrap : using rdeck.base config property: /var/lib/rundeck
2019-03-01 12:08:12.632 INFO --- [ main] rundeckapp.BootStrap : loaded configuration: /etc/rundeck/framework.properties
2019-03-01 12:08:12.662 INFO --- [ main] rundeckapp.BootStrap : RSS feeds disabled
2019-03-01 12:08:12.662 INFO --- [ main] rundeckapp.BootStrap : Using builtin realm authentication
2019-03-01 12:08:12.676 INFO --- [ main] rundeckapp.BootStrap : Preauthentication is enabled
2019-03-01 12:08:12.697 INFO --- [ main] rundeckapp.BootStrap : Rundeck is ACTIVE: executions can be run.
2019-03-01 12:08:12.852 WARN --- [ main] rundeckapp.BootStrap : [Development Mode] Usage of H2 database is recommended only for development and testing
2019-03-01 12:08:12.858 INFO --- [ main] rundeckapp.BootStrap : Rundeck startup finished in 334ms
+++++++++++++++++++++++++
There are no errors in the log.
If I set a request header in Apache (which is running as a reverse proxy) config like below:
RequestHeader set X-Forwarded-Roles "myuser"
RequestHeader set X-Forwarded-Roles "admin:user"
This works without any issue. I can access rundeck normally. But that does not solve my problem as I have to hardcode the roles in Apache. So, I need a way to dynamically set headers from my custom auth script. In my script I have done this:
<script>
function call_cors(username, role)
{
    var url = 'https://abc/rundeck/';
    var http = new XMLHttpRequest();
    http.open('GET', url, false);
    http.setRequestHeader('X-Forwarded-Uuid', username);
    http.setRequestHeader('X-Forwarded-Roles', role);
    http.send();
    window.location.replace(url);
}
</script>";
Without setting the headers in Apache, if I use the above script, the username value is successfully passed to rundeck as I can see my username in the rundeck page. However, role is empty and I think rundeck is not accepting the X-Forwarded-Roles header properly from the script. Is this a bug or am I missing something?
My Apache config looks like below:
+++++++++++++++++++++++
SSLProxyEngine On
ProxyRequests Off
RewriteEngine On
ServerName abc
DocumentRoot /var/www/html
<Location /rundeck>
RewriteCond %{REQUEST_URI} !^/rundeck/rundeckauth/
RewriteCond %{HTTP_COOKIE} !^.*rundeck=(.*)_([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /rundeck/rundeckauth/?/rundeck/%{QUERY_STRING} [L,PT]
RewriteCond %{REQUEST_URI} !^/rundeck/rundeckauth/
RewriteCond %{HTTP_COOKIE} ^.*rundeck=(.*)_([a-zA-Z0-9]+)
RewriteCond /var/www/rundeckauth/state/%2 !-f
RewriteRule ^(.*)$ /rundeck/rundeckauth/?/rundeck/%{QUERY_STRING} [L,PT]
</Location>
+++++++++++++++++++++++++++++++
Regards,
KK
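Added example, not part of the thread and not Rundeck or Apache code: headers set with XMLHttpRequest.setRequestHeader apply only to that one request, and anything the browser sends is client-controlled, so in a preauthenticated setup the role header is built at the trusted proxy hop from server-side session state. The sketch below shows that logic; the function name, the in-memory session Map and the sample tokens are constructed assumptions, and the cookie shape follows the RewriteCond in the post above.

```javascript
// Added example: identity headers are rebuilt at the trusted proxy hop and
// never taken from the browser. All names here are hypothetical.
const IDENTITY_HEADERS = ['x-forwarded-uuid', 'x-forwarded-roles'];

// Same cookie shape the RewriteCond in the post matches: rundeck=<prefix>_<token>
const COOKIE_RE = /(?:^|;\s*)rundeck=([^;]*)_([a-zA-Z0-9]+)(?:;|$)/;

// Constructed stand-in for the per-token state the auth script keeps server-side.
const sessions = new Map([
  ['tok123abc', { user: 'alice', roles: ['user'] }],
  ['tok456def', { user: 'bob', roles: ['admin', 'user'] }],
]);

// User and role names are limited to a conservative character set so a
// value cannot smuggle in the role delimiter or a header line break.
const SAFE_NAME = /^[A-Za-z0-9_.-]+$/;

// Returns the headers to forward upstream, or null when the request has no
// valid session and must be sent back to the login page.
function buildUpstreamHeaders(incoming, store, delimiter = ':') {
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    const key = name.toLowerCase();
    // Drop any client-supplied copy of the identity headers.
    if (!IDENTITY_HEADERS.includes(key)) out[key] = value;
  }

  const match = COOKIE_RE.exec(out.cookie || '');
  if (!match) return null;

  const session = store.get(match[2]);
  if (!session) return null;

  const namesOk = SAFE_NAME.test(session.user) &&
    session.roles.every((role) => SAFE_NAME.test(role));
  if (!namesOk) return null;

  // Identity comes only from server-side state, joined with the same
  // delimiter configured in rundeck-config.properties.
  out['x-forwarded-uuid'] = session.user;
  out['x-forwarded-roles'] = session.roles.join(delimiter);
  return out;
}
```
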