Eucalyptus 4.4.4 Eucaconsole Immediate Logout of All Credentials - eucalyptus

I have a new Eucalyptus installation and new Eucaconsole installation. I have created users with login profiles and passwords assigned and verified them as not expired and enabled.
No matter what account/user/pass I log into the console with (even invalid accounts) I am delivered to a password reset page. The password reset appears to work but when I then click on any other part of the console or the generate keys button I am logged out and the whole problem starts again. The freshly changed password is asked to be changed again. I'm seeing errors nowhere in my logs. I see this in the eucaconsole_nginx_access.log each time this occurs.
10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"
10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "GET /managecredentials?came_from=&expired=true&account=console&username=admin HTTP/1.1" 200 4447 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"
10.0.0.7 - - [09/Nov/2018:13:14:59 -0500] "GET /static/4.4.4/html/help/console_manage_credentials.html HTTP/1.1" 304 0 "https://cloud/managecredentials?came_from=&expired=true&account=console&username=admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"
Did I miss an important piece in my setup, or is this some kind of bug? The fact that it happens even for invalid credentials and nonsense users that don't exist is an interesting detail, but I haven't been able to make sense of it in a useful way.
FINAL: I abandoned this and rebuilt after the 4.4.5 release and all is working.

For admin users in an account, setting a password (e.g. euare-usermodloginprofile or euare-useraddloginprofile) should be sufficient to allow console access.
When you add non-admin users to an account they will not have permission to perform any actions until you grant access via iam policy. Using the console you can access the details for a user and use ADD ACCESS POLICY under GENERAL / PERMISSIONS. You can pick a predefined policy such as User access or Monitor access to get started.
http://docs.eucalyptus.cloud/eucalyptus/4.4.4/index.html#shared/console_user_detail_general.html

Piggybacking on Steve's response, this is what I do for the admin group of the account. Save the file as admin-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Then import the policy for the group. For example, my accounting group is isp-services and my admin group is isp-services-admins. Be sure your user is part of the group.
euare-groupuploadpolicy --as-account "isp-services" -g isp-services-admins -p AccountAdminAccessPolicy-isp-services-admins -f admin-policy.json

Related

How to debug a wordpress plugin that gives timeout

I have a site that has some plugins, and one of those plugins (facebook for woocommerce) is loading until it returns a timeout error (504). I can change some constants in wp-config.php, but none of them works when I need to debug a timeout.
I tried to remove every configuration and file that I found from this plugin and then reinstall it, but the error is still there.
I tried to deactivate every other plugin but woocommerce, and the error is still there.
I looked for some debug plugins, but I only found plugins that change wp-config.php constants and do some logs at files. It is useless, I can do this.
I tried to put some "die" with messages in plugin's code, but nothing changed.
Server log just shows this:
x.x.x.x - - [09/Nov/2020:17:52:56 -0300] "xxxxx.com" "GET /wp-admin/admin.php?page=wc-facebook HTTP/1.1" 504 160 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0" "-"
I don't know what I can do to debug this timeout; I've tried everything I know with WordPress.
I solved it by asking on the plugin's forum: https://wordpress.org/support/topic/plugin-page-giving-timeout-504/#post-13687667
I just needed to activate WP_DEBUG and WP_DEBUG_LOG flags. I discovered the line that was breaking the site and then I could properly debug and find the problem.

WSO2 Identity server - SAML - redirection page keeps loading forever instead of taking me to the application

I am implementing the single sign on functionality using WSO2 identity server as the identity provider, PHP-SimpleSamlPhp package and Drupal following this article https://wso2.com/library/articles/2014/10/wso2-identity-server-single-sign-on-with-drupal/
Everything has been setup successfully as below.
1. Access the drupal app login page and click on the federated link
2. This redirects you to the WSO2 IS login page as expected
3. You enter the credentials (stored in WSO2) and click login
4. The page redirects you to the samlsso URL https://localhost:9443/samlsso?SAMLRequest=fZJNT....
5. This page keeps loading forever and the SAMLRequest value in the above URL keeps changing.
Logs
This shows up at point 2 above
TID: [-1234] [] [2020-04-12 18:48:14,334] [http://localhost/drupal-8.8.5/en/saml_login] INFO {org.opensaml.core.config.InitializationService} - Initializing OpenSAML using the Java Services API
This shows up at point 5 above
TID: [-1234] [2020-04-12 18:53:06,793] [http://localhost/drupal-8.8.5/en/saml_login] INFO {AUDIT_LOG} - Initiator=wso2.system.user Action=Get-User-List Target=null Data={"Claim Value":"ebdefe27-3912-4502-ad48-5b1a2ee30224","Users":["wickrema"],"Claim":"http://wso2.org/claims/userid"} Outcome=Success
TID: [-1234] [2020-04-12 18:53:06,793] [http://localhost/drupal-8.8.5/en/saml_login] INFO {AUDIT_LOG} - Initiator=wso2.system.user Action=Get-User-Claim-Values Target=wickrema Data={"Claims":{"http://wso2.org/claims/username":"wickrema","http://wso2.org/claims/userid":"ebdefe27-3912-4502-ad48-5b1a2ee30224","http://wso2.org/claims/created":"2020-04-11T20:53:00.424Z","http://wso2.org/claims/role":"Internal/everyone","http://wso2.org/claims/fullname":"wickrema","http://wso2.org/claims/modified":"2020-04-11T20:53:33.922Z","http://wso2.org/claims/emailaddress":"wickrema#abc.com","http://wso2.org/claims/lastname":"Edirisooriya","http://wso2.org/claims/givenname":"Wickrema","http://wso2.org/claims/resourceType":"User","http://wso2.org/claims/userprincipal":"wickrema"}} Outcome=Success
TID: [-1234] [2020-04-12 18:53:06,794] [http://localhost/drupal-8.8.5/en/saml_login] INFO {AUDIT_LOG} - Initiator : wickrema | Action : Login | Target : ApplicationAuthenticationFramework | Data : { "ContextIdentifier" : "4f08f619-e1dd-43be-8119-6cc7ea7238ee","AuthenticatedUser" : "wickrema","AuthenticatedUserTenantDomain" : "carbon.super","ServiceProviderName" : "simplesamlphp","RequestType" : "samlsso","RelyingParty" : "simplesaml","AuthenticatedIdPs" : "eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9.eyJpc3MiOiJ3c28yIiwiZXhwIjoxNTg2NzA2Nzg2NzcxMzAwMCwiaWF0IjoxNTg2NzA2Nzg2NzcxLCJpZHBzIjpbeyJpZHAiOiJMT0NBTCIsImF1dGhlbnRpY2F0b3IiOiJCYXNpY0F1dGhlbnRpY2F0b3IifV19." } | Result : Success
Images
More from the HTTP logs
0:0:0:0:0:0:0:1 - - [12/Apr/2020:20:04:20 +0300] GET /samlsso?SAMLRequest=fZJRT4MwEMe%2FCuk7a2EdyxpYMrcYl0wlG%2Frgi%2BlokSalxV5x%2Bu0FpnG%2B7KnN3f3%2B%2F7trU%2BCNbtmq87XZy%2FdOgg8%2BG22AjYkMdc4wy0EBM7yRwHzJDqv7HYsnhLXOeltajS6Q6wQHkM4ra1Cw3WTolc5oRZOjmJMpp1WViGRBovmUz%2BKSCCGiOJmRhSA0Iih4lg56MkO9UI8DdHJrwHPj%2BxCJSUhoGMVFNGeEspi8oGDTT6MM9yNVe98Cw1jbkuvagmcLSqd46BnAomD129raGuga6Q7SfahSPu13Z%2FiSxaCaVssBxo0VXX8dlTC04xmHvIRJW7f4BDYOoUVB%2FrOsG2WEMm%2FX93Q8FwG7K4o8zB8PBVqmgzAb53bLP%2F8UX8bT83s%2B9IrbTW61Kr%2BCW%2Bsa7q8bDhElwmosZd5xA0oa369Fa3taO8m9zJB3nUR4ebb8%2F2uW3w%3D%3D&RelayState=http%3A%2F%2Flocalhost%2Fdrupal-8.8.5%2Fen%2Fsaml_login HTTP/1.1 200 6020 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36 Edg/80.0.361.111 0.043
Below is the authsources and identity provider configuration
When I did a cookies check as suggested in the comments, this is what I found.
Adding answer as steps as requested
By design, domain names must have at least two dots; otherwise the browser will consider them invalid. (See reference on http://curl.haxx.se/rfc/cookie_spec.html)
When working on localhost, the cookie domain must be omitted entirely.
Modify the file /etc/hosts by adding the following entry
127.0.0.1 localhost.com
Then use the domain as localhost.com
For better cookie tracing in your browser, also follow the steps in the link https://brainshark.zendesk.com/hc/en-us/articles/205043644-Performing-a-Browser-Trace-Chrome

Troubleshooting ingress on kubernetes

I deployed an ingress controller to my Kubernetes cluster. However, when I try to access the pod I get HTTP 503. So I tried to find the problem by looking at the ingress controller's logs:
kubectl logs controllername-nginx-ingress-controller-6f486779b5-dnm8k -n kube-system
The piece of the log file that I'm interested in looks like this:
10.244.0.1 - [10.244.0.1] - - [10/Dec/2018:16:54:12 +0000] "GET /identity HTTP/2.0" 503 599 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" 271 0.000 [] - - - - d7f7ffd22d584e4a5da2b0fa2fae5665
As you can see, I see absolutely nothing interesting there. I'm wondering if it's the entire log message, as I see a bunch of dashes and a GUID value at the end.
Next I decided to enrich the ingress log files:
kubectl edit deploy -n kube-system controllername-nginx-ingress-controller
The deployment document shows up and I want to add an extra line to the args section:
spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --v=5   # <------------ this line
    # other arguments here
Once I close the deployment document I see this message:
error: deployments "misty-marmot-nginx-ingress-controller" is invalid
So what am I doing wrong? Is the log message really complete? In its current form it doesn't describe the error one bit. Also, why can't I change the logging level?
The problem appeared due to a formatting issue when editing the nginx-ingress-controller Kubernetes resource and was successfully fixed. However, for common research by community contributors, I would recommend taking a look at the general Troubleshooting guideline for any related Kubernetes cluster issues and the steps to resolve them.

Fail2ban for nginx post flood ignores time intervals

I'm trying to create a fail2ban filter that is going to ban the host when it sends over 100 POST requests over a 30-second interval.
jail.local:
[nginx-postflood]
enabled = false
filter = nginx-postflood
action = myaction
logpath = /var/log/nginx/access.log
findtime = 30
bantime = 100
maxretry = 100
nginx-postflood.conf
[Definition]
failregex = ^<HOST>.*"POST.*
ignoreregex =
Using grep I was able to test the regular expressions, and indeed it matches Host and POST requests.
The problem is that it bans any Host that performs at least one POST request. This likely means that it's not taking the findtime or maxretry options into consideration. In my opinion it's a timestamp issue.
Sample line of nginx log:
5.5.5.5 - user [05/Aug/2014:00:00:09 +0200] "POST /auth HTTP/1.1" 200 6714 "http://referer.com" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"
Any help?
I guess it may be too late for an answer, but anyway...
The excerpt you have posted has the filter disabled.
enabled = false
There is no mention of the Fail2Ban version, and syslog/fail2ban logs are missing for this jail.
I tested your Filter on fail2ban 0.9.3-1 and it works fine although I had to enable it and had to drop the line with action = myaction as you have not provided what you are expecting fail2ban to do.
Therefore this filter should work fine, provided that it's enabled and the action is correct as well.
What is happening in the provided example is that your filter is disabled and fail2ban is using another filter which checks the same log file and matches your regex but has more restrictive rules, i.e. ban after 1 request.
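How `findtime` and `maxretry` interact with the question's failregex, as an added example that is not part of the original posts: a sliding-window count over constructed nginx log lines. The IPv4-only pattern standing in for fail2ban's `<HOST>` tag, the function names, the sample hosts and the rule that a ban fires once the count reaches `maxretry` are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only); the rest is the page's failregex.
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*"POST.*')
TIMESTAMP = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def hosts_to_ban(lines, findtime=30, maxretry=100):
    """Return {host: time of ban} for hosts reaching maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)          # host -> match times still inside the window
    banned = {}
    for line in lines:
        m, ts = FAILREGEX.match(line), TIMESTAMP.search(line)
        if not m or not ts or m.group("host") in banned:
            continue
        when = datetime.strptime(ts.group(1), TIME_FORMAT)
        q = hits[m.group("host")]
        q.append(when)
        while when - q[0] > window:    # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m.group("host")] = when
    return banned


def make_log(host, start, count, step_seconds, method="POST"):
    """Constructed access-log lines shaped like the sample line in the question."""
    t0 = datetime.strptime(start, TIME_FORMAT)
    out = []
    for i in range(count):
        stamp = (t0 + timedelta(seconds=i * step_seconds)).strftime(TIME_FORMAT)
        out.append(f'{host} - user [{stamp}] "{method} /auth HTTP/1.1" 200 6714 "-" "Mozilla/5.0"')
    return out


def sample_lines():
    """One POST, a 24 s burst of 120 POSTs, 120 POSTs spread over 2 min, and a GET burst."""
    start = "05/Aug/2014:00:00:09 +0200"
    return (make_log("5.5.5.5", start, 1, 1) + make_log("6.6.6.6", start, 120, 0.2)
            + make_log("7.7.7.7", start, 120, 1) + make_log("8.8.8.8", start, 200, 0.1, "GET"))


if __name__ == "__main__":
    print(hosts_to_ban(sample_lines()))
```

With the jail's own values only the burst host is banned; calling the function with `maxretry=1` reproduces the ban-on-first-POST behaviour described in the question.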

Confused with syslog message format

I am a bit confused about syslog message format. I have to write a program that parses syslog messages. When I read what I get in my syslog-ng instance I get messages like this:
Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0
I can clearly determine the real message (which is, in this case, an Apache access log message). The rest is metadata about the syslog message itself.
However when I read the RFC 5424 the message examples look like:
without structured data
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
or with structured data
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...
So now I am a bit confused. What is the correct syslog message format? Is it a matter of spec version, where RFC 5424 obsoleted RFC 3164?
The problem in this case is that apache is logging via the standard syslog(3) or via logger. This only supports the old (RFC3164) syslog format, i.e. there is no structured data here.
In order to have the fields from the apache log show up as RFC5424 structured data, apache would need to format the log that way.
The first example is not proper RFC3164 syslog, because the priority value is stripped from the header. Proper RFC3164 format would look like this:
<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0
Traditionally rfc3164 syslog messages are saved to files with the priority value removed.
The other two are in RFC5424 format.
If you have access to the installed syslog daemon on the system, you could configure it to write the logs (received either locally or via the network) in a different format. rsyslogd, for instance, allows you to configure your own format (just write a template) and also, if I remember correctly, has a built-in template to store logs in JSON format. And there are libraries in almost any language to parse JSON.
EDIT: You could also make rsyslogd part of your program. rsyslog is very good at reading incoming syslog messages in either of the two RFC formats. You can then use rsyslog to output the message in JSON. This way rsyslog does all the decomposition of the message for you.
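The three layouts discussed in this thread (RFC 5424, RFC 3164 with its priority value, and RFC 3164 as stored in files without it) told apart in code, as an added example that is not from the original posts. The regular expressions, function name and returned field names are assumptions; the sample lines are the page's own, with the RFC's `BOM` placeholder written as a real U+FEFF and the Apache message shortened.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r'<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$', re.S)
# RFC 3164: [<PRI>]Mmm dd hh:mm:ss HOST TAG[pid]: MSG (PRI is absent in file-stored lines)
RFC3164 = re.compile(
    r'(?:<(?P<pri>\d{1,3})>)?(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$', re.S)
SD_ELEMENT = re.compile(r'\[(?P<id>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')


def parse_syslog(line):
    """Classify one syslog line and split its header; the MSG part is kept verbatim."""
    m, fmt = RFC5424.match(line), "rfc5424"
    if m is None:
        m, fmt = RFC3164.match(line), "rfc3164"
    if m is None:
        return {"format": "unknown", "msg": line}
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    rec["format"] = fmt
    if "pri" in rec:
        pri = int(rec.pop("pri"))
        if pri > 191:                        # PRI = facility * 8 + severity, max 23 * 8 + 7
            return {"format": "unknown", "msg": line}
        rec["facility"], rec["severity"] = divmod(pri, 8)
    else:
        rec["format"] = "rfc3164-no-pri"     # only RFC 3164 lines can lack the PRI
    if fmt == "rfc5424":
        rec["sd"] = {e.group("id"): dict(SD_PARAM.findall(e.group("params")))
                     for e in SD_ELEMENT.finditer(rec["sd"])}
        rec["msg"] = rec.get("msg", "").lstrip("\ufeff")   # drop the byte order mark
    return rec


# Sample lines from the page (BOM written as U+FEFF, Apache message shortened).
SAMPLES = [
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - \ufeff'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" '
    'eventSource="Application" eventID="1011"] \ufeffAn application event log entry...',
    '<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96',
    'Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96',
]

if __name__ == "__main__":
    print(*map(parse_syslog, SAMPLES), sep="\n")
```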
