Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2018/04/06 19:50:35 UTC

[GitHub] eligorio opened a new issue #2548: Upgrade to 4.11 and pre-existent saml2 authentication settings

eligorio opened a new issue #2548: Upgrade to 4.11 and pre-existent saml2 authentication settings
URL: https://github.com/apache/cloudstack/issues/2548
 
 
   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   SAML2 Auth plugin
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   4.11
   ~~~
   
   ##### CONFIGURATION
   Cloudstack 4.5.2 with SAML2 authentication working well on national federation.
   
   ##### OS / ENVIRONMENT
   Clean install of Cloudstack 4.11 on Ubuntu 16.04.4 LTS pointing to a copy of 4.5.2 cloudstack production database.
   
   ##### SUMMARY
   After upgrade from 4.5.2 to 4.11 ([parallel build process](http://www.shapeblue.com/cloudstack-upgrades-best-practices/)), http://IP:8080/client shows an error (HTTP ERROR 503 -
   Problem accessing /client/. Reason: Service Unavailable) and the UI does not load.
   
   It appears that the pre-existent content of columns "key" and "certificate" of rows with "name" content "SAMLSP_X509CERT" and "SAMLSP_KEYPAIR" needs some conversion, but the upgrade procedure did not do it.
   
   If we delete the old saml rows from the cloud.keystore table, /client works, but https://IP:8080/client/api?command=getSPMetadata returns a certificate different from the one registered on the national federation. And so, the authentication fails for our web users.
   
   ##### STEPS TO REPRODUCE
   1-) Do a clean install of Cloudstack 4.11.
   2-) Point this install to a copy of a 4.5.2 production database that has SAML2 authentication enabled and working inside a federation.
   3-) Start the cloudstack-management service and wait for completion of the database upgrades.
   4-) Try to access the UI interface.
   
   
   ##### EXPECTED RESULTS
   
   ~~~
   Can access and use a fully functional Cloudstack UI.
   ~~~
   
   ##### ACTUAL RESULTS
   ~~~
   HTTP ERROR 503
   Problem accessing /client/. Reason:
   
       Service Unavailable
   ~~~
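
The certificate mismatch described in the summary can be detected by comparing the fingerprint of the certificate in the metadata registered with the federation against the one in the metadata returned by getSPMetadata. The following is an added example, not part of the original issue or CloudStack's own code; the function names and the sample metadata are constructed for illustration, with placeholder bytes standing in for real DER certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def cert_fingerprints(metadata_xml):
    """Return the SHA-256 fingerprint (hex) of every X509Certificate in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for node in root.iter("{%s}X509Certificate" % DS_NS):
        # Metadata carries the DER certificate as base64, often wrapped across lines.
        der = base64.b64decode("".join((node.text or "").split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def sp_cert_unchanged(registered_xml, served_xml):
    """True only if the served metadata has certificates and all were already registered."""
    registered = set(cert_fingerprints(registered_xml))
    served = set(cert_fingerprints(served_xml))
    return bool(served) and served <= registered

def _sample_metadata(cert_bytes):
    # Constructed sample: placeholder bytes stand in for a DER certificate.
    b64 = base64.b64encode(cert_bytes).decode()
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="%s" entityID="sp.example.org">'
        '<md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        '<ds:X509Certificate>%s\n</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '</md:SPSSODescriptor></md:EntityDescriptor>' % (DS_NS, b64)
    )

# Constructed inputs: metadata as registered with the federation, and two
# possible getSPMetadata responses after the upgrade.
REGISTERED = _sample_metadata(b"constructed-cert-before-upgrade")
SERVED_SAME = _sample_metadata(b"constructed-cert-before-upgrade")
SERVED_DIFFERENT = _sample_metadata(b"constructed-cert-after-keystore-delete")

if __name__ == "__main__":
    print("keystore rows kept:   ", sp_cert_unchanged(REGISTERED, SERVED_SAME))
    print("keystore rows deleted:", sp_cert_unchanged(REGISTERED, SERVED_DIFFERENT))
```

Running such a check against the saved federation metadata before switching users to the upgraded management server shows whether the service provider certificate survived the upgrade.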
   
