Posted to users@httpd.apache.org by Torsten Krah <kr...@gmail.com> on 2018/01/24 10:48:45 UTC

[users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

I am using an arbitrary authentication with mod_lua which works so far.

Authentication is done via mod_lua:

https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid

Authorization is done via mod_authz_svn.

I did that and set r.user = 'foo' on the request - always the same user
for this example - which is neither the None, Form, Basic nor Digest
AuthType.

If a later authz_module in the stack, e.g. mod_authz_svn denies, based
on authorization rules in the authz access file, that request to the
user foo, you get the correct result (Forbidden):

[Wed Jan 24 10:46:27.544461 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:46:34.792089 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792152 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792167 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792176 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792570 2018] [lua:debug] [pid 7979:tid 140737136023296] lua_request.c(1848): [client 127.0.0.1:19868] AH01487: request_rec->dispatching debug -> lua_CFunction
[Wed Jan 24 10:46:34.792586 2018] [lua:debug] [pid 7979:tid 140737136023296] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19868] user foo: OK
[Wed Jan 24 10:46:34.792611 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:46:34.792664 2018] [authz_svn:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] Access denied: 'foo' GET basic_tests-10:/iota

The problem in terms of log output is the next line in the log:

[Wed Jan 24 10:46:34.792675 2018] [core:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] AH00571: need AuthType to note auth failure: /svn-test-work/repositories/basic_tests-10/iota

For every denied request I get that - but AuthType is from here:

https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype

I've implemented neither None, Basic, Digest nor Form - so I did not set that on purpose, I just used the LuaHookCheckUserID directive to implement my arbitrary authentication hook - so it's more something like AuthType == CUSTOM.

<Location /svn-test-work/repositories>
  DAV               svn
  SVNParentPath     "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require           valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps  off
</Location>

Can this check:

https://marc.info/?l=apache-httpd-dev&m=100690636419555&w=1

take into account that auth is configured via the mod_lua hooks and that AuthType is not set - authentication was done but access was denied to the user on purpose, so this should not log a core:error in that case. Opinions?

kind regards

Torsten
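As an added example that is not part of the original post and not mod_lua's own sample hook: a LuaHookCheckUserID script that actually validates Basic credentials against a constructed user table, paired with AuthType set to a custom string (the value "Lua" and the authz file path are assumptions), which is the direction Eric suggests further down the thread.

```lua
-- Added example (not the poster's auth.lua and not mod_lua's sample code):
-- a LuaHookCheckUserID hook that really validates HTTP Basic credentials.
-- Assumed companion config; the AuthType value "Lua" is a constructed
-- custom string, as suggested later in this thread:
--
--   <Location /svn-test-work/repositories>
--     AuthType           Lua
--     LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
--     AuthzSVNAccessFile "/path/to/authz"
--     Require            valid-user
--   </Location>
require 'apache2'

-- Constructed credential table: username -> SHA-1 hex digest of the password
-- (here the password is "foo"). A real store would use salted hashes.
local users = {
  foo = "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
}

-- Reject the request and challenge the client ourselves, so the hook does
-- not depend on a Basic/Digest provider's note_auth_failure hook.
local function deny(r, why)
  r:debug("authcheck: " .. why)
  r.err_headers_out['WWW-Authenticate'] = 'Basic realm="svn"'
  return 401
end

function authcheck_hook(r)
  local auth = r.headers_in['Authorization']
  if auth == nil or auth:sub(1, 6):lower() ~= "basic " then
    return deny(r, "no Basic credentials supplied")
  end
  local decoded = r:base64_decode(auth:sub(7))
  local user, pass = decoded:match("^([^:]+):(.*)$")
  if user == nil then
    return deny(r, "malformed Authorization header")
  end
  local expected = users[user]
  if expected == nil or r:sha1(pass) ~= expected then
    return deny(r, "bad credentials for '" .. user .. "'")
  end
  -- Authenticated: record the principal for the authz stage. mod_authz_svn
  -- may still refuse the path (Forbidden), but with AuthType set httpd has
  -- a type to note the failure with, so AH00571 is not logged.
  r.user = user
  r:debug("user " .. user .. ": OK")
  return apache2.OK
end
```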

Re: [users@httpd] Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Torsten Krah <kr...@gmail.com>.
On Thursday, 15.03.2018, 14:50 +0100, Daniel Gruno wrote:
> It would help if you elaborated more. A one-liner won't help us much in
> figuring out this issue.
> 
> What are you trying, what happens, and what did you expect?
> 
> With regards,
> Daniel

Hi Daniel,

this was just a short bump in the mail thread for the original e-mail
sent on:

Wed, 24 Jan 2018 11:48:45 +0100

So if you have a look at the first message please - it should have all
the info you've asked for.

Cheers

Torsten

PS: Archive link is that:

http://mail-archives.apache.org/mod_mbox/httpd-users/201801.mbox/%3C1516790925.12679.92.camel%40thorstenknbl1.mgm-edv.de%3E


Re: [users@httpd] Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Daniel Gruno <hu...@apache.org>.
On 03/15/2018 02:43 PM, Torsten Krah wrote:
> Opinions, anyone? Should I ask that on the dev list?
> 

It would help if you elaborated more. A one-liner won't help us much in
figuring out this issue.

What are you trying, what happens, and what did you expect?

With regards,
Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Torsten Krah <kr...@gmail.com>.
Opinions, anyone? Should I ask that on the dev list?

Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Torsten Krah <kr...@gmail.com>.
> Lots of things could be better. To me it is clear that the overall
> system expects an AuthType to be set if you will be doing authn and
> authz.

Thanks for the clarification - this was at least not clear to me.

> 
> The error message is one indication of that

But it appears only if the authorization backend does deny the access -
if it lets you pass, you won't get any error message.
So it's difficult to "know" that you should configure it.

> 
> IIUC, a normal authentication provider would check the configured
> AuthType. So it would not be ideal for Lua to programmatically
> configure it just because the hook has been implemented by a script.

Hm - the Lua authz provider here:

https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaauthzprovider

does not check that, nor do any of the other examples there.
So if I use that *normal* one from the example there and tweak it to my
needs I would not know what other providers in general would do -
*normal* makes assumptions about httpd internals in other places which
not everyone has.
Coming from a user perspective, wanting to use the things there, it's
hard to *know* such things - if you're a familiar httpd developer of
course it seems clear to you.

...
This can be used to implement arbitrary authentication and authorization
checking.
...

To sum it up:

I should set AuthType if I am using some of those handlers, correct?
And do we agree that the docs should mention that?

> 
> > And I am curious - why is it dangerous? If it is dangerous - shouldn't the
> > docs have some note about this added?
> > Reading them I was under the impression - and because httpd does not
> > bail about it - that it's not needed when using the Lua handlers.
> 
> To me it's dangerous because to me it looks like
> unintended/undesigned/undefined config/behavior in the area of access
> control and that error message is the hint.

That sounds feasible - but to users of httpd + mod_lua who just read
the docs and do not study the code of other providers - how should
they know that this is an undefined config / behaviour?

The examples and docs IMHO should mention that, shouldn't they?

And wouldn't it be a good idea to let httpd configtest fail if those
auth handlers are used but no AuthType is set - just to avoid undefined
behaviour?

kind regards

Torsten

Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 15, 2018 at 10:50 AM, Torsten Krah <kr...@gmail.com> wrote:
> On Thursday, 15.03.2018, 10:44 -0400, Eric Covener wrote:
>> I think you should be setting it to a customized string or an existing
>> one if you want a fallthrough behavior.  Anything else seems
>> undefined/dangerous.
>
> The Lua docs do not say anywhere that I should set AuthType, searching for
> it on:
>
> https://httpd.apache.org/docs/trunk/mod/mod_lua.html
>
> So is this a *must* have to set additionally? Wouldn't it be better
> if httpd either errored out when it finds one of those Lua auth
> handler directives without an AuthType, or just set one implicitly,
> e.g. AuthType LUA, when the configuration is parsed?

Lots of things could be better. To me it is clear that the overall
system expects an AuthType to be set if you will be doing authn and
authz.

The error message is one indication of that

IIUC, a normal authentication provider would check the configured
AuthType. So it would not be ideal for Lua to programmatically
configure it just because the hook has been implemented by a script.

> And I am curious - why is it dangerous? If it is dangerous - shouldn't the
> docs have some note about this added?
> Reading them I was under the impression - and because httpd does not
> bail about it - that it's not needed when using the Lua handlers.

To me it's dangerous because to me it looks like
unintended/undesigned/undefined config/behavior in the area of access
control and that error message is the hint.



Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Torsten Krah <kr...@gmail.com>.
On Thursday, 15.03.2018, 10:44 -0400, Eric Covener wrote:
> I think you should be setting it to a customized string or an existing
> one if you want a fallthrough behavior.  Anything else seems
> undefined/dangerous.

The Lua docs do not say anywhere that I should set AuthType, searching for
it on:

https://httpd.apache.org/docs/trunk/mod/mod_lua.html

So is this a *must* have to set additionally? Wouldn't it be better
if httpd either errored out when it finds one of those Lua auth
handler directives without an AuthType, or just set one implicitly,
e.g. AuthType LUA, when the configuration is parsed?

And I am curious - why is it dangerous? If it is dangerous - shouldn't the
docs have some note about this added?
Reading them I was under the impression - and because httpd does not
bail about it - that it's not needed when using the Lua handlers.

kind regards

Torsten

Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

Posted by Eric Covener <co...@gmail.com>.
> I've implemented neither None, Basic, Digest nor Form - so I did not set that on purpose, I just used the LuaHookCheckUserID directive to implement my arbitrary authentication hook - so it's more something like AuthType == CUSTOM.

I think you should be setting it to a customized string or an existing
one if you want a fallthrough behavior.  Anything else seems
undefined/dangerous.
