CloudStack / CLOUDSTACK-10327

SSO fails with error "Session Expired", except for root admin


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 4.11.0.0
    • Fix Version/s: None
    • Component/s: API
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels: None

    Description

      CloudStack SSO (using security.singlesignon.key) no longer works with CloudStack 4.11, since commit 9988c26.

      This commit introduced a new feature (the ability to limit admin API calls to a network CIDR), but the accompanying refactoring also introduced a regression: every API request that is not "validated" now generates the same error (401 - Unauthorized) and invalidates the session.

      However, during an SSO login, CloudStack has executed (since ACS 4.7) a call to "listConfigurations", an API command reserved for root admins. A user who is not a root admin does not have the privileges for this command.

      With CloudStack up to 4.10, an error 432 was returned (and ignored):

      {"errorresponse":{"uuidList":[],"errorcode":432,"cserrorcode":9999,"errortext":"The user is not allowed to request the API command or the API command does not exist"}}

      With CloudStack 4.11, the error 432 is replaced by an error 401 and the session is invalidated. The subsequent API calls then fail with the error "Session Expired" and the user cannot log in.

      {"listconfigurationsresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}

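The following is an added example, not part of the issue or of CloudStack: it models the two server behaviours described above in a small fake (a constructed stand-in, with the "Session Expired" JSON shape assumed since the report only quotes the message) and replays the post-login sequence, "listConfigurations" followed by an ordinary call, to tell a harmless 432 from the session-dropping 401.

```python
# Error texts quoted in the report; everything else here is constructed.
NOT_ALLOWED = ("The user is not allowed to request the API command "
               "or the API command does not exist")
BAD_CREDS = "unable to verify user credentials and/or request signature"


class FakeCloudStack:
    """Constructed model of the behaviour in CLOUDSTACK-10327 (not CloudStack
    code): listConfigurations is root-admin only; 4.10 answers 432 and keeps
    the session, 4.11 answers 401 and invalidates it."""

    def __init__(self, version, is_root_admin):
        self.version = version          # e.g. (4, 10) or (4, 11)
        self.is_root_admin = is_root_admin
        self.session_valid = True

    def send(self, command):
        # Assumed shape for the "Session Expired" answer (not quoted in the report).
        if not self.session_valid:
            return 401, {"errorresponse": {"errorcode": 401,
                                           "errortext": "Session Expired"}}
        if command == "listConfigurations" and not self.is_root_admin:
            if self.version < (4, 11):
                return 432, {"errorresponse": {"errorcode": 432,
                                               "cserrorcode": 9999,
                                               "errortext": NOT_ALLOWED}}
            self.session_valid = False  # the regression: unauthorized command drops the session
            return 401, {"listconfigurationsresponse": {"errorcode": 401,
                                                         "errortext": BAD_CREDS}}
        return 200, {command.lower() + "response": {"count": 0}}


def error_code(body):
    """Return errorcode from a CloudStack response whatever the wrapper key
    (errorresponse vs <command>response); None means success."""
    for val in body.values():
        if isinstance(val, dict) and "errorcode" in val:
            return int(val["errorcode"])
    return None


def probe_sso_regression(send):
    """Replay the sequence from the report and classify the outcome:
    'ok' (root admin), 'ignored-432' (pre-4.11), 'regression' (session dropped)."""
    _, body = send("listConfigurations")
    first = error_code(body)
    _, body = send("listAccounts")        # any ordinary follow-up call
    if error_code(body) is not None:
        return "regression"               # follow-up failed: session was invalidated
    return "ok" if first is None else "ignored-432"
```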

People

    Olivier Lemasle (olemasle)