Page MenuHomePhabricator
Create Task
Maniphest T154860

Keystone is weirdly case-sensitive when checking 2fa creds
Closed, ResolvedPublic
Actions

Description

I just get

An error occurred authenticating. Please try again later.

My 2fa is enabled on wikitech.

Details

SubjectRepoBranchLines +/-
Keystone 2fa: Use the wikitech API rather than checking the db directly.operations/puppetproduction+184 -68
Customize query in gerrit

Event Timeline

dschwen created this task.Jan 8 2017, 4:50 AM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptJan 8 2017, 4:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Legoktm subscribed.Jan 8 2017, 4:53 AM

Using wrong pw or 2fa code gives "Invalid credentials" so this appears to be something different.

dschwen added a comment.Jan 8 2017, 4:59 AM

I tried disabling and re-enabling 2fa. Still the same error.

zhuyifei1999 subscribed.Jan 8 2017, 11:24 AM
Luke081515 subscribed.Jan 8 2017, 11:47 AM

Seems like a user-specific problem. Login works for me.

Paladox subscribed.Jan 8 2017, 12:38 PM
dschwen added a comment.Jan 9 2017, 12:14 AM

Yeah, well, still not working for me. Maybe somebody could take a look.

bd808 renamed this task from Unable to log into horizon.wikimedia.org to User dschwen unable to log into horizon.wikimedia.org (An error occurred authenticating. Please try again later.).Jan 22 2017, 1:00 AM
chasemp added subscribers: Andrew, chasemp.Mar 16 2017, 7:54 PM

@dschwen still happening? @Andrew ping if so

dschwen added a comment.Mar 16 2017, 8:01 PM

Yes, it is still happening.

chasemp added a comment.Mar 16 2017, 8:14 PM

@dschwen is 2fa working for you via wikitech currently? Can you disable and renable 2fa and see if it works in both venues?

Andrew added a comment.Mar 16 2017, 8:15 PM

Most often this is a result of clock drift on the device providing the 2fa code. Rebooting your phone might help.

dschwen added a comment.EditedMar 16 2017, 8:22 PM

I'll try that, but I seriously doubt this is the issue here. I use GA for a whole bunch of services and horizon is the only one that gives me grief. (and compared to https://time.is/ my phone is within one second)

Also, @Legoktm mentioned above:

Using wrong pw or 2fa code gives "Invalid credentials" so this appears to be something different.

dschwen added a comment.Mar 16 2017, 9:44 PM

Yeah, no change

dschwen added a comment.Mar 17 2017, 9:17 PM

Ok, up till now I had no pressure to get on horizon, but I need to rebuild an instance now, and being unable to log in is becoming a major showstopper for me now. I'd really appreciate some help on this.

Andrew added a comment.Mar 17 2017, 10:21 PM

This is because of a case mismatch between ldap and mediawiki. The mediawiki user_name table had the username 'Dschwen' but ldap had the cn as 'dschwen'.

Keystone was first looking the user up in ldap (case insensitive, as you might hope) but then our custom 2fa keystone plugin used the cn from the ldap record to do a query in the oathauth db. The ensuing case mismatch threw a 400.

I've changed dschwen's ldap cn to be 'Dschwen' and all is well. It appears that all semi-modern ldap records already have a cn that matches the mediawiki username, so probably this is a legacy of some tiny bug in OSM from many years ago.

NEVERTHELESS -- this is stupid and shouldn't happen. Keystone should either use bd808's 2fa auth plugin, or do something moderately smarter when searching for the 2fa token.

Andrew claimed this task.Mar 17 2017, 10:22 PM
chasemp closed this task as Resolved.Mar 21 2017, 12:05 PM
Andrew reopened this task as Open.Mar 21 2017, 1:41 PM

Fixing dschwen's login was a bit of a hack... I'd like to keep this open until the actual cause of the issue is addressed.

Andrew triaged this task as Medium priority.Mar 21 2017, 1:41 PM
gerritbot subscribed.Mar 28 2017, 9:03 PM

Change 345231 had a related patch set uploaded (by Andrew Bogott):
[operations/puppet@production] Keystone 2fa: Use the wikitech API rather than checking the db directly.

https://gerrit.wikimedia.org/r/345231

gerritbot added a project: Patch-For-Review.Mar 28 2017, 9:03 PM
Andrew renamed this task from User dschwen unable to log into horizon.wikimedia.org (An error occurred authenticating. Please try again later.) to Keystone is weirdly case-sensitive when checking 2fa creds.Mar 30 2017, 6:24 PM
gerritbot added a comment.Apr 3 2017, 3:51 PM

Change 345231 merged by Andrew Bogott:
[operations/puppet@production] Keystone 2fa: Use the wikitech API rather than checking the db directly.

https://gerrit.wikimedia.org/r/345231

Andrew closed this task as Resolved.Apr 3 2017, 5:26 PM

I believe this to be fixed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL