
icinga login case mismatch
Open, Medium, Public

Description

About half the time I try to ack something in icinga I get a permission denied error. That is because for some reason I have two icinga accounts, one is "Andrew Bogott" and one is "andrew bogott".

"Andrew Bogott" is the account name I use on every other wmf website but that account does not have the access rights to do anything in icinga. "andrew bogott" has the rights I need on icinga but I never remember to log in that way.

Also, icinga sessions are long-lived and icinga doesn't present a 'log out' button so once I've logged in as Andrew Bogott I have to live with it for weeks or do some kind of fancy thing to clear my cookies.

I know I am not the only person suffering from this issue and it is extremely annoying and disruptive, causing many mistaken pages and delayed acks.

Event Timeline

Restricted Application added a subscriber: Aklapper.

To clarify: it seems that if I log in to icinga with a MiXEd but inCORreCt case username icinga cheerfully creates me an account with that name and my actual sso password, then logs me in as that user, but provides no actual access rights. It needs to pick a lane and either apply rights or not log me in at all.

Peachey88 updated the task description.
Peachey88 removed a project: LDAP.

Icinga itself can't be blamed because the login in front of Icinga does not come from Icinga. It's us who slapped that in front of it at one point in the past because of some security vulnerability and then we never questioned if it can be removed again. Before that Icinga used to be public (to read, not to run commands on it).

That login is not case-sensitive and allows both versions.

Icinga itself just knows one user name ("contact"), the one that has privileges and is case sensitive. Any user has the right to view everything but not to run commands.

Some users have solved this by simply adding both capitalized and non-capitalized versions to the Icinga config. See modules/icinga/files/cgi.cfg and authorized_for_system_information.

examples:

Razzi,razzi
arielglenn,ArielGlenn

etc
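The mismatch described above can be checked mechanically against a cgi.cfg-style file. This is an added example, not part of the original task or of the operations/puppet repository; the sample config, the contact names and the function names are constructed for illustration, and the example assumes the frontend passes the login name through with whatever case the user typed.

```python
import re
from collections import defaultdict

# Constructed sample in cgi.cfg style; the contact names are made up.
SAMPLE_CGI_CFG = """\
# authorization section (constructed)
authorized_for_system_information=Alice Example,alice example,Bob Admin
authorized_for_all_service_commands=alice example,Bob Admin
authorized_for_all_host_commands=Bob Admin
"""

DIRECTIVE = re.compile(r"^\s*(authorized_for_\w+)\s*=\s*(.*)$")

def parse_authorized(cfg_text):
    """Return {directive: set of contact names}; comment lines are skipped."""
    acl = defaultdict(set)
    for line in cfg_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            acl[m.group(1)].update(n.strip() for n in m.group(2).split(",") if n.strip())
    return dict(acl)

def check_login(acl, login):
    """Classify directives for the login name the frontend hands to Icinga.
    'granted': exact, case-sensitive match, the only kind Icinga honours.
    'case_only': matches only when case is ignored, i.e. the login succeeds
    at the frontend but carries no rights for that directive."""
    result = {}
    for directive, names in acl.items():
        if login in names:
            result[directive] = "granted"
        elif login.casefold() in {n.casefold() for n in names}:
            result[directive] = "case_only"
    return result

def missing_variants(acl):
    """Spellings listed under some directives but absent from others that
    already list the same name in a different case."""
    spellings = defaultdict(set)
    for names in acl.values():
        for n in names:
            spellings[n.casefold()].add(n)
    gaps = {}
    for directive, names in acl.items():
        absent = set().union(*(spellings[n.casefold()] for n in names)) - names
        if absent:
            gaps[directive] = absent
    return gaps
```

A `case_only` result for any directive is the situation reported in this task; `missing_variants` lists where the "add both spellings" workaround was applied to one directive but not to another.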

jijiki triaged this task as Medium priority. Mar 29 2021, 9:18 PM

Change 792613 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] icinga: Added Camel Case version of my name as authorized user

https://gerrit.wikimedia.org/r/792613

One proposal (which may or may not be possible) would be to standardize on all-lowercase logins in icinga config, and then have our login frontend force everything to lowercase before passing to the backend.

I'm tempted to say we should do that with EVERY tool that is fronted by the SSO UI but maybe that's overkill.

It's also possible that we should just close this as invalid and accept that the correct solution is to fix the capitalization of usernames in the icinga config.

I'm ok to stick with capitalized names since that's the convention and AFAICT the default / expected format.

Change 792613 merged by Andrew Bogott:

[operations/puppet@production] icinga: Added Camel Case version of my name as authorized user

https://gerrit.wikimedia.org/r/792613