Closed ahelsing closed 9 years ago
A couple of suggestions --- maybe pick one that y'all like philosophically, and that's easy:
[Sun Sep 08 16:01:04 2013] [error] [client 128.89.254.98] DB ERROR: "connect failed" for query "SELECT * FROM idp_account_request WHERE request_state='DELETED'", referer: https://shib-idp1.gpolab.bbn.com/manage/acct_actions.php
could be fatal --- that error shows up in the apache error log when i browse to [https://shib-idp1.gpolab.bbn.com/manage/display_accounts.php], but it doesn't prevent me from loading that page or taking actions. It could.
COULD NOT CHANGE STATUS OF REQUEST FOR DELETED ACCOUNT WITH USERNAME=chaos
but that failure doesn't get logged at all as far as i can tell.
Trac comment by chaos on 09-08-2013 at 16:05
For approve/deny/delete, log first. If log fails, do not perform action. If log succeeds and action fails, add FAILED comment to log For all errors, print message in tool and in apache error log
Trac comment by phelinek on 09-09-2013 at 16:26
I'm still seeing this issue using the geni-ar-0.2 package:
aslund,[~],14:05(0)$ dpkg -l geni-ar
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii geni-ar 0.2 GENI account request management
aslund,[~],14:08(0)$
aslund,[~],14:08(0)$ sudo slapcat -F /etc/ldap/slapd.d | grep uid=chaos
dn: uid=chaos,ou=people,dc=shib-idp1,dc=gpolab,dc=bbn,dc=com
aslund,[~],14:08(0)$
/var/log/apache2/error.log
) shows:[Wed Sep 11 14:10:18 2013] [error] [client 128.89.73.13] DB ERROR: "connect failed" for query "SELECT * FROM idp_account_request WHERE request_state='DELETED'", referer: https://shib-idp1.gpolab.bbn.com/manage/
[Wed Sep 11 14:10:18 2013] [error] [client 128.89.73.13] PHP Warning: Invalid argument supplied for foreach() in /usr/share/geni-ar/protected/display_accounts.php on line 94, referer: https://shib-idp1.gpolab.bbn.com/manage/
[Wed Sep 11 14:11:51 2013] [error] [client 128.89.73.13] Failed to change request state for deleted account for chaos, referer: https://shib-idp1.gpolab.bbn.com/manage/display_accounts.php
[Wed Sep 11 14:11:51 2013] [error] [client 128.89.73.13] DB ERROR: "connect failed" for query "SELECT * FROM idp_account_request WHERE request_state='DELETED'", referer: https://shib-idp1.gpolab.bbn.com/manage/display_accounts.php
[Wed Sep 11 14:11:51 2013] [error] [client 128.89.73.13] PHP Warning: Invalid argument supplied for foreach() in /usr/share/geni-ar/protected/display_accounts.php on line 94, referer: https://shib-idp1.gpolab.bbn.com/manage/display_accounts.php
aslund,[~],14:12(0)$ sudo slapcat -F /etc/ldap/slapd.d | grep uid=chaos
aslund,[~],14:13(1)$
Trac comment by chaos on 09-11-2013 at 14:13
The function add_log()
in browser:geni-ar/protected/log_actions.php isn't returning a value so the check in browser:geni-ar/protected/acct_actions.php can't work.
Trac comment by tmitchel (github user: tcmitchell) on 09-11-2013 at 14:18
That was a bug - I added the return code to add_log_with_comment() and add_comment() but not to add_log(). It should be fixed now, but I'll hold off closing the ticket until Chaos verifies in her test environment
Trac comment by phelinek on 09-11-2013 at 15:18
I've tested this pretty thoroughly, turning postgres off, also tested with ldap off. So I'm closing the ticket.
Trac comment by phelinek on 09-12-2013 at 18:26
I agree, this is now fixed. Thanks!
Trac comment by chaos on 09-13-2013 at 13:15
If geni-ar is successfully talking to LDAP but not successfully talking to the postgresql database, it is still possible to take account actions, which are then not audited.
For instance, from
display_accounts.php
, it is possible to delete an account without postgresql configured correctly. The delete succeeds, but is not logged. This is bad, because it means that account modifications can happen without auditing if the system is in a bad state, and i think it would be easy to improve at least somewhat.Imported from trac ticket #22, created by chaos on 09-08-2013 at 16:01, last modified: 09-13-2013 at 16:07