OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Could not load chain azuread-load-groups #107

Closed dlorent closed 3 months ago

dlorent commented 3 months ago

Running on-prem using the Argo install example, configured to use OIDC/Azure. I followed the guide and I get:

Invalid Login
You are not authorized for failed authentication. If you feel you received this message in error, please contact your system administrator or help desk.

If I remove the "include_auth_chain: azuread-load-groups" everything seems to work if the ClusterRoleBinding is set up with kind: User and a specific user. Setting it to Group prevents me from accessing it (tried with both the group name and the group ID).

Did I miss a step regarding azuread-load-groups?

/usr/local/openunison/work/webapp/WEB-INF/lib/*:/usr/local/openunison/work/webapp/WEB-INF/classes:/tmp/quartz
[2024-04-11 11:28:33,791][main] WARN  OpenUnisonServletFilter - No context paths present, assuming the config path is WEB-INF/unison.xml
[2024-04-11 11:28:37,564][main] WARN  BrokerRegistry - Broker localhost not started so using local instead
[2024-04-11 11:28:37,760][main] WARN  BrokerRegistry - Broker localhost not started so using local instead
[2024-04-11 11:28:38,076][main] WARN  OpenShiftTarget - gitUrl not found
  Scheduler class: 'org.quartz.core.QuartzScheduler' - running locally.
  NOT STARTED.
  Currently in standby mode.
  Number of jobs executed: 0
  Using thread pool 'org.quartz.simpl.SimpleThreadPool' - with 3 threads.
  Using job-store 'org.quartz.simpl.RAMJobStore' - which does not support persistence. and is not clustered.

[2024-04-11 11:28:38,755][main] WARN  ProvisioningEngineImpl - No listeners defined
[2024-04-11 11:28:38,812][main] WARN  AzRule - Custom rule 'require-session' not referenced by any authorization rules
[2024-04-11 11:28:38,935][main] WARN  UrlHolder - Could not process url : ''
java.net.MalformedURLException: no protocol:
        at java.base/java.net.URL.<init>(URL.java:645) ~[?:?]
        at java.base/java.net.URL.<init>(URL.java:541) ~[?:?]
        at java.base/java.net.URL.<init>(URL.java:488) ~[?:?]
        at com.tremolosecurity.config.util.UrlHolder.<init>(UrlHolder.java:125) [unison-sdk-1.0.40.jar:?]
        at com.tremolosecurity.config.util.UnisonConfigManagerImpl.addAppInternal(UnisonConfigManagerImpl.java:882) [unison-server-core-1.0.40.jar:?]
        at com.tremolosecurity.config.util.UnisonConfigManagerImpl.addApplication(UnisonConfigManagerImpl.java:799) [unison-server-core-1.0.40.jar:?]
        at com.tremolosecurity.proxy.dynamicconfiguration.LoadApplicationsFromK8s.addObject(LoadApplicationsFromK8s.java:476) [unison-applications-k8s-1.0.40.jar:?]
        at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:154) [unison-applications-k8s-1.0.40.jar:?]
        at com.tremolosecurity.proxy.dynamicconfiguration.LoadApplicationsFromK8s.loadDynamicApplications(LoadApplicationsFromK8s.java:447) [unison-applications-k8s-1.0.40.jar:?]
        at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:587) [unison-server-core-1.0.40.jar:?]
        at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369) [unison-server-core-1.0.40.jar:?]
        at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118) [open-unison-classes-1.0.40.jar:?]
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605) [undertow-servlet-2.3.12.Final.jar:2.3.12.Final]
        at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:357) [openunison-on-undertow-1.0.40.jar:?]
[2024-04-11 11:28:39,063][main] WARN  ScaleToken - QR Code Attribute not found
[2024-04-11 11:28:39,150][main] WARN  ScaleMain - requireReason not found
[2024-04-11 11:28:39,152][main] WARN  ScaleMain - jitWorkflow not found
[2024-04-11 11:28:39,153][main] WARN  ScaleMain - sub Required not found
[2024-04-11 11:28:39,153][main] WARN  ScaleMain - sub Reg Ex not found
[2024-04-11 11:28:39,153][main] WARN  ScaleMain - sub Reg Ex Failed Message not found
[2024-04-11 11:28:39,154][main] WARN  ScaleMain - sub Minimum Characters not found
[2024-04-11 11:28:39,154][main] WARN  ScaleMain - sub Maximum Characters not found
[2024-04-11 11:28:39,154][main] WARN  ScaleMain - sub Attribute Type not found
[2024-04-11 11:28:39,172][main] WARN  ScaleToken - QR Code Attribute not found
[2024-04-11 11:28:43,873][Thread-21] WARN  SessionManagerImpl - Clearing 0 sessions
[2024-04-11 11:29:00,053][local_Worker-1] WARN  OpenShiftTarget - Unexpected result calling 'https://kubernetes.default.svc/apis/openunison.tremolo.io/v3/namespaces/infrastructure/oidc-sessions' - 404 / 404 page not found

[2024-04-11 11:29:43,873][Thread-21] WARN  SessionManagerImpl - Clearing 0 sessions
[2024-04-11 11:30:40,078][XNIO-1 task-1] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail
[2024-04-11 11:30:43,874][Thread-21] WARN  SessionManagerImpl - Clearing 1 sessions
[2024-04-11 11:30:54,088][XNIO-1 task-2] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail
[2024-04-11 11:30:54,340][XNIO-1 task-2] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AuthManager - Authentication mechanism 'fail' does not exist, will always fail
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AlwaysFail - In AlwaysFail authentication mechanism
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail

argocd-application.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: default
  ignoreDifferences:
  - group: "admissionregistration.k8s.io"
    kind: "ValidatingWebhookConfiguration"
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true
  source:
    repoURL: 'https://nexus.tremolo.io/repository/helm'
    targetRevision: 2.3.54
    helm:
      values: |-
        network:
          openunison_host: "k8s-ou.xxxx"
          dashboard_host: "k8s-dash.xxxxx"
          api_server_host: "k8s-api.xxxx"
          session_inactivity_timeout_seconds: 900
          k8s_url: https://xxxxxxx:6443
          force_redirect_to_tls: false
          createIngressCertificate: false
          ingress_type: nginx
          ingress_annotations:
            external-dns.alpha.kubernetes.io/target: xxxxxx
            cert-manager.io/cluster-issuer: nginx-http01

        myvd_config_path: "WEB-INF/myvd.conf"
        k8s_cluster_name: xxxxxxxxx
        enable_impersonation: true

        impersonation:
          use_jetstack: true
          explicit_certificate_trust: true

        dashboard:
          namespace: "kubernetes-dashboard"
          cert_name: "kubernetes-dashboard-certs"
          label: "k8s-app=kubernetes-dashboard"
          service_name: kubernetes-dashboard
          require_session: true

        certs:
          use_k8s_cm: false

        trusted_certs: []

        monitoring:
          prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

        oidc:
          client_id: xxxxxxxx
          issuer: https://login.microsoftonline.com/xxxxxxx/v2.0/
          user_in_idtoken: true
          domain: ""
          scopes: openid email profile
          claims:
            sub: upn
            email: email
            given_name: given_name
            family_name: family_name
            display_name: name
            groups: roles
          azure:
            tennant_id: xxxxxxxxx

        network_policies:
          enabled: false
          ingress:
            enabled: true
            labels:
              kubernetes.io/metadata.name: ingress-nginx-internet
          monitoring:
            enabled: true
            labels:
              kubernetes.io/metadata.name: monitoring
          apiserver:
            enabled: true
            labels:
              kubernetes.io/metadata.name: kube-system

        services:
          enable_tokenrequest: false
          token_request_audience: api
          token_request_expiration_seconds: 600
          node_selectors: []

        openunison:
          replicas: 1
          non_secret_data:
            K8S_DB_SSO: oidc
            PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s

          secrets: []
          html:
            prefix: openunison
          enable_provisioning: false
          include_auth_chain: azuread-load-groups
    chart: orchestra-login-portal-argocd
  destination:
    server: 'https://xxxxxxx:6443'
    namespace: infrastructure

mlbiam commented 3 months ago

[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AuthManager - Could not load chain 'azuread-load-groups', forcing to fail
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AuthManager - Authentication mechanism 'fail' does not exist, will always fail
[2024-04-11 11:30:54,342][XNIO-1 task-2] WARN  AlwaysFail - In AlwaysFail authentication mechanism

It looks like the additional chart orchestra-login-azuread wasn't deployed. You'll need to create a new Application that includes this chart and sync it after the application that deploys orchestra-login-portal-argocd. (The latest RC for ArgoCD includes the ability to have multiple sources. I haven't tried it yet, but this will hopefully eliminate the need for multiple Application objects.)
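
The second ArgoCD Application that the reply above calls for, written here as an added example (it is not from the issue or from the OpenUnison project) that reuses the repoURL, destination and namespace of the portal Application posted in the issue. The chart version, the project name and the sync-wave annotation are assumptions: the version is a placeholder because the issue does not give it, and sync-wave only orders the two Applications when both are children of an app-of-apps, otherwise this one is synced manually after the portal. The log in the issue shows why the order matters: with the chain missing, OpenUnison fails closed and every login is routed to AlwaysFail.

```yaml
# Added example, not the project's own manifest. Deploys the
# orchestra-login-azuread chart, which provides the azuread-load-groups chain
# referenced by include_auth_chain in the portal Application.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-azuread
  namespace: argocd
  annotations:
    # Assumption: the portal Application sits in wave "0" under the same
    # app-of-apps, so wave "1" syncs this chart after it.
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: default
  source:
    repoURL: 'https://nexus.tremolo.io/repository/helm'
    chart: orchestra-login-azuread
    # Placeholder: the chart version is not stated in the issue.
    targetRevision: "<CHART_VERSION>"
  destination:
    # Same cluster and namespace as the portal Application in the issue.
    server: 'https://xxxxxxx:6443'
    namespace: infrastructure
```

After the sync, the AuthManager "Could not load chain 'azuread-load-groups'" warnings should stop appearing on login; if they persist, the chart was deployed to a different namespace than the portal.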

dlorent commented 3 months ago

That makes sense.

I just tested it, and everything seems to be working now.

Thanks for the help & thumbs up for the quick response.