nerc-project / operations

Issues related to the operation of the NERC OpenShift environment

bug: prod log in with github user schwesig creates error #583

Closed schwesig closed 1 month ago

schwesig commented 1 month ago

Steps to recreate

  1. go to https://console.apps.shift.nerc.mghpcc.org/dashboards
  2. Log in with menu, select github
  3. error message: Could not create user.

Screenshots

[two screenshots of the login error were attached; not reproduced here]

additional information

  1. login with mss-keycloak, my redhat google user works
  2. github user schwesig is part of nerc-ops
  3. also checking cluster console: schwesig is part of the nerc-ops group in the prod cluster
schwesig commented 1 month ago

@larsks @jtriley can you help? or who can? cc/fyi @Milstein @computate

larsks commented 1 month ago

The issue here was that there was an existing user named schwesig on nerc-ocp-prod, but it was linked to a Keycloak identity rather than a GitHub identity. This suggests that at some point in the past @schwesig logged in via Keycloak but used GitHub rather than Google as the IDP. This resulted in a User object that looked like:

apiVersion: user.openshift.io/v1
fullName: /Thor(sten)?/ Schwesig
groups: null
identities:
- mss-keycloak:schwesig
kind: User
metadata:
  name: schwesig

After deleting the existing user and identity...

k delete user schwesig
k delete identity mss-keycloak:schwesig

Thorsten was able to log in. The new User object looks like:

apiVersion: user.openshift.io/v1
fullName: /Thor(sten)?/ Schwesig
groups: null
identities:
- github:89909507
kind: User
metadata:
  name: schwesig

Part of the issue here is that we have the oauth mapping method for the github oauth provider configured to the default value, claim:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - mappingMethod: claim
    name: github
    type: GitHub
    ...

From the documentation, this means:

Provisions a user with the identity’s preferred user name. Fails if a user with that user name is already mapped to another identity.

If we wanted someone to log in using a GitHub identity via both GitHub and Keycloak, we could change the mappingMethod to add:

Provisions a user with the identity’s preferred user name. If a user with that user name already exists, the identity is mapped to the existing user, adding to any existing identity mappings for the user. Required when multiple identity providers are configured that identify the same set of users and map to the same user names.

But since we're only using GitHub for operator logins, the number of people potentially impacted by this behavior is small, and as I've said previously I think we should probably simplify our authentication configuration.
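As an added illustration (not code from this thread and not OpenShift's own implementation), here is a small Python model of how the OAuth mappingMethod decides whether a new identity gets a User. It reproduces the failure above under claim, shows the add behaviour that was discussed, and goes beyond the two quoted settings by also modelling the documented lookup and generate values. The Cluster class, the user and identity names, and the sample state are all constructed for the example.

```python
# Added example: model of OpenShift's OAuth mappingMethod semantics (claim, add,
# lookup, generate) applied to User and Identity objects. Written for this page;
# the Cluster type and the sample state below are constructed, not real cluster data.
from __future__ import annotations

from dataclasses import dataclass, field


class MappingError(Exception):
    """Login could not be mapped to a User (the console's 'Could not create user')."""


@dataclass
class User:
    name: str                      # metadata.name
    identities: list[str] = field(default_factory=list)   # "<provider>:<id>"


@dataclass
class Cluster:
    """Minimal stand-in for user.openshift.io/v1 User and Identity objects."""
    users: dict[str, User] = field(default_factory=dict)       # name -> User
    identities: dict[str, str] = field(default_factory=dict)   # identity -> user name

    def user_for(self, identity: str) -> User | None:
        name = self.identities.get(identity)
        return self.users.get(name) if name else None

    def delete_user(self, name: str) -> None:          # like `k delete user <name>`
        self.users.pop(name, None)

    def delete_identity(self, identity: str) -> None:  # like `k delete identity <id>`
        self.identities.pop(identity, None)


def login(cluster: Cluster, provider: str, provider_user_id: str,
          preferred_username: str, mapping_method: str = "claim") -> User:
    """Resolve or provision the User for one IDP login under the given mappingMethod."""
    if mapping_method not in ("claim", "add", "lookup", "generate"):
        raise ValueError(f"unknown mappingMethod {mapping_method!r}")
    identity = f"{provider}:{provider_user_id}"
    existing = cluster.user_for(identity)
    if existing is not None:            # identity already mapped: always that user
        return existing
    if mapping_method == "lookup":      # lookup never provisions anything
        raise MappingError(f"{identity} has no identity mapping")
    name = preferred_username
    if name in cluster.users:           # preferred name is taken by another identity
        owner = cluster.users[name]
        if mapping_method == "claim":
            raise MappingError(
                f"Could not create user: {name} already mapped to {owner.identities}")
        if mapping_method == "add":
            owner.identities.append(identity)
            cluster.identities[identity] = name
            return owner
        n = 2                           # generate: pick a free name such as schwesig2
        while f"{preferred_username}{n}" in cluster.users:
            n += 1
        name = f"{preferred_username}{n}"
    user = User(name, [identity])
    cluster.users[name] = user
    cluster.identities[identity] = name
    return user


def reproduce_thread() -> tuple[str, list[str]]:
    """Stale Keycloak-linked user blocks a GitHub login under claim; deleting both fixes it."""
    cluster = Cluster()
    login(cluster, "mss-keycloak", "schwesig", "schwesig")        # old login via keycloak
    try:
        login(cluster, "github", "89909507", "schwesig")           # claim (the default)
        outcome = "unexpected success"
    except MappingError as err:
        outcome = str(err)
    cluster.delete_user("schwesig")
    cluster.delete_identity("mss-keycloak:schwesig")
    fixed = login(cluster, "github", "89909507", "schwesig")
    return outcome, fixed.identities


def with_add_mapping() -> list[str]:
    """Same sequence, but the github provider is configured with mappingMethod: add."""
    cluster = Cluster()
    login(cluster, "mss-keycloak", "schwesig", "schwesig")
    user = login(cluster, "github", "89909507", "schwesig", mapping_method="add")
    return user.identities


if __name__ == "__main__":
    print(reproduce_thread())
    print(with_add_mapping())
```

The model treats an already-mapped identity as authoritative before looking at the preferred username, which is why the second GitHub login in reproduce_thread resolves cleanly once the stale User and Identity are gone; in a real cluster that resolution is done by the Identity object's user reference rather than a dict.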

schwesig commented 1 month ago

Thanks @larsks for our call, solving this, and putting the solution in here ❤️