
Cannot log in to Lagoon logs UI


Describe the bug

The Lagoon logs UI (Kibana or Opensearch Dashboards) gets a cookie from Keycloak which passes role information to the logs UI in order to enforce index viewing permissions.

If the user is in too many groups, this cookie can get so large that it reaches the de facto browser limit of 4096 bytes and is rejected by the browser.

This causes a redirect loop when trying to log in to the logs UI.

To Reproduce

Steps to reproduce the behavior:

  1. Add a user to lots of projects in Lagoon
  2. User visits the logs UI
  3. User cannot login and encounters a “too many redirects” error.

Expected behavior

Lagoon should avoid creating such a large cookie.

Screenshots

n/a

Additional context

In order to add users to a project a user must be OWNER within a project group. This means that a Lagoon user who is OWNER in their main customer group which contains all their projects will often also want to be OWNER in individual project groups which will increase the likelihood of hitting this bug.

The code creating the cookie looks roughly like this:

var ArrayList = Java.type("java.util.ArrayList");
var groupsAndRoles = new ArrayList();
var forEach = Array.prototype.forEach;
// add all groups the user is part of
forEach.call(user.getGroups().toArray(), function(group) {
	// remove the group role suffixes
	// lets check if the group has a parent if this is a child
	if(group.getFirstAttribute("type") == "role-subgroup") {
		var parent = group.getParent();
		if(parent.getFirstAttribute("type") == "project-default-group") {
			var projectIds = parent.getFirstAttribute("lagoon-projects");
			if(projectIds !== null) {
				forEach.call(projectIds.split(","), function(g) {
					groupsAndRoles.add("p" + g);
				});
				return;
			}
		}
	}
	var groupName = group.getName().replace(/-owner|-maintainer|-developer|-reporter|-guest/gi,"");
	groupsAndRoles.add(groupName);
	return;
});
// add all roles the user is part of
forEach.call(user.getRoleMappings().toArray(), function(role) {
	var roleName = role.getName();
	groupsAndRoles.add(roleName);
});
exports = groupsAndRoles;

This adds roles for all the projects that the user is an OWNER of even if the user is already an OWNER of a group that contains the project.

Could this code be improved to inspect the lagoon-projects annotation on the group and avoid adding the individual project roles where the user already has index view permissions for the project via a group? That would significantly reduce the cookie size in the common case outlined above.

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 7 (7 by maintainers)

Top GitHub Comments

1 reaction
shreddedbacon commented, May 31, 2022

I have something that appears to work, it’s in the test infrastructure now and playing around with groups/clearing cookies etc returns the expected results.

it creates 2 maps

  • one map is projectid:custom-group (all the user created groups)
  • one map is projectid:project-group (all the project default groups)

it removes all the custom-group projectids from the project-group map so that only unique ungrouped project roles remain

then goes over the remaining 2 maps to add all the unique roles for the user to the exported array

var ArrayList = Java.type("java.util.ArrayList");
var HashMap = Java.type("java.util.HashMap");
var HashSet = Java.type("java.util.HashSet");

var groupsAndRoles = new ArrayList();
var groupProjectIds = new HashMap();
var projectGroupProjectIds = new HashMap();

var forEach = Array.prototype.forEach;
// add all groups the user is part of
forEach.call(user.getGroups().toArray(), function(group) {
	// remove the group role suffixes
	// lets check if the group has a parent if this is a child
	var groupName = group.getName().replace(/-owner|-maintainer|-developer|-reporter|-guest/gi,"");
	if(group.getFirstAttribute("type") == "role-subgroup") {
		var parent = group.getParent();
		var projectIds = parent.getFirstAttribute("lagoon-projects");
		if(parent.getFirstAttribute("type") == "project-default-group") {
			if(projectIds !== null) {
				forEach.call(projectIds.split(","), function(g) {
					projectGroupProjectIds.put(g, groupName)
				});
				return;
			}
		} else {
			if(projectIds !== null) {
				forEach.call(projectIds.split(","), function(g) {
					groupProjectIds.put(g, groupName)
				});
				return;
			}
		}
	}
	return;
});

// add all the unique project ids roles the user has, that aren't in an already existing group
projectGroupProjectIds.keySet().removeAll(groupProjectIds.keySet());
for each (var e in projectGroupProjectIds.keySet()) groupsAndRoles.add("p"+e);

// now add all the users groups
var uniqueGroups = new HashSet(groupProjectIds.values());
for each (var e in uniqueGroups) groupsAndRoles.add(e);

// add all roles the user is part of
forEach.call(user.getRoleMappings().toArray(), function(role) {
	var roleName = role.getName();
	groupsAndRoles.add(roleName);
});
exports = groupsAndRoles;
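
Added example, not part of the original issue or of Lagoon's code: a plain Node.js model of the issue's mapper and of the de-duplication described in the comment above, run over a constructed user to compare the serialized role list with the 4096-byte limit. Group names, the "customer-group" type and the sample project ids are assumptions, and role mappings are left out because both versions handle them identically.

```javascript
const SUFFIX = /-owner|-maintainer|-developer|-reporter|-guest/gi;
const COOKIE_LIMIT = 4096; // de facto browser limit cited in the issue

// Mirrors the issue's mapper: "p<id>" per project-default-group project, stripped name otherwise.
function originalRoles(groups) {
  const out = [];
  for (const g of groups) {
    const p = g.parent;
    if (g.type === "role-subgroup" && p.type === "project-default-group" && p.projects !== null) {
      p.projects.split(",").forEach((id) => out.push("p" + id));
    } else out.push(g.name.replace(SUFFIX, ""));
  }
  return out;
}

// Mirrors the comment's approach: skip "p<id>" when a custom group covers the project.
function dedupedRoles(groups) {
  const viaGroup = new Map(), viaProject = new Map(); // projectId -> group name
  for (const g of groups) {
    if (g.type !== "role-subgroup" || g.parent.projects === null) continue;
    const target = g.parent.type === "project-default-group" ? viaProject : viaGroup;
    const name = g.name.replace(SUFFIX, "");
    g.parent.projects.split(",").forEach((id) => target.set(id, name));
  }
  const out = [...viaProject.keys()].filter((id) => !viaGroup.has(id)).map((id) => "p" + id);
  return out.concat([...new Set(viaGroup.values())]);
}

// Serialized size of the role list only; the real cookie carries more (assumption).
const claimBytes = (roles) => Buffer.byteLength(JSON.stringify(roles), "utf8");

// Constructed sample user: OWNER of customer group "acme" (projects 1..n), OWNER of each
// project's default group, plus ungrouped project 9001. Names and the "customer-group"
// type are placeholders, not Lagoon's real values.
function sampleGroups(n) {
  const ids = Array.from({ length: n }, (_, i) => String(i + 1));
  const groups = [{ name: "acme-owner", type: "role-subgroup",
    parent: { type: "customer-group", projects: ids.join(",") } }];
  for (const id of [...ids, "9001"]) {
    groups.push({ name: "project-site" + id + "-owner", type: "role-subgroup",
      parent: { type: "project-default-group", projects: id } });
  }
  return groups;
}

const sample = sampleGroups(700);
for (const [label, roles] of [["original", originalRoles(sample)], ["deduped", dedupedRoles(sample)]]) {
  console.log(label, roles.length, "entries", claimBytes(roles), "bytes, limit", COOKIE_LIMIT);
}
```

In this model a group whose parent has no lagoon-projects attribute contributes nothing to the de-duplicated list, which is also how the script in the comment behaves.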

0 reactions
tobybellwood commented, May 31, 2022

This would have to be done in hand with removing the project-specific roles. The only personalised tenant+roles created would be for those people who don’t use a group currently, so the numbers of roles shouldn’t explode (in fact, they should reduce).

Not creating an alternative to the project-groups would render those users unable to view anything in kibana, hence this idea?
