Upgrade to 4.11 and pre-existent saml2 authentication settings

[eligorio]

ISSUE TYPE

• Bug Report

COMPONENT NAME

SAML2 Auth plugin

CLOUDSTACK VERSION

4.11

CONFIGURATION

Cloudstack 4.5.2 with SAML2 authentication working well on national federation.

OS / ENVIRONMENT

Clean install of Cloudstack 4.11 on Ubuntu 16.04.4 LTS pointing to a copy of 4.5.2 cloudstack production database.

SUMMARY

After upgrade from 4.5.2 to 4.11 (parallel build process) the http://IP:8080/client show an error (HTTP ERROR 503 -
Problem accessing /client/. Reason: Service Unavailable) and UI does not load.

It appears that pre-existent content of columns "key" and "certificate" of rows with "name" content "SAMLSP_X509CERT" and "SAMLSP_KEYPAIR" need some conversion, but the upgrade procedure did not made it.

If we delete the old saml rows from cloud.keystore table, the /client works but https://IP:8080/client/api?command=getSPMetadata returns an certificate different from that registered on national federation. And so, the authentication fails for our web users.

STEPS TO REPRODUCE

1-) Do a clean install of Cloudstack 4.11.
2-) Point this install to a copy of 4.5.2 production database that has SAML2 authentication enabled and working inside an federation.
3-) Run cloudstack-setup-databases.
4-) Run cloudstack-setup-management and wait for upgrade completion and cloudstack-management service start.
5-) Try to access the UI interface

EXPECTED RESULTS

Can access and use a fully functional Cloudstack UI.

ACTUAL RESULTS

HTTP ERROR 503
Problem accessing /client/. Reason:

    Service Unavailable

[yadvr]

Hi @eligorio, I've received a similar email privately. The upgrade steps can be amended to not run cloudstack-setup-databases. Instead, shutdown old mgmt server(s), take db backup for cloud, cloud_usage tables, run cloudstack-setup-databases without --deploy-as (i.e. to add a new management server, without deploying a new database), and start new mgmt server. See if can still reproduce the issue. The upgrade process should not alter the SAMLSP_KEYPAIR and SAMLSP_X509CERT keys/certs in the cloud.keystore table. On new installations, this is only created when SAML plugin is enabled.

If the proposed upgrade process was indeed used, and in case this is a bug I can test this and get back to you after next week.

[eligorio]

We reproduced the issue using the recipe of your last comment.

[borisstoyanov]

Is there anyone working on this issue in order get it 4.11.1?

[yadvr]

Looks like this is a regression, I'll handle it after next week. I think I know the cause @borisstoyanov. As you can see I've already assigned the issue to myself.

[yadvr]

@eligorio I could reproduce and I've fixed the issue. You may test upgrade+saml2 login using this PR: #2616
If you're looking for a rpm repo to test against, I'll share that next week on dev ML. I'll close the PR, thanks.