I had this working well when my user was only a member of 2 groups and I configured the groups in initial-data.conf:

```
{
    teams: [
        {
            subjectId: "Administrators",
            teamName: "Administrators",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "Domain Users",
            teamName: "Domain Users",
            description: "All users, including anonymous.",
            permissions: [ ]
        }
    ]
}
```
When I added an additional group to the user in my upstream auth, causing the reverse proxy auth header to contain more groups, I was no longer able to log in and was presented with this in the logs:

```
17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
io.cloudbeaver.DBWebException: Error:
  Error saving user teams in database
.....
Caused by: org.jkiss.dbeaver.model.exec.DBCException: Error saving user teams in database
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.setUserTeams(CBEmbeddedSecurityController.java:222)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2454)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2160)
    at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1565)
    at io.cloudbeaver.service.auth.RPSessionHandler.reverseProxyAuthentication(RPSessionHandler.java:130)
    ... 61 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
  Detail: Key (team_id)=(Qsync) is not present in table "cb_team".
```

Here's my auth config as well:

```
authConfigurations: [
    {
        id: "reverseProxy",
        provider: "reverseProxy",
        displayName: "Reverse Proxy",
        disabled: false,
        iconURL: "",
        description: "Authelia Reverse Proxy with ingress-nginx",
        parameters: {
            full-name-header: "Remote-Name",
            user-header: "Remote-User",
            team-header: "Remote-Groups",
            team-delimiter: ",",
            logout-url: "https://auth.${SECRET_DOMAIN}/logout?rd\u003dhttps://cloudbeaver.${SECRET_DOMAIN}"
        }
    }
]
```

I can resolve the issue by adding the qsync group to my config, but I don't believe I should need to do this because CloudBeaver should be able to deal with a user being a member of a group it doesn't know about.
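
An operator-side triage script for the failure reported above, added here as an example; it is not part of the original report and not CloudBeaver code. It reads the two log line shapes quoted in the report and lists which groups from the proxy header have no matching `subjectId` in initial-data.conf. The function names, `CONFIGURED_TEAMS` and `SAMPLE_LOG` are assumptions constructed from the text above.

```python
import re

# Constructed inputs: the subjectId values from the initial-data.conf above and
# four of the log lines quoted in the report.
CONFIGURED_TEAMS = {"Administrators", "Domain Users"}
SAMPLE_LOG = """\
17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
Detail: Key (team_id)=(Qsync) is not present in table "cb_team".
"""

# Login attempt line written by RPSessionHandler at DEBUG level.
AUTH_RE = re.compile(
    r"DEBUG \S+RPSessionHandler - Attempting to authenticate user "
    r"'(?P<user>[^']*)' with teams \[(?P<teams>[^\]]*)\]"
)
# PostgreSQL detail line naming the team_id that is missing from cb_team.
FK_RE = re.compile(
    r'Key \(team_id\)=\((?P<team>.*)\) is not present in table "cb_team"'
)


def split_team_header(value, delimiter=","):
    """Split a group list on the configured team-delimiter, dropping blanks."""
    return [t.strip() for t in value.split(delimiter) if t.strip()]


def triage(log_text, configured):
    """Return one finding per reverse-proxy login attempt found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            teams = split_team_header(m["teams"])
            findings.append({
                "user": m["user"],
                "teams": teams,
                # Groups sent by the proxy that have no configured team.
                "unknown": [t for t in teams if t not in configured],
                "fk_missing": [],
            })
            continue
        m = FK_RE.search(line)
        # Assumption: the detail line carries no thread id, so it is attributed
        # to the most recent attempt; interleaved logins can blur this.
        if m and findings:
            findings[-1]["fk_missing"].append(m["team"])
    return findings
```

A finding whose `unknown` list is non-empty identifies a login that fails in the way shown in the report until the team is defined or the upstream proxy stops sending that group.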