Web UI only works on leader server #3697

Closed
hynek opened this issue Dec 28, 2017 · 4 comments · Fixed by #3722

@hynek
Contributor

hynek commented Dec 28, 2017

Nomad version

Nomad v0.7.1 (0b295d399d00199cfab4621566babd25987ba06e)

Operating system and Environment details

Ubuntu Xenial on AMD64.

Issue

I’m using ACLs.

I’m trying to access the Web UI but on every server and client except for the leader, the UI flashes shortly and then I get a

Server Error

A server error prevented data from being sent to the client.

[Screenshot: nomad 2017-12-28 19-43-45]

error message before being able to enter a token. I’ve tried Safari, Chrome, and Firefox.

The browser console looks like this:

[Screenshot: nomad 2017-12-28 19-40-58]

The only relevant log messages on the server side are these two:

Dec 28 19:48:03 c-0175 nomad-server[232]:     2017/12/28 19:48:03.879031 [ERR] http: Request /v1/nodes, error: rpc error: Permission denied
Dec 28 19:48:03 c-0175 nomad-server[232]:     2017/12/28 19:48:03.879388 [DEBUG] http: Request /v1/nodes (1.565328ms)
Dec 28 19:48:03 c-0175 nomad-server[232]:     2017/12/28 19:48:03.879815 [ERR] http: Request /v1/agent/members, error: Permission denied
Dec 28 19:48:03 c-0175 nomad-server[232]:     2017/12/28 19:48:03.880152 [DEBUG] http: Request /v1/agent/members (472.674µs)

It’s unfortunate because I would like to use https://nomad.service.consul:4646 as the canonical URL (AFAIK, it’s impossible to determine the leader using a tag like with Vault?).

Interestingly, the API works just fine – I’m not getting any errors when using the nomad CLI client with NOMAD_ADDR set to https://nomad.service.consul:4646


Is this behaviour intended or documented? I don’t seem to be able to find anything on Google or GitHub which is deeply confusing me.


FTR, a successful request looks like this:
[Screenshot: nomad 2017-12-28 19-52-59]

in the browser.

Reproduction steps

  • have more than 1 nomad server
  • activated ACLs
  • anonymous has no policy
  • try to access web ui on a server that isn’t the leader
@ashald

ashald commented Dec 28, 2017

We've run into the same issue. Interestingly enough, injecting a proper X-Nomad-Token header actually "fixes" the error.

P.S.: We didn't modify the anonymous user's permissions so it cannot see anything. Maybe when it has some access this issue won't show up? Not sure about that though.

@pznamensky

I can confirm that the UI works fine when the anonymous user is allowed to read everything.

schmichael added a commit that referenced this issue Jan 5, 2018
Fixes #3697

The existing code and test case only covered the leader behavior. When
querying against non-leaders the error has an "rpc error: " prefix.

To provide consistency in HTTP error response I also strip the "rpc
error: " prefix for 403 responses as they offer no beneficial additional
information (and in theory disclose a tiny bit of data to unauthorized
users, but it would be a pretty weird bit of data to use in a malicious
way).
@schmichael
Member

Thanks for the bug report @hynek! PR is up and will be in the next release. No easy workaround in the meantime unfortunately.
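
An added illustration of the bug the commit message describes (not Nomad's code and not part of the original thread): an HTTP layer that picks status codes by exact string comparison treats the forwarded `rpc error: Permission denied` from a non-leader as a generic failure, while a prefix-aware mapper returns the same 403 and body on every server. The function names and the fall-through to a 500 are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-ins for the two error strings seen in the log lines above.
const permDenied, rpcPrefix = "Permission denied", "rpc error: "

// exactMatch models the "before" behaviour: only the leader's unprefixed
// error is recognised as a 403 (the 500 fall-through is an assumption).
func exactMatch(err error) (int, string) {
	if err.Error() == permDenied {
		return http.StatusForbidden, permDenied
	}
	return http.StatusInternalServerError, err.Error()
}

// prefixAware also recognises the forwarded form and strips the prefix, so
// leader and non-leader return an identical 403 body.
func prefixAware(err error) (int, string) {
	if strings.TrimPrefix(err.Error(), rpcPrefix) == permDenied {
		return http.StatusForbidden, permDenied
	}
	return http.StatusInternalServerError, err.Error()
}

// respond runs one mapper through a real handler and returns status and body.
func respond(mapper func(error) (int, string), err error) (int, string) {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, msg := mapper(err)
		http.Error(w, msg, code)
	})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/v1/nodes", nil))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, e := range []error{errors.New(permDenied), errors.New(rpcPrefix + permDenied)} {
		c1, _ := respond(exactMatch, e)
		c2, b2 := respond(prefixAware, e)
		fmt.Printf("%-30q exact=%d prefixAware=%d body=%q\n", e.Error(), c1, c2, b2)
	}
}
```

A regression test for this kind of mapping needs a case for each path the error can take to the HTTP layer, which is the gap the commit message points out in the original test.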

schmichael added a commit that referenced this issue Jan 9, 2018
@github-actions

github-actions bot commented Dec 4, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2022