[dev.icinga.com #6582] sso auth provider causing not null constraint violation w/ pgsql 'user_email' column

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/6582

Created by roberte on 2014-06-26 03:10:07 +00:00

Assignee: (none)
Status: New
Target Version: Backlog
Last Update: 2015-05-18 12:18:02 +00:00 (in Redmine)

Icinga Version: 1.11.5-0
Icinga Web Version: 1.11.1-1
IDO Version: 1.11.5-0
OS Version: fedcore20/3.14.8-200.fc20.x86_64
DB Type: PostgreSQL
DB Version: 9.3.4
Browser Version: FF 30.0 / mod_proxy

---

My system passes usernames to icinga-web via the REMOTE_USER http header. As documented in [3]. i.e. "auth_create = auth_update = true" set for http-basic-authentication in ./app/modules/AppKit/config/auth.xml

I get a stack trace when I hit the icinga-web page [1].

The issue seems to be that icinga-web is issuing a postgres insert statement that does not define a value for a field that is mandatory not-null on the nsm_user table.

ERROR:  null value in column "user_email" violates not-null constraint
DETAIL:  Failing row contains (36, 0, robert, robert, robert, redacted, redacted, null, null, null, 0, 2014-06-25 05:17:38, 2014-06-25 05:17:38, null).
STATEMENT:  INSERT INTO nsm_user (user_account, user_authsrc, user_disabled, user_firstname, user_lastname, user_name, user_salt, user_password, user_created, user_modified) VALUES ($1, $2, $3, ...

My workaround is;
Alter table nsm_user alter column user_email set default 'root@localhost.local';

This is always reproduceable.

[1]

Uncaught AppKitPHPError thrown:
PHP Error Undefined property: Doctrine_Connection_Pgsql_Exception::$getMessage (/usr/share/icinga-web/app/modules/AppKit/models/Auth/DispatchModel.class.php:363)
Stacktrace:

#0 /usr/share/icinga-web/app/modules/AppKit/models/Auth/DispatchModel.class.php(363): AppKitExceptionHandler::exceptionOnError(8, 'Undefined prope...', '/usr/share/icin...', 363, Array)
#1 /usr/share/icinga-web/app/modules/AppKit/models/Auth/DispatchModel.class.php(157): AppKit_Auth_DispatchModel->importUser('robert')
#2 /usr/share/icinga-web/app/modules/AppKit/lib/auth/AppKitSecurityUser.class.php(127): AppKit_Auth_DispatchModel->doAuthenticate('robert', NULL)
#3 /usr/share/icinga-web/app/modules/AppKit/actions/Login/SilentAuthAction.class.php(63): AppKitSecurityUser->doLogin('robert', NULL, false)
#4 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(949): AppKit_Login_SilentAuthAction->execute(Object(AgaviWebRequestDataHolder))
#5 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1463): AgaviExecutionContainer->runAction()
#6 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1255): AgaviExecutionFilter->execute(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#7 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1700): AgaviFilter->executeOnce(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#8 /usr/share/icinga-web/lib/agavi/src/filter/AgaviSecurityFilter.class.php(61): AgaviFilterChain->execute(Object(AgaviExecutionContainer))
#9 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1702): AgaviSecurityFilter->execute(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#10 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(870): AgaviFilterChain->execute(Object(AgaviExecutionContainer))
#11 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(900): AgaviExecutionContainer->execute()
#12 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(872): AgaviExecutionContainer->proceed()
#13 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1266): AgaviExecutionContainer->execute()
#14 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1255): AgaviDispatchFilter->execute(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#15 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1700): AgaviFilter->executeOnce(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#16 /usr/share/icinga-web/lib/agavi/src/filter/AgaviFormPopulationFilter.class.php(78): AgaviFilterChain->execute(Object(AgaviExecutionContainer))
#17 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(1700): AgaviFormPopulationFilter->executeOnce(Object(AgaviFilterChain), Object(AgaviExecutionContainer))
#18 /var/cache/icinga-web/config/compile.xml_production__d41bc4e7416d79a2859fb497054ab4f5308e2df1.php(579): AgaviFilterChain->execute(Object(AgaviExecutionContainer))
#19 /usr/share/icinga-web/pub/index.php(49): AgaviController->dispatch()
#20 {main}

\[3\] https://wiki.icinga.org/display/howtos/Setting+up+Icinga+with+Kerberos+SSO

[icinga-migration]

Updated by mfriedrich on 2014-07-12 11:11:20 +00:00

• Subject changed from SSO seems to fail icinga-web/postgres to sso auth provider causing not null constraint violation w/ pgsql 'user_email' column
• Status changed from New to Assigned
• Assigned to set to mfrosch
• Priority changed from High to Normal
• Target Version set to 1.11.2

[icinga-migration]

Updated by mfriedrich on 2014-07-12 11:11:44 +00:00

• Description updated

[icinga-migration]

Updated by mfriedrich on 2014-08-13 08:33:24 +00:00

• Target Version changed from 1.11.2 to 1.11.3

[icinga-migration]

Updated by tgelf on 2014-09-02 16:41:22 +00:00

Please also fix the exception nonsense going on here. The exception tells you that Icinga-Web wasn't able to access an exception message. This happens because of line 363:

$this->log('Auth.Dispatch/import failed: Import failed: (provider=%s, msg=%s)',
    $provider->getProviderName(),$e->getMessage,AgaviLogger::ERROR);

This should read $e~~getMessage() and not $e~~>getMessage :p Then we would also get a more meaningful error message than "PHP Error Undefined property: Doctrine_Connection_Pgsql_Exception::$getMessage" ;-)

Cheers,
Thomas

[icinga-migration]

Updated by mfrosch on 2014-11-18 14:54:09 +00:00

• Status changed from Assigned to Feedback
• Assigned to deleted mfrosch
• Target Version changed from 1.11.3 to Backlog

This will also fail with MySQL... If someone want to do the required changes - including Frontend changes in User management, I'm open for patches.

There is even a warning in app/modules/AppKit/config/auth.xml

I usually set up environments like this with a combo of http and ldap auth:

...

false
false
...




...
true
true
...

I also noted this in the wiki page menitoned...

[icinga-migration]

Updated by mfriedrich on 2015-03-12 19:43:43 +00:00

• Status changed from Feedback to New

[icinga-migration]

Updated by mfriedrich on 2015-04-26 09:25:33 +00:00

tgelf wrote:

Please also fix the exception nonsense going on here. The exception tells you that Icinga-Web wasn't able to access an exception message. This happens because of line 363:

[...]

This should read $e~~getMessage() and not $e~~>getMessage :p Then we would also get a more meaningful error message than "PHP Error Undefined property: Doctrine_Connection_Pgsql_Exception::$getMessage" ;-)

Cheers,
Thomas

Eric fixed that in ce959b9 & #8301