Comments (6)
This is the test code I'm talking about: https://github.com/AdRoll/hologram/blob/master/server/usercache_test.go#L154-L178.
from hologram.
The intended behaviour of the server should be that when a signature comes in that cannot be verified with any of the keys that Hologram has in its cache, it will silently fail, re-load its cache from the backing store (in this case LDAP), and then try signature verification again.
If this pass fails, then it will emit a failure message back to the client.
For debugging purposes, I added signal support to Hologram before we released it: You can send SIGUSR1
to the server to make it emit debug logging, and SIGHUP
will force a re-load of the cache (which, when debug logging is on, will tell you exactly what keys it has loaded for which users). SIGUSR2
will make the server stop debug logging once you're done.
Including this information would help us figure out what's going on here. I know that the system works properly at AdRoll, at least insofar as I haven't heard about it not working. 😺
from hologram.
Interesting. This is what I found with debug logging and a failed auth:
May 17 23:54:59 ip-10-60-31-104.qafire.com hologram[16371]: (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/server/server.go:99) Handling an assumeRole request.
May 17 23:54:59 ip-10-60-31-104.qafire.com hologram-server[16371]: [DEBUG ] 2015-05-17T23:54:59Z (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/server/server.go:99) Handling an assumeRole request.
May 17 23:54:59 ip-10-60-31-104.qafire.com hologram[16371]: (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/server/usercache.go:178) Could not find derp in the LDAP cache; updating from the server.
May 17 23:54:59 ip-10-60-31-104.qafire.com hologram-server[16371]: [DEBUG ] 2015-05-17T23:54:59Z (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/server/usercache.go:178) Could not find derp in the LDAP cache; updating from the server.
Even more oddly, sending SIGHUP
to the running process emits:
May 17 23:58:46 ip-10-60-31-104.qafire.com hologram[16371]: (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/cmd/hologram-server/main.go:205) Force-reloading user cache.
May 17 23:58:46 ip-10-60-31-104.qafire.com hologram-server[16371]: [INFO ] 2015-05-17T23:58:46Z (/tmp/nix-build-go1.4-hologram-2bf08f0.drv-0/go/src/github.com/AdRoll/hologram/cmd/hologram-server/main.go:205) Force-reloading user cache.
But doesn't say anything else beyond that (no list of users that I normally see on startup) and still fails authenticating me. Of course, reloading the service fixes the problem.
The one odd thing about my setup is that I'm running my simple authorization code. I wonder if perhaps that's obstructing my usercache updates. Will check up and report back on anything I find!
from hologram.
Hmm, now that I look more carefully I think that this
if retUser == nil {
log.Debug("Could not find %s in the LDAP cache; updating from the server.", username)
luc.stats.Counter(1.0, "ldapCacheMiss", 1)
// We should update LDAP cache again to retry keys.
luc.Update()
return luc._verify(username, challenge, sshSig)
}
needs error handling on the luc.Update()
call. My hypothesis is that my LDAP server kills the connection (which Hologram only dials once at startup) after a while, and the LDAP calls die quickly returning an error, which then gets ignored above. I'm tempted to just have the user cache updater dial the connection on demand and then close it when it's done if that ends up being the case.
from hologram.
Yep, pretty sure the connection just drops after a while. I started a new server and sending it SIGHUP
worked for a bit. Then I left it overnight and SIGHUP
ped it again, and it worked as before. Does anyone see any issues with just dialing LDAP with every call to the usercache update? There doesn't seem to be much benefit to keeping a long-lived connection there.
I'm guessing the AdRoll LDAP server is friendlier to long-lived connections.
from hologram.
That's fine by me. Or keep a long-running connection going and if it died,
then
re-dial.
from hologram.
Related Issues (20)
- Support for WSL? HOT 1
- Consider ECS Task role support
- Install is broken HOT 1
- mTLS support would be nice
- M1 chip support
- Receiving panic when trying to run hologram-agent in a Kubernetes pod
- No ability to easily open AWS console using hologram credentials HOT 5
- Provide better error message when hologram-agent is not running HOT 1
- hologram-ping can not connect to hologram-server
- Insecure default connection to hologram server? HOT 3
- Occasional DNS lookup failures when calling hologram agent HOT 5
- Go 1.4 builds as specified in the Dockerfile fail on macOS Sierra HOT 3
- Sierra issues HOT 3
- The hologram roles feature doesn't work with AD servers HOT 1
- hologram-boot process uses 60%+ CPU on macOS Sierra HOT 6
- Error reading data from stream HOT 6
- Support for iam/info endpoint? HOT 1
- gpg-agent managed SSH_AUTH_SOCK encounters signing error HOT 1
- Metadata available on network HOT 6
- Not able to getHologram working because userPassword field does not exist in the LDAP user entry.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hologram.