Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

che-server returns 500 when OpenShift token expires in nativeUserMode #20304

Closed
Tracked by #20444
, #20553
...
sparkoo opened this issue Aug 17, 2021 · 0 comments
Closed
Tracked by #20444
, #20553
...

che-server returns 500 when OpenShift token expires in nativeUserMode #20304

sparkoo opened this issue Aug 17, 2021 · 0 comments
Assignees
@sparkoo
Labels
area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.

Comments

@sparkoo
Copy link
Member

sparkoo commented Aug 17, 2021

Describe the bug

In nativeUserMode, when OpenShift token expires, che-server returns 500 on all requests with expired token. Dashboard can't properly react to that. Che-server should return 401.

Issue in code is in OpenshiftTokenInitializationFilter at https://github.com/eclipse-che/che-server/blob/main/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/multiuser/oauth/OpenshiftTokenInitializationFilter.java#L87 where we throw RuntimeException, which is evaluated as code 500 in response. Few lines above we detect 401 response from Kubernetes API, but only to log.

Che version

7.34@latest

Steps to reproduce

  1. deploy with nativeUserMode enabled (default on current main on openshift with devworkspaces)
  2. set openshift token lifetime to some short time with oc edit oauth cluster and set
spec:
  tokenConfig:
    accessTokenMaxAgeSeconds: 120
  1. wait for few minutes until openshift reconciles new configuration
  2. login to Che
  3. wait until token expires
  4. open dashboard again, you'll see error as in screenshot
  5. Check browser network traffic, it gets 500 on all requests to che-server

Expected behavior

Che-server should return 401, same as kubernetes API.

Runtime

OpenShift

Screenshots

No response

Installation method

chectl/next

Environment

other (please specify in additional context)

Eclipse Che Logs

2021-08-09 11:29:53,121[nio-8080-exec-9]  [ERROR] [shiftTokenInitializationFilter 84]   - Unauthorized when getting current user. Invalid OpenShift token, probably expired. Re-login? Re-request the token?
2021-08-09 11:29:53,122[nio-8080-exec-9]  [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175]  - Servlet.service() for servlet [default] in context with path [/api] threw exception
java.lang.RuntimeException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:87)
	at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:117)
	at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1651)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:681)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:618)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:560)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:521)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:488)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:470)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:827)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:197)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:164)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:88)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.currentUser(DefaultOpenShiftClient.java:663)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getCurrentUser(OpenshiftTokenInitializationFilter.java:113)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:81)
	... 23 common frames omitted

Additional context

#20275
@sparkoo sparkoo added kind/bug Outline of a bug - must adhere to the bug report template. area/che-server labels Aug 17, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Aug 17, 2021
@sparkoo sparkoo mentioned this issue Aug 17, 2021
Closed
@skabashnyuk skabashnyuk added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Aug 17, 2021
@skabashnyuk skabashnyuk mentioned this issue Sep 8, 2021
Closed
14 tasks
@skabashnyuk skabashnyuk mentioned this issue Sep 19, 2021
Closed
@metlos metlos mentioned this issue Sep 23, 2021
Merged
9 tasks
@skabashnyuk skabashnyuk mentioned this issue Sep 29, 2021
Closed
15 tasks
@metlos metlos mentioned this issue Sep 30, 2021
Merged
11 tasks
@metlos metlos closed this as completed Oct 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sparkoo sparkoo

Labels
area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@metlos @sparkoo @skabashnyuk @che-bot