SSO authenticated users not shown as active #2620

Closed
hc4 opened this Issue Aug 5, 2016 · 10 comments

@hc4
Contributor

hc4 commented Aug 5, 2016

Expected Behavior

Should be the real remote IP of the client

Current Behavior

For me it shows 127.0.0.1

Context

Maybe the problem is caused by the proxy.
The client actually connects to the proxy, and the proxy to graylog.
Can graylog support the X-Forwarded-For header?

Your Environment

  • Graylog Version: 2.1.0-beta2
@kroepke

Member

kroepke commented Aug 5, 2016

Have you set the trusted_proxies option?

The default is not to trust any subnets when it comes to the X-Forwarded-For header, but you can add it in the config file, e.g. for localhost:
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128

@hc4

Contributor

hc4 commented Aug 5, 2016

Configured:
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 0.0.0.0/0

but still no joy.
When does this client address get refreshed?
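
An added illustration (not Graylog's code and not part of the thread) of how a trusted-proxy list typically gates the X-Forwarded-For header, run against the two trusted_proxies values quoted above. The function names, the right-to-left walk over the header and the sample addresses are assumptions constructed for this example.

```python
import ipaddress

# The two trusted_proxies values quoted in the thread above.
LOCALHOST_ONLY = "127.0.0.1/32, 0:0:0:0:0:0:0:1/128"
WITH_ANY_IPV4 = "127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 0.0.0.0/0"


def parse_trusted(value):
    """Parse a comma-separated CIDR list into network objects."""
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]


def is_trusted(addr, trusted):
    """True if addr lies inside a trusted network (ValueError if addr is malformed)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in trusted)


def client_address(peer, xff, trusted_value):
    """Pick the address to record for a request.

    peer: address of the TCP peer; xff: raw X-Forwarded-For value or None.
    """
    trusted = parse_trusted(trusted_value)
    if not xff or not is_trusted(peer, trusted):
        return peer  # header is only honoured when the peer is a trusted proxy
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        # Walk right to left: the first hop that is not a trusted proxy is the client.
        for hop in reversed(hops):
            if not is_trusted(hop, trusted):
                return hop
    except ValueError:
        return peer  # malformed entry: fall back to the peer address
    # Every hop was "trusted": only the leftmost, sender-supplied value remains.
    return hops[0] if hops else peer


if __name__ == "__main__":
    # Constructed requests (documentation address ranges), not taken from the thread.
    cases = [
        ("127.0.0.1", "203.0.113.7", ""),               # no trusted proxies: header ignored
        ("127.0.0.1", "203.0.113.7", LOCALHOST_ONLY),   # local proxy trusted
        ("198.51.100.23", "10.0.0.5", LOCALHOST_ONLY),  # direct peer: header ignored
        ("198.51.100.23", "10.0.0.5", WITH_ANY_IPV4),   # any IPv4 peer may set the address
    ]
    for peer, xff, trusted in cases:
        print(f"{peer:15} XFF={xff:12} -> {client_address(peer, xff, trusted)}")
```

With the list limited to the proxy's own address, the header counts only when the request arrives through that proxy; with 0.0.0.0/0 in the list, the recorded address is whatever the sender put in the header.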

@hc4 hc4 closed this Aug 5, 2016

@hc4 hc4 reopened this Aug 5, 2016

@garybot2 garybot2 closed this Aug 5, 2016

@garybot2 garybot2 reopened this Aug 5, 2016

@hc4

Contributor

hc4 commented Aug 5, 2016

It seems sessions are not refreshing at all.
Logged in as another user from another PC, and there is not even a green light.

@joschi

Contributor

joschi commented Aug 5, 2016

@hc4 Are you using a reverse proxy in front of Graylog?

@kroepke

Member

kroepke commented Aug 5, 2016

The session should be updated every time the user interacts with Graylog, I'll double check.

@hc4

Contributor

hc4 commented Aug 5, 2016

Yes, I'm using squid on the same server as graylog.
And graylog is hosted at 127.0.0.1

@hc4

Contributor

hc4 commented Aug 5, 2016

I think the problem is in SSO auth.
If I log in through the login screen, session info (including IP) updates correctly

@hc4

Contributor

hc4 commented Aug 5, 2016

My auth config:

{
    "realm_order": 
    [
      "mongodb-session", 
      "access-token", 
      "sso", 
      "legacy-ldap", 
      "mongodb-password", 
      "root-user"
    ],
    "disabled_realms": ["legacy-ldap"]
}
@kroepke

Member

kroepke commented Aug 5, 2016

I can confirm that, looks like somehow the session isn't created as it should.
Works via normal login, doesn't work via SSO-created session.

kroepke added a commit that referenced this issue Aug 5, 2016

use default session attribute for principal
the SessionResource set a custom session attribute to find the name of the user owning the session, but if the auth plugins forced a session creation, that wasn't set.
Instead of trying to fix the auth plugins, rely on a shiro framework attribute to get the principal

fixes #2620
@kroepke

Member

kroepke commented Aug 5, 2016

@hc4 Thanks for the report, the issue should be fixed in the next release!

@kroepke kroepke referenced this issue Aug 5, 2016

Merged

use default session attribute for principal #2621

4 of 9 tasks complete

@kroepke kroepke added bug S3 P2 labels Aug 5, 2016

@kroepke kroepke self-assigned this Aug 5, 2016

@kroepke kroepke added this to the 2.1.0 milestone Aug 5, 2016

@kroepke kroepke changed the title from Incorrect client address on Users page to SSO authenticated users not shown as active Aug 5, 2016

@bernd bernd closed this in #2621 Aug 8, 2016

bernd added a commit that referenced this issue Aug 8, 2016

Use default session attribute for principal (#2621)
The SessionResource set a custom session attribute to find the name of the user owning the session, but if the auth plugins forced a session creation, that wasn't set.
Instead of trying to fix the auth plugins, rely on a shiro framework attribute to get the principal

fixes #2620

@kroepke kroepke added triaged and removed triaged labels Sep 21, 2016
