[Bug 1820279] Re: [FFe] [SRU] build mellon with --enable-diagnostics to ease up SSO debugging
Corey Bryant
corey.bryant at canonical.com
Fri Mar 29 17:50:02 UTC 2019
** Description changed:
+ FFE Section
+ -----------
[Rationale]
This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module:
https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753
It is available as of v0.14.0 (present in Cosmic):
git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753
v0.14.0
v0.14.1
This is generally useful for field engineering and operations teams and
other users as SAML exchanges are difficult to debug.
[Build Verification]
https://paste.ubuntu.com/p/2kt3BsxJKn/
[Installation]
https://paste.ubuntu.com/p/VcfcgyPHqH/
-
- "MellonDiagnosticsEnable Off" is the default setting and it results in am_diag_open_log returning 1 which does NOT result in an error returned from am_diag_log_init. Also installed a package and verified that setting this to off explicitly or implicitly (default) does not result in errors on startup or page access.
+ "MellonDiagnosticsEnable Off" is the default setting and it results in
+ am_diag_open_log returning 1 which does NOT result in an error returned
+ from am_diag_log_init. Also installed a package and verified that
+ setting this to off explicitly or implicitly (default) does not result
+ in errors on startup or page access.
https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-
mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311
int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s)
{
- for ( ; s ; s = s->next) {
- if (!am_diag_open_log(s, p)) {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- }
+ for ( ; s ; s = s->next) {
+ if (!am_diag_open_log(s, p)) {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ }
// ...
- static int am_diag_open_log(server_rec *s, apr_pool_t *p) {
+ static int am_diag_open_log(server_rec *s, apr_pool_t *p) {
// ...
- if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "mellon diagnostics disabled for %s", server_desc);
- return 1;
+ if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "mellon diagnostics disabled for %s", server_desc);
+ return 1;
// ...
[Upgrades]
No impact
+
+
+ SRU section
+ -----------
+ [Impact]
+ See FFE Rationale above.
+
+ [Test Case]
+
+ [Regression Potential]
+ As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this.
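Review bot: the added SRU section introduces a "[Test Case]" heading with nothing under it, so the description gives no steps for verifying the SRU. The check already described under [Installation] (install the package and confirm that "MellonDiagnosticsEnable Off", set explicitly or left at its default, causes no errors on startup or page access) could be written out there as the test case.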
** Description changed:
- FFE Section
- -----------
+ FFE Section for disco
+ ---------------------
[Rationale]
This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module:
https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753
It is available as of v0.14.0 (present in Cosmic):
git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753
v0.14.0
v0.14.1
This is generally useful for field engineering and operations teams and
other users as SAML exchanges are difficult to debug.
[Build Verification]
https://paste.ubuntu.com/p/2kt3BsxJKn/
[Installation]
https://paste.ubuntu.com/p/VcfcgyPHqH/
"MellonDiagnosticsEnable Off" is the default setting and it results in
am_diag_open_log returning 1 which does NOT result in an error returned
from am_diag_log_init. Also installed a package and verified that
setting this to off explicitly or implicitly (default) does not result
in errors on startup or page access.
https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-
mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311
int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s)
{
for ( ; s ; s = s->next) {
if (!am_diag_open_log(s, p)) {
return HTTP_INTERNAL_SERVER_ERROR;
}
}
// ...
static int am_diag_open_log(server_rec *s, apr_pool_t *p) {
// ...
if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"mellon diagnostics disabled for %s", server_desc);
return 1;
// ...
[Upgrades]
No impact
-
SRU section
-----------
[Impact]
See FFE Rationale above.
[Test Case]
[Regression Potential]
As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this.
** Also affects: libapache2-mod-auth-mellon (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: libapache2-mod-auth-mellon (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: libapache2-mod-auth-mellon (Ubuntu Cosmic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to libapache2-mod-auth-mellon in Ubuntu.
https://bugs.launchpad.net/bugs/1820279
Title:
[FFe] [SRU] build mellon with --enable-diagnostics to ease up SSO
debugging
Status in libapache2-mod-auth-mellon package in Ubuntu:
New
Status in libapache2-mod-auth-mellon source package in Bionic:
New
Status in libapache2-mod-auth-mellon source package in Cosmic:
New
Status in libapache2-mod-auth-mellon source package in Disco:
New
Bug description:
FFE Section for disco
---------------------
[Rationale]
This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module:
https://github.com/Uninett/mod_auth_mellon/commit/e8579f6387d9841ce619d836110050fb18117753
It is available as of v0.14.0 (present in Cosmic):
git --no-pager tag --contains=e8579f6387d9841ce619d836110050fb18117753
v0.14.0
v0.14.1
This is generally useful for field engineering and operations teams
and other users as SAML exchanges are difficult to debug.
[Build Verification]
https://paste.ubuntu.com/p/2kt3BsxJKn/
[Installation]
https://paste.ubuntu.com/p/VcfcgyPHqH/
"MellonDiagnosticsEnable Off" is the default setting and it results in
am_diag_open_log returning 1 which does NOT result in an error
returned from am_diag_log_init. Also installed a package and verified
that setting this to off explicitly or implicitly (default) does not
result in errors on startup or page access.
https://git.launchpad.net/ubuntu/+source/libapache2-mod-auth-mellon/tree/auth_mellon_diagnostics.c?h=ubuntu/disco&id=49c8ccfedca2db17d76348573e6daa862e104f6d#n311
  int am_diag_log_init(apr_pool_t *pc, apr_pool_t *p, apr_pool_t *pt, server_rec *s)
  {
      for ( ; s ; s = s->next) {
          if (!am_diag_open_log(s, p)) {
              return HTTP_INTERNAL_SERVER_ERROR;
          }
      }
      // ...
  static int am_diag_open_log(server_rec *s, apr_pool_t *p) {
      // ...
      if (!(diag_cfg->flags & AM_DIAG_FLAG_ENABLED)) {
          ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                       "mellon diagnostics disabled for %s", server_desc);
          return 1;
      // ...
[Upgrades]
No impact
SRU section for cosmic and bionic
---------------------------------
[Impact]
See FFE Rationale above.
[Test Case]
[Regression Potential]
As mentioned above in the FFE section, "MellonDiagnosticsEnable Off" can be set in the Apache configuration to disable diagnostics. This is also the default setting, so regression potential is certainly limited by this.
[Discussion]
For the cosmic SRU this will be a fairly straightforward and trivial update to the package to run configure with "--enable-diagnostics". Cosmic is already at version 0.14.0 which has the diagnostics support.
For the bionic SRU, things are more complicated as bionic is at
version 0.13.1 which does not include diagnostics support. I've
analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug
fixes and 2 new features (1 for diagnostics support, and 1 for
MellonSignatureMethod support). Here's the full commit summary between
0.13.1 and 0.14.0:
/tmp/mod_auth_mellon$ git remote -v
origin https://github.com/UNINETT/mod_auth_mellon (fetch)
origin https://github.com/UNINETT/mod_auth_mellon (push)
/tmp/mod_auth_mellon$ git log --no-merges --date-order --pretty=oneline --format=" - [%h] %s" v0.13.1..v0.14.0
- [29d2872] Bump version to 0.14.0.
- [21f78ab] Add release notes for version 0.14.0.
- [262768a] NEWS: Add consistent whitespace between releases.
- [7bb98cf] Fix config.h.in missing in .tar.gz.
- [aee068f] Fix typos in the user guide
- [8abbcf9] Update User Guide on error responses and ADFS issues
- [9b17e5c] Add MellonSignatureMethod to control signature algorithm
- [582f283] Log SAML status response information
- [524d558] convert README to README.md
- [0851045] Fix consistency, grammar, and usage in user guide
- [70e8abc] Give clear error if building with diagnostics support on old Apache
- [15fcbf7] Fix build error on Apache 2.2.
- [fe8b978] Add example for dual auth support.
- [f865919] Add clarification on using info vs auth
- [5927b5c] Fix Mellon user guide typos
- [86eb344] Fix conditional build of auth_mellon_diagnostics.c
- [89a3c81] Add NameID discussion to User Guide
- [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.
- [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS
- [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
- [e8579f6] Add diagnostic logging
- [6d2ee84] Track file information
- [ee97812] Add Mellon User Guide
- [daa5d1e] If no IdP's are defined explicitly log that fact
- [119cbdd] modify cache functions to take request_rec parameter instead of server_rec
- [c291232] Make MellonUser case-insensitive.
- [2c2e19d] Fix incorrect error check for many `lasso_*`-functions.
- [5c5ed1d] Fix segmentation fault with POST field without a value.
- [4c924d9] Fix some log message typos
Of the commits above, those required for diagnostics support include:
- [582f283] Log SAML status response information
- [70e8abc] Give clear error if building with diagnostics support on old Apache
- [86eb344] Fix conditional build of auth_mellon_diagnostics.c
- [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
- [e8579f6] Add diagnostic logging
- [6d2ee84] Track file information
And the MellonSignatureMethod support is provided in a single commit:
- [9b17e5c] Add MellonSignatureMethod to control signature algorithm
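Added example (not part of the bug report or of mod_auth_mellon): the regression argument above rests on "MellonDiagnosticsEnable Off" being the default, so on a host running a diagnostics-enabled build it is useful to confirm which Apache config files actually switch the directive on. The sketch below assumes "On" is the enabling value; the function names and the sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: list active MellonDiagnosticsEnable directives.
# The directive name comes from the bug description; everything else
# here (function names, sample config) is constructed for illustration.

# mellon_diag_state FILE...
# Prints "FILE:LINE: on|off" for each uncommented directive. The name
# and value are matched case-insensitively, as Apache does.
# Returns 0 if any file enables diagnostics, 1 otherwise.
mellon_diag_state() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }                      # skip comments
        tolower(line) ~ /^mellondiagnosticsenable[ \t]/ {
            split(line, f, /[ \t]+/)
            v = tolower(f[2]); gsub(/"/, "", v)   # strip optional quotes
            printf "%s:%d: %s\n", FILENAME, FNR, v
            if (v == "on") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# write_sample_conf PATH: constructed vhost used for the demo run.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName sso.example.test
    # MellonDiagnosticsEnable Off
    mellondiagnosticsenable On
    <Location /secure>
        AuthType Mellon
        MellonEnable auth
    </Location>
</VirtualHost>
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
if mellon_diag_state "$tmp"; then
    echo "diagnostics are enabled in the file(s) listed above"
else
    echo "no file enables diagnostics (default Off applies)"
fi
rm -f "$tmp"
```

On a real host, pass the site and module config files to mellon_diag_state instead of the sample.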