reverseProxyAuth: If user has more groups than configured then login fails
I had this working well when my user was only a member of 2 groups and I configured the groups in initial-data.conf
```
{
  teams: [
    {
      subjectId: "Administrators",
      teamName: "Administrators",
      description: "Administrative access. Has all permissions.",
      permissions: [ "admin" ]
    },
    {
      subjectId: "Domain Users",
      teamName: "Domain Users",
      description: "All users, including anonymous.",
      permissions: [ ]
    }
  ]
}
```
When I added an additional group to the user in my upstream auth, causing the reverse proxy auth header to contain more groups, I was no longer able to log in and was presented with this in the logs:
```
17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
io.cloudbeaver.DBWebException: Error:
Error saving user teams in database
.....
Caused by: org.jkiss.dbeaver.model.exec.DBCException: Error saving user teams in database
	at io.cloudbeaver.service.security.CBEmbeddedSecurityController.setUserTeams(CBEmbeddedSecurityController.java:222)
	at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2454)
	at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2160)
	at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1565)
	at io.cloudbeaver.service.auth.RPSessionHandler.reverseProxyAuthentication(RPSessionHandler.java:130)
	... 61 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
  Detail: Key (team_id)=(Qsync) is not present in table "cb_team".
```
Here's my auth config as well:
```
authConfigurations: [
  {
    id: "reverseProxy",
    provider: "reverseProxy",
    displayName: "Reverse Proxy",
    disabled: false,
    iconURL: "",
    description: "Authelia Reverse Proxy with ingress-nginx",
    parameters: {
      full-name-header: "Remote-Name",
      user-header: "Remote-User",
      team-header: "Remote-Groups",
      team-delimiter: ",",
      logout-url: "https://auth.${SECRET_DOMAIN}/logout?rd\u003dhttps://cloudbeaver.${SECRET_DOMAIN}"
    }
  }
]
```
I can resolve the issue by adding the qsync group to my config but I don't believe I should need to do this because cloudbeaver should be able to deal with a user being a member of a group it doesn't know about.
Hi @brunnels We'll add the ability to create teams via proxy. Thank you for your request!
@EvgeniaBzzz I'm not sure I would want it to create the teams. I just want it to ignore any groups sent in the proxy header that don't exist in the cloudbeaver config.
Let me ask, what is the purpose of adding additional non-existent groups to the upstream auth?
@EvgeniaBzzz It's a standard thing. The upstream reverse proxy is backed by ldap. This would automatically send any groups the user is a member of in the Remote-Groups header. There's no way to filter or modify this. Cloudbeaver should only care about groups/teams it knows about so I think it's a bug for it to raise an exception in this case.
Ok, thanks for the clarification
Hey, I struggle with the same issue, but for me it would be nice to have the teams automatically created, as I already filter the forwarded groups in Keycloak. Maybe a configuration option like "createUnknownTeams" would be nice! :)
@elixxx thanks for your comment, we will try to come up with a solution that will suit everyone
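The following is an added illustration, not CloudBeaver code, of the three behaviours this thread compares when the `Remote-Groups` header names a group that is not in `cb_team`: the current behaviour (the insert fails on the `cb_user_team_team_id_fkey` constraint), the "ignore unknown groups" behaviour requested by the reporter, and the "createUnknownTeams" behaviour requested later in the thread. The `TeamStore` class, the `unknown_teams` mode names and the `reverse_proxy_login` function are assumptions made for the example; the team list and the header value are taken from the issue. Teams auto-created in `create` mode get an empty permission list, like `Domain Users` in the reporter's config, so that a group name arriving in a header never grants anything until an admin assigns permissions to it.

```python
"""Added example: mapping a reverse-proxy team header onto configured teams.
Not CloudBeaver code; the store and function names below are assumptions."""


class ForeignKeyError(Exception):
    """Stand-in for the PSQLException the issue shows (unknown team_id in cb_user_team)."""


class TeamStore:
    """Tiny in-memory stand-in for the cb_team and cb_user_team tables."""

    def __init__(self, teams):
        # cb_team: team id -> team record
        self.teams = {t["subjectId"]: dict(t) for t in teams}
        # cb_user_team: user id -> set of team ids
        self.user_teams = {}

    def create_team(self, team_id, permissions=()):
        """Create a team if it does not exist yet (no permissions by default)."""
        self.teams.setdefault(team_id, {
            "subjectId": team_id,
            "teamName": team_id,
            "description": "Auto-created from reverse proxy header",
            "permissions": list(permissions),
        })

    def set_user_teams(self, user_id, team_ids):
        """Mirror the foreign key constraint cb_user_team_team_id_fkey."""
        for team_id in team_ids:
            if team_id not in self.teams:
                raise ForeignKeyError(
                    f'Key (team_id)=({team_id}) is not present in table "cb_team".')
        self.user_teams[user_id] = set(team_ids)


def parse_team_header(value, delimiter=","):
    """Split the team header on the configured delimiter, trimming whitespace,
    dropping empty entries and duplicates while keeping the original order."""
    if not value:
        return []
    seen = []
    for raw in value.split(delimiter):
        name = raw.strip()
        if name and name not in seen:
            seen.append(name)
    return seen


def reverse_proxy_login(store, user_id, team_header, delimiter=",", unknown_teams="fail"):
    """Assign the user to the teams named in the header and return the sorted result.

    unknown_teams (assumed option name):
      "fail"   - current behaviour: the FK violation surfaces as a login error
      "ignore" - assign only teams CloudBeaver already knows about
      "create" - create missing teams with no permissions, then assign them
    """
    requested = parse_team_header(team_header, delimiter)
    unknown = [t for t in requested if t not in store.teams]

    if unknown_teams == "ignore":
        requested = [t for t in requested if t not in unknown]
    elif unknown_teams == "create":
        for team_id in unknown:
            store.create_team(team_id, permissions=())
    elif unknown_teams != "fail":
        raise ValueError(f"unsupported unknown_teams mode: {unknown_teams!r}")

    store.set_user_teams(user_id, requested)
    return sorted(store.user_teams[user_id])


# Teams from the reporter's initial-data.conf
INITIAL_TEAMS = [
    {"subjectId": "Administrators", "teamName": "Administrators",
     "description": "Administrative access. Has all permissions.", "permissions": ["admin"]},
    {"subjectId": "Domain Users", "teamName": "Domain Users",
     "description": "All users, including anonymous.", "permissions": []},
]

# Header value as it would arrive once the upstream adds the Qsync group (constructed)
HEADER = "Domain Users, Administrators, Qsync"


if __name__ == "__main__":
    for mode in ("fail", "ignore", "create"):
        store = TeamStore(INITIAL_TEAMS)
        try:
            print(mode, "->", reverse_proxy_login(store, "cbtestuser", HEADER, unknown_teams=mode))
        except ForeignKeyError as exc:
            print(mode, "-> login fails:", exc)
```

In `ignore` mode the user still lands in `Administrators` and `Domain Users`; in `create` mode `Qsync` appears in the team table with `permissions: []` and must be granted rights explicitly, which keeps the proxy header from becoming an authorization channel on its own.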