Security

Describes how to identify and debug issues related to security.

Internal Network Connection Issue

SPIRE rotates the certificates that secure the mTLS traffic between internal components. An internal network connection issue can arise if SPIRE components go down.

To troubleshoot internal network connection issues, run the following commands to get the logs from the spire-controller-manager container in the SPIRE server pods:
kubectl -n spire logs spire-server-0 -c spire-controller-manager

kubectl -n spire logs spire-server-1 -c spire-controller-manager

Oauth2-Proxy Pod in CrashLoopBackOff Error State

The container in the oauth2-proxy pod starts, but crashes and is repeatedly restarted. To resolve this issue, update the DNS A record with the IP address of the node where the Istio Ingress gateway pod was deployed. You can get the node IPs on the Status page of the HPE Ezmeral Unified Analytics Software installer.

Authentication

If authentication is not working, check to see if pods are running and check pod logs. You may just need to kill a pod and restart it on a healthy node. For more complicated issues, you may need to collect some logs and talk to HPE support.

The following sections provide pod information and commands you may want to run if authentication is not working:

Component: Internal OpenLDAP server

The server runs in the ldap-0 pod in the hpe-ldap namespace. You can reach the ldap-0 pod through the following internal service DNS name:
ldap-svc.hpe-ldap.svc.cluster.local:389

If you need to bind to it to read some users, use the following DN and password:
cn=readonly,dc=example,dc=com
password: mapr

Search from the following base:
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -b ou=users,dc=example,dc=com

You can also exec into the ldap-0 pod and use the local ldap* utilities, such as ldapsearch, to investigate what the internal LDAP server looks like.

Component: Oauth2 Proxy

HPE Ezmeral Unified Analytics Software uses Oauth2 Proxy for authentication. Oauth2 Proxy runs in the oauth2-proxy namespace.

To get the pod logs, run the following command:
kubectl -n oauth2-proxy logs -l app=oauth2-proxy

Component: Keycloak

HPE Ezmeral Unified Analytics Software uses a local instance of Keycloak as its OIDC provider. Keycloak runs in the keycloak namespace in the keycloak-0 pod. There is also a PostgreSQL pod running in the namespace that stores the configuration and the currently known user information. Keycloak pod logs show login attempts and any AD/LDAP integration errors.

To view the Keycloak logs, run:
kubectl -n keycloak logs keycloak-0

Keycloak/LDAP User Authentication Test

Use a direct grant endpoint to see if a user can authenticate to Keycloak. Run this test on the command line to verify that the AD/LDAP integration is working for a particular user and that the password is correct. This test hits a client in Keycloak that allows the direct grant authentication flow. It does not perform a web-based redirect flow; it simply sends the user's credentials and receives a token in return.

Run this test on the command line and then decode the resulting token at https://jwt.io/:
USER=<username>
PASS=<password>
DOMAIN=<your-domain>.com
# Password grant against the ua-grant client in the UA realm.
# --data-urlencode keeps passwords containing characters such as & or = intact.
RESULT=$(curl -k --data-urlencode "username=$USER" --data-urlencode "password=$PASS" --data "grant_type=password&client_id=ua-grant" "https://keycloak.$DOMAIN/realms/UA/protocol/openid-connect/token")
# Pull the access_token value out of the JSON response.
ACCESS_TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"//' | sed 's/".*//')

You can also use the direct grant endpoint for REST API endpoints that must accept and validate username and password credentials. The direct grant endpoint can validate the incoming username and password and get an access token. The remainder of the flow inside HPE Ezmeral Unified Analytics Software is based on the access token.
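As an added example that is not part of the HPE documentation, the same direct grant test in Python: it decodes the returned token locally instead of pasting it into a third-party site and checks the claims that decide whether the user gets into the software. It assumes the UA realm, the ua-grant client and the ua-enabled role named on this page, and Keycloak's default realm_access.roles claim.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/realms/UA/protocol/openid-connect/token"  # realm and path from the page
REQUIRED_ROLE = "ua-enabled"                              # role name from the page


def request_token(keycloak_url, username, password, client_id="ua-grant"):
    """POST a direct grant (password grant) and return the JSON token response.
    Unlike the page's curl -k, TLS is verified here (urllib's default)."""
    body = urllib.parse.urlencode({"username": username, "password": password,
                                   "grant_type": "password", "client_id": client_id}).encode()
    req = urllib.request.Request(keycloak_url.rstrip("/") + TOKEN_PATH, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT without checking its signature.
    Fine for troubleshooting; never use it to make an authorization decision."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def check_token(payload, now=None):
    """Return the problems that would stop this user from getting into UA."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    # realm_access.roles is Keycloak's default realm-role claim (assumed not overridden)
    roles = payload.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(f"user lacks the {REQUIRED_ROLE} realm role")
    if payload.get("iss", "").rsplit("/realms/", 1)[-1] != "UA":
        problems.append("token was not issued by the UA realm")
    return problems


def build_test_token(payload):
    """Constructed, unsigned sample token so the checks above can run offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(payload) + ".dummy-signature"
```

For a live check, pass request_token(...)["access_token"] to decode_jwt_payload and then to check_token.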

Keycloak Admin Web Console

The Keycloak Admin Web Console is useful for finding and resolving issues. To access the Keycloak Admin Web Console, you will need the system master's kubectl privileges that you got when you first installed and created the HPE Ezmeral Unified Analytics Software cluster. This is required to get the password for the keycloak administrator.

To access the Keycloak Admin Web Console:

  1. Go to keycloak.<your-UA-domain>.
  2. Enter admin as the user.
  3. Enter the password. You can get the password with kubectl and kube.config:
     kubectl -n keycloak get secret admin-pass -o jsonpath="{.data.password}" | base64 -D
     NOTE
     For Linux, use base64 -d. For Mac, use base64 -D.
  4. In the left navigation bar of the Keycloak UI, switch over to the UA realm.

To find all users:

  1. In the left navigation bar, select Users.
  2. On the User list tab, enter * in the search field to see all known users.
To modify roles for a particular user:

NOTE
This process can be useful if someone deletes the HPE Ezmeral Unified Analytics Software admin users in the AD server. The user whose role you modify may need to sign out of HPE Ezmeral Unified Analytics Software and sign back in for the change to take effect.

  1. On the Users page, search for the user and click on the username.
  2. Select the username in the User list.
  3. On the user's page, select Role Mapping.
  4. Select the role that you want to assign to the user.

To change how users sign in (email vs username):

  1. In the left navigation bar, go to Realm Settings > Login tab.
  2. On the Login tab, select the Login with email switch.

    The Duplicate emails setting turns off automatically when you do this. This is safe to do for external AD/LDAP servers. For internal AD/LDAP servers, you can also turn this on, but there are no guard rails in the internal user management to prevent duplicate emails. If a duplicate occurs, one of the two users will not be able to log in.

To manually grant or remove the ua-enabled role:

NOTE
The ua-enabled role is the internal role that grants access to HPE Ezmeral Unified Analytics Software. If the user object does not have this role in Keycloak, the user cannot authenticate and get access to HPE Ezmeral Unified Analytics Software applications. However, this does not do all the user onboarding and offboarding that the user management operator does; it merely prevents access to HPE Ezmeral Unified Analytics Software. Setting this role in Keycloak should only be used in special or emergency circumstances.

  1. In the left navigation bar, select Users.
  2. Search for the user and select the user.
  3. On the user's page, select the Role Mapping tab.
  4. Select ua-enabled.

To see the LDAP settings that identify the source of the HPE Ezmeral Unified Analytics Software user directory:

  1. In the left navigation bar, select User federation.
  2. On the LDAP page, select the Settings tab.

You can change the following settings:

  • How Keycloak batches requests to the remote server.
  • How often Keycloak syncs users from the server; the default is hourly.
    NOTE
    You should not modify the settings you entered through the HPE Ezmeral Unified Analytics Software installer, such as the server address. Changing those settings here can have negative consequences because this is not the only place that those settings are stored. Keycloak uses the LDAP information, but so do some of the other HPE Ezmeral Unified Analytics Software applications. Currently, it is best not to change LDAP settings because it can break applications that depend on them.

Bad HTTP Request

When a custom framework expects HTTPS traffic, the following error displays when you try to access the service in the browser:
400 Bad Request - The plain HTTP request was sent to HTTPS port.
To resolve this issue, add a DestinationRule in addition to the VirtualService, as shown in the following examples. The DestinationRule (tls mode SIMPLE) makes the Istio sidecar originate TLS toward the service, so the service's HTTPS port no longer receives plain HTTP.
DestinationRule Example
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: {{ include "test-app.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "test-app.labels" . | nindent 4 }}
spec:
  # The host should point to the corresponding service.
  # Kubernetes provides an internal DNS mapping for services using the format <ServiceName>.<ServiceNamespace>.svc.cluster.local.
  host: {{ include "test-app.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
VirtualService Example
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ include "test-app.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "test-app.labels" . | nindent 4 }}
spec:
  gateways:
    - {{ .Values.ezua.VirtualService.istioGateway }}
  hosts:
    - {{ .Values.ezua.VirtualService.endpoint }}
  # The following VirtualService options are specific and depend on the application implementation.
  # This example is a simple application with a single service and simple match routes.
  # The route destination host should point to the corresponding service.
  # Kubernetes provides an internal DNS mapping for services using the format <ServiceName>.<ServiceNamespace>.svc.cluster.local.
  http:
    - match:
        - uri:
            prefix: /
      rewrite:
        uri: /
      route:
        - destination:
            host: {{ include "test-app.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
            port:
              number: {{ .Values.service.port }}