-
Type: Bug
-
Resolution: Fixed
-
Priority: Major
-
Affects Version/s: VOMS Admin server v. 3.5.1
-
Component/s: admin-server
-
Security Level: Public (Visbile by non-authn users.)
-
None
While trying to reproduce the strange behaviour in this ticket:
https://ggus.eu/index.php?mode=ticket_info&ticket_id=124163
I noticed that I could not reproduce it in any version starting from a clean installation.
By looking in the DB I noticed that the strange behaviour is caused by a row missing in the admins table, the:
/O=VOMS/O=System/CN=Unauthenticated Client
admin, that is used to refer to clients without a certificate.
When this row is missing in the admins table, the lookup of the admin in the db fails, and VOMS Admin falls back into thinking that the admin is "any authenticated user", i.e. someone with a certificate that is not registered in the VO or is not listed in the VO admins certificate table.
This is wrong. When the admin is not found, VOMS Admin should consider the client as an "Unauthenticated client".
The cause for this problem is likely the fact that the database upgrade procedure does not enforce the presence of the "Unauthenticated client" row in the admins table.
The fix for this should:
1. ensure the admins table always contains the "Unauthenticated client" row: a database integrity check task that is run at service startup and that fixes the problem should be provided;
2. ensure that when the admin lookup fails, the client is considered an "Unauthenticated client"
For this there's an easy workaround: just insert the "Unauthenticated client" row in the admins table. We should probably provide a simple script that automates the check and the fix.