Hi again,
I couldn't find time to find a fix, but i could isolate the behaviour
change...and also discovered other issues :-(
See below.
Le 09/05/2012 20:33, Cyril Bonté a écrit :
Hi Willy,
Just after your announce, I've upgraded from haproxy 1.4.20 to 1.5-dev9
on a test machine. Today, I suddenly realize that the stats web page
allows to disable/enable servers (and the result message is a bit weird,
as the action is applied but it gives an "Unexpected result" message).
I quickly tried is 1.5-dev8 and the issue is not there anymore.
I don't have time to make more tests now as I must leave but I prefer to
inform the mailing list immediatly.
I'll try to extract a minimal configuration later.
FYI, I'm using user lists :
userlist stats-auth
group admin users admin
group readonly users haproxy
user admin ..
user haproxy ...
Some ACLs :
acl AUTH http_auth(stats-auth)
acl AUTH_ADMIN http_auth_group(stats-auth) admin
http_auth_group is the culprit : with the new ACL management, haproxy
fully ignores the group(s) provided.
acl_fetch_http_auth() unconditionally calls check_user() with a
group_mask of 0, whereas this call should be applied to each patterns,
with the mask provided with the pattern.
and :
stats http-request auth unless AUTH
stats admin if AUTH_ADMIN
I'll post as soon as I can track the issue precisely.
Other issues I encountered :
- A compilation error when DEBUG_AUTH is enabled (can easily be fixed by
replacing "user->group_mask" with "user->u.group_mask").
- A segfault when an unknown user list is provided in the
"http_auth_group" acl.
Ex: acl AUTH_ADMIN http_auth_group(unknown) admin
I hope this gives you enough information to fix those issues, otherwise
I'll try to investigate more tomorrow evening.
--
Cyril Bonté
