On Thu, May 10, 2012 at 12:15:14AM +0200, Cyril Bonté wrote:
> Hi again,
>
> I couldn't find time to find a fix, but I could isolate the behaviour
> change...and also discovered other issues :-(
>
> See below.
>
> On 09/05/2012 20:33, Cyril Bonté wrote:
> >Hi Willy,
> >
> >Just after your announce, I've upgraded from haproxy 1.4.20 to 1.5-dev9
> >on a test machine. Today, I suddenly realize that the stats web page
> >allows to disable/enable servers (and the result message is a bit weird,
> >as the action is applied but it gives an "Unexpected result" message).
> >
> >I quickly tried in 1.5-dev8 and the issue is not there anymore.
> >
> >I don't have time to make more tests now as I must leave but I prefer to
> >inform the mailing list immediately.
> >
> >I'll try to extract a minimal configuration later.
> >FYI, I'm using user lists :
> >userlist stats-auth
> >group admin users admin
> >group readonly users haproxy
> >
> >user admin ..
> >user haproxy ...
> >
> >Some ACLs :
> >acl AUTH http_auth(stats-auth)
> >acl AUTH_ADMIN http_auth_group(stats-auth) admin
>
> http_auth_group is the culprit : with the new ACL management, haproxy
> fully ignores the group(s) provided.
>
> acl_fetch_http_auth() unconditionally calls check_user() with a
> group_mask of 0, whereas this call should be applied to each pattern,
> with the mask provided with the pattern.
>
> >and :
> >stats http-request auth unless AUTH
> >stats admin if AUTH_ADMIN
> >
> >I'll post as soon as I can track the issue precisely.
>
> Other issues I encountered :
> - A compilation error when DEBUG_AUTH is enabled (can easily be fixed by
> replacing "user->group_mask" with "user->u.group_mask").
>
> - A segfault when an unknown user list is provided in the
> "http_auth_group" acl.
> Ex: acl AUTH_ADMIN http_auth_group(unknown) admin
>
> I hope this gives you enough information to fix those issues, otherwise
> I'll try to investigate more tomorrow evening.

Yes, that's very kind you could identify this. I did very minor tests on http_auth after the conversion, basically I just checked that I could get a password popup when I entered a wrong user/pass and that I could get past when providing a user/pass that matched a group. I didn't try the corner cases above.

I'll look at this when I'm in the train.

Thanks for the useful feedback, as usual !

Willy
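
The group-mask behaviour reported in the quoted message, as a small C model added here for illustration (it is not part of the thread and not HAProxy source). The struct layout, the `acl_group_match_*` helpers, the body of `check_user` and the rule that a mask of 0 means "no group restriction" are assumptions; the users mirror the quoted userlist, with constructed passwords.

```c
/* Added illustration: a simplified model, all names and data are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct user { const char *name, *pass; unsigned int group_mask; };
struct userlist { const struct user *users; size_t n; };
#define GRP_ADMIN    0x1u
#define GRP_READONLY 0x2u

/* Constructed sample data mirroring "userlist stats-auth" from the thread. */
static const struct user stats_users[] = {
    { "admin",   "adminpw",   GRP_ADMIN },
    { "haproxy", "haproxypw", GRP_READONLY },
};
static const struct userlist stats_auth = { stats_users, 2 };

/* Assumed semantics: group_mask == 0 means "any group is acceptable". */
static int check_user(const struct userlist *ul, unsigned int group_mask, const char *name, const char *pass)
{
    if (!ul || !name || !pass)   /* unknown userlist: deny, never dereference */
        return 0;
    for (size_t i = 0; i < ul->n; i++) {
        const struct user *u = &ul->users[i];
        if (strcmp(u->name, name) != 0) continue;
        if (group_mask && !(u->group_mask & group_mask))
            return 0;            /* right user, wrong group */
        return strcmp(u->pass, pass) == 0; /* plaintext compare, model only */
    }
    return 0;
}

/* Reported behaviour: the pattern's mask is ignored and 0 is passed. */
static int acl_group_match_buggy(const struct userlist *ul, unsigned int pattern_mask, const char *name, const char *pass)
{
    (void)pattern_mask;
    return check_user(ul, 0, name, pass);
}

/* Intended behaviour: check against the mask carried by the pattern. */
static int acl_group_match_fixed(const struct userlist *ul, unsigned int pattern_mask, const char *name, const char *pass)
{
    if (!pattern_mask) return 0; /* a group ACL with no resolved group matches nobody */
    return check_user(ul, pattern_mask, name, pass);
}

int main(void)
{   /* Read-only user evaluated against the "admin" pattern. */
    int buggy = acl_group_match_buggy(&stats_auth, GRP_ADMIN, "haproxy", "haproxypw");
    int fixed = acl_group_match_fixed(&stats_auth, GRP_ADMIN, "haproxy", "haproxypw");
    printf("buggy=%d fixed=%d\n", buggy, fixed);
    return !(buggy == 1 && fixed == 0);
}
```

A regression test for this class of bug needs a valid user from the wrong group, since a test that only tries a wrong password and a correct in-group login passes in both variants.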

