Hi Cyril,

On Thu, May 10, 2012 at 12:15:14AM +0200, Cyril Bonté wrote:
> >Some ACLs :
> >acl AUTH http_auth(stats-auth)
> >acl AUTH_ADMIN http_auth_group(stats-auth) admin
>
> http_auth_group is the culprit : with the new ACL management, haproxy
> fully ignores the group(s) provided.
>
> acl_fetch_http_auth() unconditionally calls check_user() with a
> group_mask of 0, whereas this call should be applied to each pattern,
> with the mask provided with the pattern.

Good catch, fixed. In fact, it's not even the group_mask which causes the
issue, but the fact that I made the function return a boolean while the
group fetch must not return this. I'm wondering whether we should totally
get rid of the check_user() in the fetch function, or split the check_user()
in two and only recheck group ownership when iterating on the patterns.
Anyway right now it's safe even though probably a bit overkill.

> Other issues I encountered :
> - A compilation error when DEBUG_AUTH is enabled (can easily be fixed by
> replacing "user->group_mask" with "user->u.group_mask").

Fixed.

> - A segfault when an unknown user list is provided in the
> "http_auth_group" acl.
> Ex: acl AUTH_ADMIN http_auth_group(unknown) admin

Fixed.

> I hope this gives you enough information to fix those issues, otherwise
> I'll try to investigate more tomorrow evening.

Yes this was really helpful, especially since I'm not used to userlists,
I'm just a novice user in this area.

I've pushed the fixes and will probably issue -dev10 this week-end if
nothing else needs to delay it.

Thanks,
Willy

