User cannot use or log out of web UI after enabling pin_source_ip #41651

Open
webvictim opened this issue May 16, 2024 · 0 comments · May be fixed by #42470
Labels
bug ip-pinning rbac Issues related to Role Based Access Control ui ux

@webvictim
Contributor

Expected behavior

After enabling spec.options.pin_source_ip: true in a Teleport role, the user should be able to log out of the web UI and re-login to get a certificate with a pinned IP.

Current behavior

The web UI displays an error on refresh as soon as pin_source_ip is enabled, and the user is unable to even log out.

Screenshot 2024-05-16 at 13 09 38

The root cause seems to be a 500 response to the DELETE call when trying to log the user out:

Screenshot 2024-05-16 at 13 14 37

Additionally, as soon as a renewal of the bearer token is attempted, the renew operation fails and then plunges the browser into a redirect loop of doom:

Screenshot 2024-05-16 at 13 15 17

The auth server also repeatedly displays an error whenever an operation is denied. Auth server logs here:

May 16 16:14:58 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:14:58Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:14:59 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:14:59Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:01 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:01Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:03 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:03Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:04 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:04Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:05 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:05Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:07 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:07Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:08 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:08Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:10 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:10Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:11 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:11Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:13 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:13Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:14 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:14Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:15 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:15Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:16 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:16Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:17 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:17Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:19 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:19Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:20 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:20Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562

Workarounds

  • Clear cookies
  • Use a different browser or incognito window

Bug details

  • Teleport version: 15.3.4
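
A triage aid for the symptom reported above, added here as an example and not part of the original issue or the Teleport code base: it scans auth server log text for the `pinned IP is required` warning and reports bursts of closely spaced denials, the pattern the quoted log shows. The sample lines, the hostname `auth.example.internal`, and the 5-second / 5-line thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text as it appears in the auth server log quoted in the issue.
DENIAL = "pinned IP is required for the user, but is not present on identity"
TS = re.compile(r"\b(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\b")

# Constructed sample in the same line format as the issue's log (hostname is made up).
SAMPLE_LOG = """\
May 16 16:10:02 auth.example.internal teleport[1925]: 2024-05-16T16:10:02Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:14:58 auth.example.internal teleport[1925]: 2024-05-16T16:14:58Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:14:59 auth.example.internal teleport[1925]: 2024-05-16T16:14:59Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:01 auth.example.internal teleport[1925]: 2024-05-16T16:15:01Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:03 auth.example.internal teleport[1925]: 2024-05-16T16:15:03Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:04 auth.example.internal teleport[1925]: 2024-05-16T16:15:04Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:05 auth.example.internal teleport[1925]: 2024-05-16T16:15:05Z WARN [AUTH:1]    pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:06 auth.example.internal teleport[1925]: 2024-05-16T16:15:06Z INFO [AUTH:1]    constructed unrelated line pid:1925.1
"""

def denial_times(log_text):
    """Return the timestamp of every pinned-IP denial line, in file order."""
    times = []
    for line in log_text.splitlines():
        if DENIAL not in line:
            continue
        m = TS.search(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return times

def find_bursts(times, max_gap=timedelta(seconds=5), min_count=5):
    """Group denials separated by <= max_gap; keep groups of >= min_count lines."""
    bursts, run = [], []
    for t in sorted(times):
        if run and t - run[-1] > max_gap:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

if __name__ == "__main__":
    for start, end, n in find_bursts(denial_times(SAMPLE_LOG)):
        print(f"{n} pinned-IP denials between {start} and {end}: "
              "consistent with the retry loop described in this issue")
```

The log line carries no username, so a burst only tells you when to look; correlate the time window with web proxy access logs to find the affected session.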