Satellite SAT-40002: Idle timeout setting acting strangely


    • Known Issue
      Some endpoints bypass user authentication and fail to terminate user sessions

      API endpoints that call the `add_smart_proxy_filters` function bypass user authentication.
      This is due to improper session termination logic introduced in Satellite 6.18.
      In addition, user sessions remain active beyond the period specified in the `idle_timeout` setting.
      This affects the API endpoints related to the following resources:

      * Organizations
      * Repositories
      * Config reports
      * Hosts

      As a consequence, requests from removed or nonexistent users fail because of missing permissions rather than because of failed authentication.
      In addition, user sessions are not terminated, so users can continue to access endpoints without re-authenticating.

      No known workaround exists.
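      As an added illustration (not Foreman or Satellite code; the user table, token format and the `view_organizations` permission name are constructed), the check below shows the ordering the Known Issue describes as broken: a request is first authenticated against an `idle_timeout`-bounded session and an existing user, returning 401 and dropping the session when either fails, and only then authorized, so a missing permission is the only path to 403.

```ruby
# Illustrative session store, not Satellite's implementation.
# Authentication (session present, not idle-expired, user still exists) is
# decided before authorization, so expired sessions and removed users get 401.
class SessionStore
  def initialize(users, idle_timeout_minutes: 1)
    @users = users          # login => [permissions]  (constructed sample data)
    @sessions = {}          # token => { login:, last_seen: }
    @idle = idle_timeout_minutes * 60
    @counter = 0
  end

  # Creates a session for a known user; returns the token or nil.
  def login(login, now)
    return nil unless @users.key?(login)
    @counter += 1
    token = "tok-#{@counter}"               # constructed token format
    @sessions[token] = { login: login, last_seen: now }
    token
  end

  def remove_user(login)
    @users.delete(login)
  end

  # Returns [status, reason]. 401 for a missing/expired session or a removed
  # user (session terminated, re-authentication required); 403 only when an
  # authenticated user lacks the permission.
  def request(token, permission, now)
    session = @sessions[token]
    return [401, 'no session'] if session.nil?
    if now - session[:last_seen] > @idle
      @sessions.delete(token)               # idle_timeout exceeded: terminate
      return [401, 'session expired']
    end
    perms = @users[session[:login]]
    if perms.nil?
      @sessions.delete(token)               # user removed since login
      return [401, 'user no longer exists']
    end
    session[:last_seen] = now               # activity resets the idle clock
    return [403, 'missing permission'] unless perms.include?(permission)
    [200, 'ok']
  end
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2025, 1, 1, 12, 0, 0)
  store = SessionStore.new({ 'alice' => ['view_organizations'] })
  tok = store.login('alice', t0)
  p store.request(tok, 'view_organizations', t0 + 30)   # within idle period
  p store.request(tok, 'view_organizations', t0 + 91)   # 61 s idle: expired
end
```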
    • Done
    • Automated
    • Yes

      Description of problem:

      The idle timeout setting does not terminate the CLI session within the specified time.

      How reproducible:

      Always

      Is this issue a regression from an earlier version:

      Yes

      Steps to Reproduce:

      Found by robottelo automation, using this test https://github.com/SatelliteQE/robottelo/blob/5bf229ccad326b9c83b9b37fb33d1bd763624818/tests/foreman/cli/test_auth.py#L90 (test_positive_create_session): after the idle period passes, the user can still list organizations without problem (I tried increasing the waiting time up to 5 times the idle period; the session was still not terminated).

      1. Set up a CLI session for a user.

      2. Set the idle timeout period to 1 minute.

      3. Wait some time, then try to list organizations.

      Actual behavior:
      The session is not terminated.

      Expected behavior:
      The user should need to re-authenticate after the idle period passes.

      Business Impact / Additional info:

      The 6.17 version of the test works as expected.

              rhn-engineering-jlenz Jeremy Lenz
              pondrejk@redhat.com Peter Ondrejka
              Jan Fiala Jan Fiala