应用管理页面点击仓库地址,跳转到gitlab提示422


#1
  • Choerodon平台版本:0.16.0

  • 运行环境:自主搭建

  • 问题描述:

    请尽量详细的描述您遇到的问题,以便我们能更快速的提供解决办法。

    如:在猪齿鱼上创建应用之后,点击应用里的仓库,提示如下

  • 执行的操作:
    如:点击应用后的仓库地址,跳转到gitlab时提示oauth2_generic auth failed。

org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:194) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:355) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:139) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:158) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:578) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1617) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at io.choerodon.oauth.infra.common.util.ChoerodonAuthenticationProvider.ldapAuthentication(ChoerodonAuthenticationProvider.java:232) [classes!/:0.9.0.RELEASE]
	at io.choerodon.oauth.infra.common.util.ChoerodonAuthenticationProvider.checkPassword(ChoerodonAuthenticationProvider.java:199) [classes!/:0.9.0.RELEASE]
	at io.choerodon.oauth.infra.common.util.ChoerodonAuthenticationProvider.additionalAuthenticationChecks(ChoerodonAuthenticationProvider.java:192) [classes!/:0.9.0.RELEASE]
	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:166) [spring-security-core-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) [spring-security-core-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) [spring-security-core-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.0.9.RELEASE.jar!/:5.0.9.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:147) [spring-session-core-2.0.7.RELEASE.jar!/:2.0.7.RELEASE]
	at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81) [spring-session-core-2.0.7.RELEASE.jar!/:2.0.7.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:120) [spring-boot-actuator-2.0.6.RELEASE.jar!/:2.0.6.RELEASE]
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108) [spring-boot-actuator-2.0.6.RELEASE.jar!/:2.0.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.10.RELEASE.jar!/:5.0.10.RELEASE]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:65) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) [undertow-servlet-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) [undertow-core-1.4.26.Final.jar!/:1.4.26.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]
	at java.lang.Thread.run(Thread.java:813) [na:1.8.0_202]
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3145) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[na:1.8.0_202]
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[na:1.8.0_202]
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[na:1.8.0_202]
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[na:1.8.0_202]
	at javax.naming.InitialContext.init(InitialContext.java:244) ~[na:1.8.0_202]
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) ~[na:1.8.0_202]
	at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:343) ~[spring-ldap-core-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]
	... 85 common frames omitted


  • 报错信息(请尽量使用代码块的形式展现):
  • 建议:

    提出您认为不合理的地方,帮助我们优化用户操作


#2

平台所有用户跳转过去都报这个错吗?


#3

猪齿鱼的admin账号不会报错,其他ldap同步过来的账号都会报错。


#4

我的操作步骤如下:
1、重新安装猪齿鱼0.16.0版本,从ldap同步账户到猪齿鱼。
2、给用户分配项目权限,然后新建应用。
3、再将gitlab的备份数据恢复到gitlab中。


#5

意思是ldap用户同步了2次?


#6

不是,gitlab的数据之前是猪齿鱼同步过去的,后来是从备份数据恢复出来的。这个问题会不会是gitlab的用户id等信息发生变化了导致oauth_client校验失败?


#7

这个问题能否解决?


#8

应该是的 gitlab的数据库里面有一个identitity表,用于存放choerodon平台用户和gitlab用户的对应授权关系的,可以检查下id是否对应。


#9
Server version: 5.7.23 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+---------------------+
| Database            |
+---------------------+
| information_schema  |
| gitlabhq_production |
| mysql               |
| performance_schema  |
| sys                 |
+---------------------+
5 rows in set (0.00 sec)

mysql> use gitlabhq_production;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed


mysql> select * from identities;
+----+------------+----------------+---------+---------------------+---------------------+
| id | extern_uid | provider       | user_id | created_at          | updated_at          |
+----+------------+----------------+---------+---------------------+---------------------+
| 36 | 1          | oauth2_generic |       1 | 2019-05-11 19:46:56 | 2019-05-11 19:46:56 |
+----+------------+----------------+---------+---------------------+---------------------+
1 row in set (0.00 sec)

其他用户的数据有办法重新生成一次到这个表里么?


#10

这个表里面是通过choerodon创建用户,或者ldap同步用户时,会同步在gitlab的 user表 和identity表里面新增数据, 那你gitlab用户表(user)里面有多少个user?


#11
mysql> select count(1) from users;
+----------+
| count(1) |
+----------+
|       23 |
+----------+
1 row in set (0.00 sec)

gitlab有23个用户


#12

如果重新删除gitlab的user,choerodon里的iam_service和devops里的iam_service里的用户数据,重新从ldap里同步数据,gitlab里的identities表里的数据也会重新生成么?


#13

会的,删除iam服务的user表(除了admin) 删除devops服务的devops-user(除了第一条),删除gitlab的user(除了admin) identity不动 然后在重新同步ldap


#14

好的,我找个时间试试,谢谢!


#15
mysql> delete from users where name like '%@fr-inc.cn';
ERROR 1451 (23000): Cannot delete or update a parent row: a foreign key constraint fails (`gitlabhq_production`.`personal_access_tokens`, CONSTRAINT `fk_rails_08903b8f38` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`))

这个personal_access_tokens的数据可以清理掉么?


#16

gitlab数据库中的identities表里的extern_uid ,对应的是哪个库里那张表的id?我手动插入数据看看。


#17

对应的是iam-user表里面的id


#18

这个我已经猜测出来了,手动做了gitlab-mysql中的 gitlabhq_production.identities和c7n-mysql中的iam_service.iam_user之间的关联,现在从应用管理中的仓库地址,点击可以正常跳转到gitlab里了,422的问题解决了。但是出现了一个新的问题如下:
创建应用的时候


提示
image

在猪齿鱼上,所有的账号同时是项目成员和项目所有者,


提示:此用户不是项目所有者,使用admin账号也有这个提示。

这种情况是什么关联信息丢失了?


#19

在devops-service的数据库中 有一个devops-user表,里面存的也是gitlab和iam 用户的关联。用来校验授权校验操作的


#20

好的,我去对比下关联关系。