Eucalyptus 4.4.4 Eucaconsole Immediate Logout of All Credentials


I have a new Eucalyptus installation and new Eucaconsole installation. I have created users with login profiles and passwords assigned and verified them as not expired and enabled.

No matter what account/user/pass I log into the console with (even invalid accounts) I am delivered to a password reset page. The password reset appears to work but when I then click on any other part of the console or the generate keys button I am logged out and the whole problem starts again. The freshly changed password is asked to be changed again. I'm seeing errors nowhere in my logs. I see this in the eucaconsole_nginx_access.log each time this occurs.

10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "POST /login?login_type=Eucalyptus HTTP/1.1" 302 256 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

10.0.0.7 - - [09/Nov/2018:13:14:58 -0500] "GET /managecredentials?came_from=&expired=true&account=console&username=admin HTTP/1.1" 200 4447 "https://cloud/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

10.0.0.7 - - [09/Nov/2018:13:14:59 -0500] "GET /static/4.4.4/html/help/console_manage_credentials.html HTTP/1.1" 304 0 "https://cloud/managecredentials?came_from=&expired=true&account=console&username=admin" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0"

Did I miss an important piece in my setup or is this some kind of bug? The fact that it happens even for invalid credentials and nonsense users that don't exist is an interesting detail but I haven't been able to make sense of it in a useful way.

FINAL: I abandoned this and rebuilt after the 4.4.5 release and all is working.


There are 2 best solutions below


For admin users in an account, setting a password (e.g. euare-usermodloginprofile or euare-useraddloginprofile) should be sufficient to allow console access.

When you add non-admin users to an account they will not have permission to perform any actions until you grant access via IAM policy. Using the console you can access the details for a user and use ADD ACCESS POLICY under GENERAL / PERMISSIONS. You can pick a predefined policy such as User access or Monitor access to get started.

http://docs.eucalyptus.cloud/eucalyptus/4.4.4/index.html#shared/console_user_detail_general.html


Piggybacking on Steve's response, this is what I do for the admin group of the account. Save the file as admin-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Then import the policy for the group. For example, my accounting group is isp-services and my admin group is isp-services-admins. Be sure your user is part of the group.

euare-groupuploadpolicy --as-account "isp-services" -g isp-services-admins -p AccountAdminAccessPolicy-isp-services-admins -f admin-policy.json
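
A pre-upload check for policy files such as admin-policy.json, added here as an example (it is not part of the answers above or of the Eucalyptus tooling): it lists the Allow statements that grant wildcard access, so a full-admin grant is attached only to a group that is meant to have it. The function names and the two comparison policies are constructed for illustration.

```python
import json

# Policy text from the answer above (admin-policy.json), embedded to run offline.
ADMIN_POLICY = '{"Version": "2012-10-17", "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}]}'

# Constructed comparison policies (not from the page).
SCOPED_POLICY = '{"Version": "2012-10-17", "Statement": {"Action": ["ec2:DescribeInstances"], "Resource": "*", "Effect": "Allow"}}'
SERVICE_POLICY = '{"Version": "2012-10-17", "Statement": [{"Action": "ec2:*", "Resource": "*", "Effect": "Allow"}, {"Action": "*", "Resource": "*", "Effect": "Deny"}]}'


def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def wildcard_findings(policy_text):
    """Return (statement index, label) for each Allow statement with a wildcard grant."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(stmt.get("Action"))
        any_resource = "*" in as_list(stmt.get("Resource"))
        if "*" in actions and any_resource:
            findings.append((index, "full-admin"))
        elif "*" in actions:
            findings.append((index, "all-actions"))
        elif any_resource and any(a.endswith(":*") for a in actions):
            findings.append((index, "service-wide"))
    return findings


if __name__ == "__main__":
    for name, text in [("admin-policy.json", ADMIN_POLICY),
                       ("scoped (constructed)", SCOPED_POLICY),
                       ("service-wide (constructed)", SERVICE_POLICY)]:
        print(name, wildcard_findings(text) or "no wildcard Allow statements")
```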