Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-64865

Add logging when auth config is automatically changed due to config/filesystem mismatch

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      1. As an admin, go to /admin/category.php?category=authsettings .
      2. Enable an extra authentication plugin (say) - "LDAP server".
      3. Review mdl_config auth record:

        SELECT * FROM mdl_config where name = 'auth'; 

        Notice that the record contains ldap, e.g. "email, ldap"

      1. Remove the `auth.php` file from the code directory auth/ldap.
      2. As a non logged user (e.g. use another browser) open the login page login/index.php
      3. Verify you see a debugging message on the page
      4. Log in as an admin
      5. Check report/configlog/index.php config logs page
      6. Verify the new entry in that table like:
        Date First name/Surname Plugin Setting New value Original value
        Monday, 23 November 2020, 2:28 AM CLI or install core auth email email,ldap

        Notice that "LDAP server" authentication was removed, on manage auths page admin/settings.php?section=manageauths and also mdl_config table, the "auth" row now just contains "email"

      Show
      As an admin, go to /admin/category.php?category=authsettings . Enable an extra authentication plugin (say) - "LDAP server". Review mdl_config auth record: SELECT * FROM mdl_config where name = 'auth' ; Notice that the record contains ldap, e.g. "email, ldap" Remove the `auth.php` file from the code directory auth/ldap. As a  non logged user  (e.g. use another browser) open the login page login/index.php Verify you see a debugging message on the page Log in as an admin Check report/configlog/index.php config logs page Verify the new entry in that table like: Date First name/Surname Plugin Setting New value Original value Monday, 23 November 2020, 2:28 AM CLI or install core auth email email,ldap Notice that "LDAP server" authentication was removed, on manage auths page admin/settings.php?section=manageauths and also mdl_config table, the "auth" row now just contains "email"
    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_311_STABLE
    • Pull Master Branch:
      master-MDL-64865

      Description

      Summary

      Authentication type is quietly disabled when it's code is not available on the server.

      To reproduce the issue:

      1. As an admin, go to /admin/category.php?category=authsettings .
      2. Enable an extra authentication plugin (say) - "LDAP server".
      3. Review mdl_config table, notice that row with name="auth" will contain the value "email,ldap".
      4. Remove from the code directory auth/ldap.
      5. As a non logged user (e.g. use another browser) open the login page login/index.php
      6. Notice that "LDAP server" authentication was quietly (no trace of disabling it anywhere) removed. To confirm, review mdl_config table, the "auth" row now just contains "email"

      You can bring the auth/ldap directory back now - but that will not re-enable LDAP authentication plugin.

      Story behind the issue

      The behavior above creates a condition race when some work is done on the backend server (Moodle code is updated,  moved, copied, etc). We have experienced that seemingly random disabling of the authentication plugins in our production systems. Each time there was no trace of why did this happen. And because it happened very rarely (we are talking about few times in the last 10 years) the issue was hard to pin-point. I suspect it was happening somewhere during our deployment process.

      What next?

      Some ideas:

      • Don't ever disable the plugin.
      • If we really should / need to disable it - then at least log it.

       

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              kristianr Kristian Ringer
              Reporter:
              tmuras Tomasz Muras
              Peer reviewer:
              Ferran Recio
              Integrator:
              Jake Dallimore
              Tester:
              Janelle Barcega
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              7 Vote for this issue
              Watchers:
              22 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                17/May/21

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour, 53 minutes
                  1h 53m