Jitsi doesn't assign moderator role to any user when internal auth is enabled

[aine-etke]

Describe the bug
Once you enable jitsi internal auth, no one can get moderator permissions anymore

To Reproduce
My vars.yml file looks like this:

matrix_jitsi_enabled: yes
matrix_jitsi_enable_auth: yes
matrix_jitsi_enable_guests: yes
matrix_jitsi_jvb_auth_password: REDACTED
matrix_jitsi_jibri_xmpp_password: REDACTED
matrix_jitsi_jibri_recorder_password: REDACTED
matrix_jitsi_jicofo_auth_password: REDACTED
matrix_jitsi_prosody_auth_internal_accounts:
 - username: REDACTED
   password: REDACTED

1. Enable jitsi internal auth (the config above)
2. Start a meeting
3. Login with the credentals from matrix_jitsi_prosody_auth_internal_accounts
4. Notice you are not moderator and you can't set meeting password anymore

Expected behavior
Once you login with the credentials from matrix_jitsi_prosody_auth_internal_accounts, you should have full access to moderator tools, the same way as it was before enabling jitsi internal auth

Matrix Server: Unrelated

Ansible: Unrelated

Client: Unrelated

Additional context
Moderator role assignment works without internal auth

[patrickstump]

This is happening to me as well with LDAP authentication.

[patrickstump]

Looks like this may be an issue in jicofo
Here are the logs from that container after I authenticate and join the room as the first person.

Jicofo 2023-04-01 15:10:06.767 INFO: [43] ConferenceIqHandler.handleConferenceIq#75: Focus request for room: [email protected]
Jicofo 2023-04-01 15:10:06.769 INFO: [43] AbstractAuthAuthority.authenticateJidWithSession#431: Authenticated jid: [email protected]/L2dvZBbtWHhY with session: AuthSession[[email protected], [email protected]/L2dvZBbtWHhY, SID=8c7796b5-c2c7-42d5-b03f-285d529ea447, MUID=dbd9a74fa5ce6f266264fa38f4862666, LIFE_TM_SEC=1324, [email protected]]@973150139
Jicofo 2023-04-01 15:10:06.769 INFO: [43] AbstractAuthAuthority.notifyUserAuthenticated#339: Jid [email protected]/L2dvZBbtWHhY authenticated as: [email protected]
Jicofo 2023-04-01 15:10:06.770 SEVERE: [43] ConferenceIqHandler.handleConferenceIq#92: No XmppConnectionConfig for vnode=null
Jicofo 2023-04-01 15:10:06.772 INFO: [43] [[email protected]] JitsiMeetConferenceImpl.<init>#264: Created new conference.
Jicofo 2023-04-01 15:10:06.773 INFO: [43] [[email protected]] JitsiMeetConferenceImpl.joinTheRoom#446: Joining [email protected]
Jicofo 2023-04-01 15:10:06.821 INFO: [20] [[email protected] meeting_id=6a23b985-6e83-4b33-85ce-e4daa6a1485d] JitsiMeetConferenceImpl.onMemberJoined#632: Member joined:d04c9173 stats-id=Eino-4S2 region=null audioMuted=true videoMuted=true role=PARTICIPANT isJibri=false isJigasi=false
Jicofo 2023-04-01 15:10:06.824 SEVERE: [20] ChatRoomRoleManager.grantOwner#45: Failed to grant owner status to [email protected]/L2dvZBbtWHhY
java.lang.RuntimeException: Failed to grant owner: <iq xmlns='jabber:client' to='[email protected]/focus' from='[email protected]' id='C6WKW-306' type='error'><error type='modify'><not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>
	at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.grantOwnership(ChatRoomImpl.java:529)
	at org.jitsi.jicofo.xmpp.muc.ChatRoomRoleManager.grantOwner(ChatRoomRoleManager.kt:42)
	at org.jitsi.jicofo.xmpp.muc.AuthenticationRoleManager.memberJoined(ChatRoomRoleManager.kt:155)
	at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.lambda$processOtherPresence$12(ChatRoomImpl.java:856)
	at org.jitsi.utils.event.SyncEventEmitter$fireEvent$1$1.invoke(EventEmitter.kt:64)
	at org.jitsi.utils.event.SyncEventEmitter$fireEvent$1$1.invoke(EventEmitter.kt:64)
	at org.jitsi.utils.event.BaseEventEmitter.wrap(EventEmitter.kt:49)
	at org.jitsi.utils.event.SyncEventEmitter.fireEvent(EventEmitter.kt:64)
	at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.processOtherPresence(ChatRoomImpl.java:855)
	at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.processPresence(ChatRoomImpl.java:909)
	at org.jivesoftware.smackx.muc.MultiUserChat$3.processStanza(MultiUserChat.java:309)
	at org.jivesoftware.smack.AbstractXMPPConnection.lambda$invokeStanzaCollectorsAndNotifyRecvListeners$8(AbstractXMPPConnection.java:1619)
	at org.jivesoftware.smack.AsyncButOrdered$Handler.run(AsyncButOrdered.java:151)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)

I am thinking it has something to do with jicofo assigning me as into the guest domain.

AuthSession[[email protected], [email protected]/L2dvZBbtWHhY

[patrickstump]

This is happening even with auth turned off now.
Settings

matrix_jitsi_enabled: true
matrix_jitsi_enable_guests: true
matrix_jitsi_enable_lobby: false

Also no moderator for

matrix_jitsi_enabled: true
matrix_jitsi_enable_guests: false
matrix_jitsi_enable_lobby: false

[patrickstump]

I have turned off LDAP and set AUTH_TYPE back to the default of internal.
Same result.
I also setup the docker install of stock jitsi with the same docker container version and it works "as expected". Trying to narrow down settings until it figure out why this is happening.

Just to recap:

• LDAP auth working fine
• Guest join after LDAP user logs in (host) working fine
• Same issue of no one being moderator with error shown above regardless of if authentication is turned on or off.

[ragnarblackmane]

I have turned off LDAP and set AUTH_TYPE back to the default of internal. Same result. I also setup the docker install of stock jitsi with the same docker container version and it works "as expected". Trying to narrow down settings until it figure out why this is happening.

Just to recap:

• LDAP auth working fine
• Guest join after LDAP user logs in (host) working fine
• Same issue of no one being moderator with error shown above regardless of if authentication is turned on or off.

Did you ever find a solution to this?

I can't get a moderator with or without authentication (tried internal, no moderator, rolled back the server, tried matrix auth, no moderator, rolled back the server to no authentication, no moderator).

I can see this in the Prosody logs:
matrix-jitsi-prosody[101141]: 2023-08-30 07:50:09 muc.meet.jitsi:matrix_power_sync info Setting [email protected] as owner of room [email protected] based on Matrix power levels
and this in the Jicofo logs:
matrix-jitsi-jicofo[1868]: Jicofo 2023-08-29 19:34:31.336 WARNING: [50] [[email protected] meeting_id=71e62af0-cd8b-4711-aea2-ff8eb3885849] ChatRoomImpl.grantOwnership#313: Failed to grant ownership: <iq xmlns='jabber:client' to='[email protected]/focus' from='[email protected]' id='VRARD-1243' type='error'><error type='modify'><not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>
(ok, it's from 2 different tests, still, when I create and enter the conference I can see Prosody setting [email protected] as owner and Jicofo spits that warning "Failed to grant ownership...")

[ragnarblackmane]

To get the moderator assignment back (with no authentication) I had to edit /matrix/jitsi/prosody/config/conf.d/jitsi-meet.cfg.lua
and delete/comment "matrix_power_sync" module. (on restart that line is regenerated, now I'll check how to keep it disabled without making that file immutable)

[bacanol]

To get the moderator assignment back (with no authentication) I had to edit /matrix/jitsi/prosody/config/conf.d/jitsi-meet.cfg.lua
and delete/comment "matrix_power_sync" module. (on restart that line is regenerated, now I'll check how to keep it disabled without making that file immutable)

Works also for LDAP authentication, thank you! ;-)

[ragnarblackmane]

To get the moderator assignment back (with no authentication) I had to edit /matrix/jitsi/prosody/config/conf.d/jitsi-meet.cfg.lua
and delete/comment "matrix_power_sync" module. (on restart that line is regenerated, now I'll check how to keep it disabled without making that file immutable)

Works also for LDAP authentication, thank you! ;-)

You can add the following line to your vars.yml:
jitsi_prosody_auth_matrix_uvs_sync_power_levels: false

Then cleanup and reinstall the jitsi role to be sure:

To rebuild your Jitsi configuration:

• ask Ansible to stop all Jitsi services: just run-tags stop-group --extra-vars=group=jitsi
• SSH into the server and do this and remove all Jitsi configuration & data (rm -rf /matrix/jitsi)
• ask Ansible to set up Jitsi anew and restart services (just install-service jitsi)

That did the trick for me.

Also I've read that if you use Matrix authentication you can't login in Jitsi directly (by going to your custom jitsi domain), so for me it's either:
-no auth;
-internal auth (but it's bad for the user experience when launching jitsi through element since it's another credential and also there is no integrated way for the user to change that credential);
-LDAP (haven't tried yet, but I will).

[aine-etke]

@spantaleev for visibility