Bug 1133947

Summary: Unregistered LDAP user without role can login to CLI
Product: [JBoss] JBoss Operations Network Reporter: Sunil Kondkar <skondkar>
Component: CLIAssignee: Jirka Kremser <jkremser>
Status: CLOSED CURRENTRELEASE QA Contact: Sunil Kondkar <skondkar>
Severity: high Docs Contact:
Priority: unspecified    
Version: JON 3.3.0CC: lzoubek, myarboro
Target Milestone: ER04   
Target Release: JON 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-11 14:00:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1070277    

Description Sunil Kondkar 2014-08-26 13:58:19 UTC 
Description of problem:

If a LDAP user who is not a member of any LDAP group and is not registered to JBoss ON, trying to login with CLI is successful.

Note: If the same user is registered to JBoss ON, trying a CLI login gives correct results. ( A message: There are no preconfigured roles for user )

Version-Release number of selected component (if applicable):

Version : 3.3.0.ER01 Build Number : 23b3476:f3aa7e7
LDAP: Windows server 2008 Active Directory

How reproducible:

Always

Steps to Reproduce:

1. Create a LDAP user who is not member of any ldap group on Windows active directory  ( Ex: sachin )
2. Configure LDAP properties in JBoss ON Administration UI and save
3. Do not register the ldap user 'sachin' to JBoss ON.
4. Login with the ldap user 'sachin' to CLI.
5. Login is successful.

./rhq-cli.sh -u sachin -p <password> -s 10.65.201.174 -t 7080

[root@dhcp201-174 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.174 -t 7080
RHQ Enterprise Remote CLI 4.12.0.JON330ER01
Remote server version is: 3.3.0.ER01 (23b3476:f3aa7e7)
Login successful

6. Now login to JBOSS ON UI and register the ldap user 'sachin'.
7. After registering the ldap user, try to login to CLI

[root@dhcp201-174 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.174 -t 7080
RHQ Enterprise Remote CLI 4.12.0.JON330ER01
Login failed: There are no preconfigured roles for user [sachin]
Usage: login username password [host port [transport]]
unconnected$ 

8. Observe that after registering the ldap user, the cli won't allow user to login which is correct.


Actual results:

Unregistered LDAP user without role can login to CLI

Expected results:

Unregistered LDAP user without role should not be able to login to CLI.

Additional info:
Comment 2 Jirka Kremser 2014-09-26 13:12:47 UTC 
It now works also for CLI. If it is the very first login of LDAP user, in CLI and REST the message is shown that he/she should go through web UI first and register.

It is still possible to log in to the "/rest" endpoint event if the "Enable Login Without Roles" is set to "No" and LDAP user has no roles. However there is nothing he can do. It would be too much effort (with necessity to "uglify" the code) to make it working also for REST endpoint, so I've decided not to do that.

branch:  master
link:    https://github.com/rhq-project/rhq/commit/61bc3cebe
time:    2014-09-26 15:11:38 +0200
commit:  61bc3cebe032ac1bcdb8906d302d976d73ab3cdf
author:  Jirka Kremser - jkremser
message: [BZ 1133947] - Unregistered LDAP user without role can login to CLI -
         introducing loginLocal() method to be able to find out that
         user is comming from CLI (the case when
         SubjectManagerRemote.login() is called) and let him fail if it
         is LDAP user and is not registered in the system. This is now
         consistent with the REST endpoint, where we assume the
         registered LDAP user as well.
Comment 3 Libor Zoubek 2014-09-26 14:27:51 UTC 
branch:  release/jon3.3.x
link:    https://github.com/rhq-project/rhq/commit/b18999965
time:    2014-09-26 16:27:19 +0200
commit:  b1899996541837efbeeb1895d7e4d730cb9124fd
author:  Jirka Kremser - jkremser
message: [BZ 1133947] - Unregistered LDAP user without role can login to CLI -
         introducing loginLocal() method to be able to find out that
         user is comming from CLI (the case when
         SubjectManagerRemote.login() is called) and let him fail if it
         is LDAP user and is not registered in the system. This is now
         consistent with the REST endpoint, where we assume the
         registered LDAP user as well.
         (cherry picked from commit
         61bc3cebe032ac1bcdb8906d302d976d73ab3cdf) Signed-off-by: Libor
         Zoubek <lzoubek>
Comment 4 Simeon Pinder 2014-10-01 21:33:02 UTC 
Moving to ON_QA as available for test with build:
https://brewweb.devel.redhat.com/buildinfo?buildID=388959
Comment 5 Sunil Kondkar 2014-10-07 11:44:18 UTC 
Verified on JON 3.3 ER04

Trying to login with unregistered LDAP user without role to CLI fails and shows the message:

[root@dhcp201-204 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.204 -t 7080
RHQ Enterprise Remote CLI 4.12.0.JON330ER04
Login failed: java.lang.IllegalStateException: Use the web UI for the first log in and fill all the necessary information.
Usage: login username password [host port [transport]]

-----

Trying to login with unregistered LDAP user without role to rest shows the message:

Error
User was authorized, but has no rights for the operation. If this is an LDAP user, the user needs to log in to the UI and complete registration.