Bug 1335638

Summary: Groups resolution shouldn't be done on authn stage
Product: Red Hat Enterprise Virtualization Manager Reporter: Anitha Udgiri <audgiri>
Component: ovirt-engineAssignee: Martin Perina <mperina>
Status: CLOSED ERRATA QA Contact: Gonza <grafuls>
Severity: high Docs Contact:
Priority: high    
Version: 3.6.0CC: bugs, grafuls, gscott, jentrena, lsurette, mkalinin, mperina, omachace, pbrilla, pstehlik, rbalakri, Rhev-m-bugs, sherold, srevivo, ykaul, ylavi
Target Milestone: ovirt-3.6.7Keywords: Regression, ZStream
Target Release: 3.6.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1335488 Environment:
Last Closed: 2016-06-29 16:20:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1335488    
Bug Blocks:    
Attachments:
Description Flags
login log none

Description Anitha Udgiri 2016-05-12 18:03:51 UTC 
+++ This bug was initially created as a clone of Bug #1335488 +++

For kerbldap we are resolving groups also in authn stage, not only in authz stage.
This was caused in 3.5 when we moved to using extensions, as before authz + authn was done in one stage in 
LdapAuthenticateUserCommand.java and in 3.5 it was split into two stages, but code unfortunatelly preserved.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-05-12 06:14:31 EDT ---

This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

--- Additional comment from Ondra Machacek on 2016-05-12 06:15:56 EDT ---

The result is that login time is ~two times longer.
Comment 6 Martin Perina 2016-05-16 07:08:09 UTC 
Removing rhevm-4.0-ga as kerberos/ldap module (engine-manage-domains) has been removed in 4.0 completely and 3.6 is the last version which includes it.
Comment 8 Gonza 2016-06-09 08:18:10 UTC 
Created attachment 1166196 [details]
login log

Verified with:
rhevm-3.6.7.2-0.1.el6.noarch

Log attached.
Comment 10 errata-xmlrpc 2016-06-29 16:20:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1364