Bug 1400349

Summary: [RFE] Central Admin - create users in lower region when required - MIQ LDAP
Product: Red Hat CloudForms Management Engine
Reporter: bascar
Component: Appliance
Assignee: abellott
Status: CLOSED CURRENTRELEASE
QA Contact: Alex Newman <anewman>
Severity: high
Docs Contact:
Priority: high
Version: 5.7.0
CC: abellott, anewman, cpelland, jhardy, jvlcek, obarenbo
Target Milestone: GA
Keywords: FutureFeature, TestOnly
Target Release: 5.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1404256
Environment:
Last Closed: 2017-06-12 17:03:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1404256

Description bascar 2016-11-30 23:49:35 UTC
Description of problem: For Central Admin to work properly, the users logging into the global region also need to exist in the lower region if the user needs to order anything that requires ownership relationships. If the user doesn't exist, the newly ordered objects cannot be assigned to that user. As there are not any user syncing mechanisms or centralized identity in CF multi-region setups currently, this makes it burdensome to customers to require either:

A, all users must log into all down-level regions so the user records will exist

B, some sort of automated user creation and maintenance scripts or routines.

Version-Release number of selected component (if applicable): 5.7 GA

Expected results: When a user is logged into the global region and executes an action such as an ad-hoc provision or provisioning through the service catalog (or any other action that requires that the user account exists), the user is created in the lower region so that the newly provisioned items can have their ownership assigned to the owning user account.


Additional info: This is 1 of 2 requests for the functionality. Integration with MIQ LDAP is first priority.

Comment 3 CFME Bot 2016-12-12 22:01:25 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/3a3b835bc8efca391eea6c34960b743a62b0c2bb

commit 3a3b835bc8efca391eea6c34960b743a62b0c2bb
Author:     Alberto Bellotti <abellott>
AuthorDate: Wed Nov 30 18:36:14 2016 -0500
Commit:     Alberto Bellotti <abellott>
CommitDate: Thu Dec 8 14:38:10 2016 -0500

    Enhance API to authorize users with system token authenticated requests.
    
    This capability is needed for MiqLdap and External Authentication
    Authentication Modes so users are authorized and auto-created
    with system token authenticated requests.
    
    - Added a User.admin?(userid) method
    - Added a User.authorize_by_userid method
    - Add support for authorize_user_by_userid for ldap, ldaps
    - Add support for authorize_user_by_userid for httpd
    - Add support to fetch user attrs for httpd
    
    This solves the following BZ's:
    https://bugzilla.redhat.com/show_bug.cgi?id=1400349
    https://bugzilla.redhat.com/show_bug.cgi?id=1400350

 .../api/base_controller/authentication.rb          |  4 +-
 app/models/authenticator.rb                        | 20 +++++++--
 app/models/authenticator/amazon.rb                 |  2 +-
 app/models/authenticator/httpd.rb                  | 51 ++++++++++++++++++----
 app/models/authenticator/ldap.rb                   |  6 ++-
 app/models/user.rb                                 |  9 ++++
 6 files changed, 78 insertions(+), 14 deletions(-)

Comment 4 CFME Bot 2016-12-13 00:01:00 UTC
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/766e56776d716f151ee23ccec9c3c46d3cdc3c37

commit 766e56776d716f151ee23ccec9c3c46d3cdc3c37
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Mon Dec 12 16:58:10 2016 -0500
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Mon Dec 12 18:57:16 2016 -0500

    Merge pull request #13068 from abellotti/api_sys_auth_authorize_user
    
    Enhance API to authorize users with system token authenticated requests.
    (cherry picked from commit fadf640a190c8d6dc97a84e3143163a07e5ef2c6)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1400349
    https://bugzilla.redhat.com/show_bug.cgi?id=1400350

 .../api/base_controller/authentication.rb          |  4 +-
 app/models/authenticator.rb                        | 19 +++++--
 app/models/authenticator/amazon.rb                 |  2 +-
 app/models/authenticator/httpd.rb                  | 62 +++++++++++++++++++---
 app/models/authenticator/ldap.rb                   |  6 ++-
 app/models/user.rb                                 |  9 ++++
 spec/models/authenticator/httpd_spec.rb            | 44 +++++++++++++++
 spec/models/authenticator/ldap_spec.rb             |  6 +++
 spec/models/user_spec.rb                           | 20 +++++++
 9 files changed, 157 insertions(+), 15 deletions(-)
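
The commit message in Comment 3 describes authorizing and auto-creating users for system-token-authenticated requests. A minimal Ruby model of that flow, added here as an illustration and not ManageIQ's code: `LowerRegion`, `AuthorizationError`, the in-memory directory and the group names are all hypothetical, and only the method name `authorize_by_userid` comes from the commit message.

```ruby
# Added illustration; not ManageIQ code. All names below are hypothetical.
require "set"

class AuthorizationError < StandardError; end

# Constructed stand-in for the LDAP directory the lower region would query.
DIRECTORY = {
  "alice" => { name: "Alice Example", groups: ["cloud-users", "staff"] },
  "bob"   => { name: "Bob Example",   groups: ["staff"] }
}.freeze

# Groups that exist in the lower region (constructed).
LOCAL_GROUPS = Set["cloud-users", "cloud-admins"].freeze

class LowerRegion
  attr_reader :users

  def initialize(directory, local_groups)
    @directory = directory
    @local_groups = local_groups
    @users = {}
  end

  # Called only after the system token on the request has been validated.
  # The userid is asserted by the global region, so nothing else from the
  # request is trusted: identity and groups come from the directory.
  def authorize_by_userid(userid)
    key = userid.to_s.strip.downcase
    raise AuthorizationError, "empty userid" if key.empty?

    entry = @directory[key]
    raise AuthorizationError, "#{key} not found in directory" unless entry

    matched = entry[:groups].select { |g| @local_groups.include?(g) }
    raise AuthorizationError, "#{key} has no matching group" if matched.empty?

    # Create on first use, refresh group membership on later requests.
    user = (@users[key] ||= { userid: key, name: entry[:name] })
    user[:groups] = matched
    user
  end
end
```

A userid that is absent from the directory, or whose directory groups map to no local group, is rejected and no local record is created for it.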