Bug 1421878

Summary: API request is not returning expected result for LDAP user
Product: Red Hat CloudForms Management Engine
Reporter: myoder
Component: API
Assignee: Tim Wade <twade>
Status: CLOSED ERRATA
QA Contact: Martin Kourim <mkourim>
Severity: high
Priority: high
Version: 5.6.0
CC: jhardy, mkourim, mpusater, myoder, obarenbo, simaishi, twade
Target Milestone: GA
Target Release: 5.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:ad:api
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Last Closed: 2018-03-01 13:09:24 UTC
Type: Bug
Category: Bug
Cloudforms Team: CFME Core

Description myoder 2017-02-13 23:04:42 UTC
Description of problem:

When using the REST API as the local admin user I can use this URL to retrieve the request.
https://hostname/api/requests/11000000007200

When using the REST API as an Active Directory user using this URL I get a 404
https://hostname/api/requests/11000000007200
404 Not Found

However, as the same Active Directory user I can use this URL to get the same data returned
https://hostname/api/provision_requests/11000000007200

I would expect both api/provision_requests and api/requests to behave the same way.

How reproducible:
Always


Comment 3 Dave Johnson 2017-03-01 21:35:11 UTC
Matt, could you retest this please in 5.6.4?

Comment 6 Tim Wade 2017-05-18 17:39:35 UTC
Matt,

Were you able to retest as per https://bugzilla.redhat.com/show_bug.cgi?id=1421878#c3 ?

It looks like there are a couple of things going on here:

1. In the requests API, we limit GETs to either the requester if they are not admin. We don't do this for provision requests, hence the inconsistency in results. IMO we should fix this, but it's a separate issue - fixing it would only make the core issue here more apparent

2. In order to do (1), we ask the current user if they are admin. This must be returning true (as expected) if you are signing in locally, and returning false when using LDAP. If this is the case we need to address that, but it's not specifically an API issue.
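The two interacting behaviours described in comment 6, as an added Ruby illustration that is not ManageIQ's own code: the requests collection scopes GETs to the requester unless the caller is admin, so an admin check that only recognises locally authenticated accounts turns an LDAP admin's GET on /api/requests into a 404 while the unscoped provision_requests collection still returns the record. `Request`, `User`, the `:local`/`:ldap` auth_source values and the role-based check used as the fix are assumptions; the group name is the one from comment 10.

```ruby
# Added illustration of the authorization inconsistency from comment 6.
# Not ManageIQ code: Request, User and the auth_source values are constructed here.
Request = Struct.new(:id, :requester)
User    = Struct.new(:name, :auth_source, :groups)

SUPER_ADMIN_GROUP = "EvmGroup-super_administrator"

# Buggy check (assumed shape of the defect): only locally authenticated accounts
# count as admin, so an LDAP user in the super-administrator group is scoped
# like an ordinary requester.
def admin_by_auth_source?(user)
  user.auth_source == :local && user.groups.include?(SUPER_ADMIN_GROUP)
end

# Consistent check: admin status comes from group/role membership alone,
# independent of whether the account authenticated locally or through LDAP.
def admin_by_role?(user)
  user.groups.include?(SUPER_ADMIN_GROUP)
end

# /api/requests behaviour: non-admins only see requests they submitted.
def scoped_requests(user, requests, admin_check)
  admin_check.call(user) ? requests : requests.select { |r| r.requester == user.name }
end

# /api/provision_requests behaviour at the time of the report: no scoping.
def unscoped_requests(_user, requests)
  requests
end

# Simulates GET /api/<collection>/<id>; nil stands for the 404 in the report.
def fetch(user, requests, id, scope)
  scope.call(user, requests).find { |r| r.id == id }
end

# Constructed sample data: the request from the report was submitted by someone else.
REQUESTS    = [Request.new(11_000_000_007_200, "someone_else"), Request.new(11_000_000_007_201, "ldap_admin")]
LOCAL_ADMIN = User.new("admin", :local, [SUPER_ADMIN_GROUP])
LDAP_ADMIN  = User.new("ldap_admin", :ldap, [SUPER_ADMIN_GROUP])
LDAP_USER   = User.new("jdoe", :ldap, ["EvmGroup-user"])

def requests_api(user, admin_check)
  fetch(user, REQUESTS, 11_000_000_007_200, ->(u, rs) { scoped_requests(u, rs, admin_check) })
end

def provision_requests_api(user)
  fetch(user, REQUESTS, 11_000_000_007_200, method(:unscoped_requests))
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy /api/requests for LDAP admin: #{requests_api(LDAP_ADMIN, method(:admin_by_auth_source?)).inspect}"
  puts "fixed /api/requests for LDAP admin: #{requests_api(LDAP_ADMIN, method(:admin_by_role?)).inspect}"
end
```

Run as a script it prints `nil` for the buggy check and the request record for the role-based check, reproducing the 404-versus-200 split from the description.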

Comment 7 Tim Wade 2017-05-18 18:15:48 UTC
Fixed in https://github.com/ManageIQ/manageiq/pull/15151

Matt, I have addressed (2) above, so cancelling needinfo request

Comment 9 Tim Wade 2017-05-19 15:01:19 UTC
Note: This will also require https://github.com/ManageIQ/manageiq/pull/15163 to fix, I'll move this to POST when that gets merged.

Comment 10 Martin Kourim 2017-10-24 15:57:36 UTC
Verified that the LDAP admin user (with EvmGroup-super_administrator group) can access both /api/requests and /api/provision_requests.

Comment 14 errata-xmlrpc 2018-03-01 13:09:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380

Comment 15 Red Hat Bugzilla 2023-09-15 00:01:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days