Bug 1429650

Summary: External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: UI - Service
Assignee: Allen W <awight>
Status: CLOSED NOTABUG
QA Contact: Matt Pusateri <mpusater>
Severity: high
Docs Contact:
Priority: high
Version: 5.7.0
CC: awight, ckacergu, cpelland, dclarizi, jhardy, mpusater, obarenbo
Target Milestone: GA
Keywords: ZStream
Target Release: 5.7.2
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth:ad:ssui
Fixed In Version: 5.7.2.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1422551
Environment:
Last Closed: 2017-03-30 20:39:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1422551
Bug Blocks:

Comment 1 Matt Pusateri 2017-03-29 15:31:05 UTC
Validated successfully on AD and OpenLDAP.

FreeIPA: I had some users that could log in, but I had a user (hutteggera) that couldn't.

[----] I, [2017-03-29T10:20:22.568835 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [hutteggera] - User hutteggera successfully validated by External httpd
[----] I, [2017-03-29T10:20:22.603384 #11931:80113c]  INFO -- : MIQ(MiqQueue.put) Message id: [876],  id: [], Zone: [default], Role: [smartstate], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [job_dispatcher], Command: [JobProxyDispatcher.dispatch], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: []
[----] I, [2017-03-29T10:20:22.623112 #12008:d19e08]  INFO -- : MIQ(MiqTask#update_status) Task: [14] [Active] [Ok] [Authorizing]
[----] I, [2017-03-29T10:20:22.774320 #12008:d19e08]  INFO -- : MIQ(Authenticator::Httpd#authorize) Authorized User: [hutteggera]
[----] I, [2017-03-29T10:20:22.774493 #12008:d19e08]  INFO -- : MIQ(MiqTask#update_status) Task: [14] [Finished] [Ok] [User authorized successfully]
[----] I, [2017-03-29T10:20:22.808828 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [hutteggera] - Authentication successful for user hutteggera
[----] E, [2017-03-29T10:20:22.892331 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) API Error
[----] E, [2017-03-29T10:20:22.893201 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) Api::ForbiddenError: Use of the read action is forbidden

Comment 3 Chris Kacerguis 2017-03-29 16:10:59 UTC
Matt, can you please validate that the hutteggera user has the correct permissions / roles?

Comment 13 Allen W 2017-03-30 16:46:46 UTC
This one is a doozy, almost a multi-bug BZ. The SUI bug: users, regardless of whether they are able to view or do anything, should be let into the SUI.

The non-SUI bug part is that it looks like when a user that belongs to multiple groups, each with multiple roles with varying product features, attempts to log in, it is not returning all the product features from all the roles of all the groups.

Gonna grab our API friend Tim to help with this one.

Comment 14 Allen W 2017-03-30 20:39:29 UTC
https://github.com/ManageIQ/manageiq-ui-service/pull/617

The above doesn't really do much for this BZ, as there wasn't much to do, but as a result of this BZ, verbiage was updated for clarity.

Ends up the whole only returning product features for a user's current group is by design; this can be closed! (right?)
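
Added example (not part of the bug report and not ManageIQ code): the excerpt in Comment 1 shows a login audited as successful and then an Api::ForbiddenError logged by the same worker (#pid:thread), which is the signature of an authorization denial rather than an external-authentication failure. This Ruby script flags that pattern in log lines of the same layout; the sample lines, the user names, the 5-second window and the same-worker correlation are assumptions made for the example.

```ruby
require 'time'

# Line layout taken from the excerpt in Comment 1:
# [----] I, [<timestamp> #<pid>:<thread>]  INFO -- : <message>
LINE_RE      = /\A\[----\] [A-Z], \[(?<ts>\S+) #(?<worker>\d+:\h+)\]\s+[A-Z]+ -- : (?<msg>.*)\z/
AUTH_OK_RE   = /<AuditSuccess> MIQ\(Authenticator\.authenticate\) userid: \[(?<user>[^\]]+)\] - Authentication successful/
FORBIDDEN_RE = /<API> MIQ\((?<ctrl>Api::\w+)\.api_error\) Api::ForbiddenError: (?<detail>.*)/

# Returns one finding per ForbiddenError logged by a worker within `window`
# seconds of that worker auditing a successful login.
# Assumption: the login and the first API call share a worker, as in the excerpt.
def denied_after_login(lines, window: 5.0)
  last_login = {} # worker => [userid, time of successful authentication]
  findings = []
  lines.each do |raw|
    next unless (m = LINE_RE.match(raw.chomp))
    at = Time.iso8601("#{m[:ts]}Z") # zone is not logged; only deltas are used
    if (a = AUTH_OK_RE.match(m[:msg]))
      last_login[m[:worker]] = [a[:user], at]
    elsif (f = FORBIDDEN_RE.match(m[:msg])) && last_login.key?(m[:worker])
      user, t0 = last_login[m[:worker]]
      next if at - t0 > window
      findings << { user: user, controller: f[:ctrl], detail: f[:detail],
                    seconds_after_login: (at - t0).round(3) }
    end
  end
  findings
end

# Constructed sample lines (user names "alice" and "bob" are made up).
SAMPLE = <<~LOG.lines
  [----] I, [2017-03-29T10:20:22.808828 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [alice] - Authentication successful for user alice
  [----] E, [2017-03-29T10:20:22.892331 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) API Error
  [----] E, [2017-03-29T10:20:22.893201 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) Api::ForbiddenError: Use of the read action is forbidden
  [----] I, [2017-03-29T10:21:05.100000 #12010:a1b2c3]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [bob] - Authentication successful for user bob
LOG

if __FILE__ == $PROGRAM_NAME
  denied_after_login(SAMPLE).each do |f|
    puts "#{f[:user]}: #{f[:controller]} denied #{f[:seconds_after_login]}s after login (#{f[:detail]})"
  end
end
```

A finding points the investigation at the roles and product features of the user's current group rather than at the external authentication setup.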