Bug 1437682

Summary: [RFE] SSUI - External Auth - FreeIPA:AD:OpenLDAP Any valid group should be able to login in
Product: Red Hat CloudForms Management Engine Reporter: Matt Pusateri <mpusater>
Component: Appliance Assignee: John Hardy <jhardy>
Status: CLOSED WONTFIX QA Contact: Mike Shriver <mshriver>
Severity: high Docs Contact:
Priority: high    
Version: 5.6.0 CC: abellott, dajohnso, jhardy, ncatling, obarenbo, simaishi
Target Milestone: GA Keywords: FutureFeature
Target Release: cfme-future   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ssui:auth:externalauth:freeipa:ad:openldap
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-18 14:31:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matt Pusateri 2017-03-30 21:45:51 UTC
Description of problem:

Any valid group should be able to log in. Currently SSUI login fails to allow a user to log in if their primary group does not have a role that permits SSUI features. Even if the user has secondary groups that do have permissions, only the primary role is evaluated. See bug: https://bugzilla.redhat.com/show_bug.cgi?id=1429650

Version-Release number of selected component (if applicable):
5.6.2, 5.7.2.0, 5.8.0

How reproducible:


Steps to Reproduce:
1. Configure external auth
2. Set up a user that has 2 groups, evmgroup-operator and evmgroup-user
3. Log into classic UI to ensure primary group is set. This may not be necessary depending on how the API sets the primary group.
4. Log into SSUI and it fails.

Actual results:
User fails to log in, as evmgroup-operator gets assigned to be the primary group and has no SSUI feature permissions. evmgroup-user is not evaluated as a secondary group even though that user has permissions.

Expected results:
Any valid group that has SSUI feature permissions should be allowed to log in.

Additional info:

Comment 3 Matt Pusateri 2017-04-26 19:43:05 UTC
To complicate this even more, if a user is a member of multiple groups and logs into the classic UI, then when they log out, what their last current group is/was affects whether they can log into the SSUI. So they can get a successful login one time, only to be told they don't have enough permissions another time.
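
The group evaluation described in the report and in comment 3, modelled as an added Ruby example (not CloudForms/ManageIQ code and not part of the original report). The struct, method and feature names, the user name and the per-group permissions are assumptions constructed to mirror the reproduction steps.

```ruby
# Hypothetical model of the login check described in this bug; the struct,
# method and feature names are assumptions, not CloudForms/ManageIQ code.
require "set"

Group = Struct.new(:name, :features) do
  def allows?(feature)
    features.include?(feature)
  end
end

User = Struct.new(:name, :groups, :current_group)

SSUI_FEATURE = "ssui_login" # constructed feature identifier

# Reported behaviour: only the user's current (primary) group is consulted,
# so the outcome depends on whichever group was last selected.
def login_by_current_group?(user, feature = SSUI_FEATURE)
  !user.current_group.nil? && user.current_group.allows?(feature)
end

# Requested behaviour: any group the user belongs to may grant the feature.
# Returns the granting group so the session can be bound to that one group
# rather than to the union of every group's permissions; nil means deny.
def group_granting_login(user, feature = SSUI_FEATURE)
  return user.current_group if login_by_current_group?(user, feature)
  user.groups.find { |g| g.allows?(feature) }
end

# Constructed sample data mirroring the reproduction steps.
OPERATOR = Group.new("evmgroup-operator", Set["classic_ui"])
USER_GRP = Group.new("evmgroup-user", Set["classic_ui", SSUI_FEATURE])

def sample_user(current)
  User.new("jdoe", [OPERATOR, USER_GRP], current)
end

if __FILE__ == $PROGRAM_NAME
  [OPERATOR, USER_GRP].each do |current|
    u = sample_user(current)
    granted = group_granting_login(u)
    puts "current=#{current.name} current-only=#{login_by_current_group?(u)} " \
         "any-group=#{granted ? granted.name : 'denied'}"
  end
end
```

Binding the session to the single granting group keeps the check deterministic across logins without widening the user's effective permissions.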

Comment 4 Matt Pusateri 2017-04-26 20:51:16 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1445939 is a new related bug.

Comment 5 Chris Kacerguis 2017-09-22 13:15:14 UTC
*** Bug 1486234 has been marked as a duplicate of this bug. ***