Bug 1456873

Summary: Backend API doesn't authorize properly, SSUI works around it.
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED WONTFIX
QA Contact: Matt Pusateri <mpusater>
Severity: high
Docs Contact:
Priority: high
Version: 5.8.0
CC: abellott, awight, ckacergu, dajohnso, gtanzill, jhardy, jvlcek, mpusater, obarenbo
Target Milestone: GA
Keywords: Reopened
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-09 21:30:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Matt Pusateri 2017-05-30 15:09:46 UTC
Description of problem:
The backend API shows users as authenticated and authorized when they potentially shouldn't be, and the SSUI team works around it. See bug: https://bugzilla.redhat.com/show_bug.cgi?id=1443800#c5

Version-Release number of selected component (if applicable):
5.8.0

How reproducible:


Steps to Reproduce:
1. Configure External Auth
2. Try to log in to SSUI with a user with invalid perms.
3.

Actual results:
evm.log shows user as authorized

Expected results:
User shouldn't be authorized.

Additional info:
SSUI doesn't handle groups well which makes this problem hard to reproduce.
https://bugzilla.redhat.com/show_bug.cgi?id=1451891
https://bugzilla.redhat.com/show_bug.cgi?id=1452320
https://bugzilla.redhat.com/show_bug.cgi?id=1421878
https://bugzilla.redhat.com/show_bug.cgi?id=1437682

Comment 2 Gregg Tanzillo 2017-06-01 21:36:12 UTC

*** This bug has been marked as a duplicate of bug 1391690 ***

Comment 3 Matt Pusateri 2017-06-02 14:04:31 UTC
I'm not sure it's a duplicate, related but not necessarily a duplicate. BZ 1391690 says the logging is wrong. This bug is to address the fact that the API doesn't authorize correctly. Now maybe BZ1391690 needs more wording to reflect it's not an error in what we write to the logs.

Comment 4 Matt Pusateri 2017-06-02 14:13:11 UTC
Per discussion with gtanzillo, this bug is still valid. It's to fix the issue where the API doesn't authorize properly, whereas bug BZ1391690 is to fix incorrect logging.

Comment 5 Matt Pusateri 2017-06-02 14:28:57 UTC
Chris, can someone from SSUI add info about what they debugged with the API not working in bug https://bugzilla.redhat.com/show_bug.cgi?id=1443800? Alberto needs more info.

Comment 6 Chris Kacerguis 2017-06-02 14:43:30 UTC
Allen - looks like you did the original fix for this, could you please provide the info for Matt?

Comment 7 Allen W 2017-06-02 14:52:06 UTC
I wouldn't call it a fix... all I did was say that if the only product feature a user has is to see the SUI dashboard, they aren't logged in... even if the credentials are correct (as was requested by the powers that be): https://github.com/ManageIQ/manageiq-ui-self_service/commit/e93af55ec6b01e815dbd54d75c240754c83a0009
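
The rule described in comment 7, enforced in a server-side login decision instead of in the UI, as an added example that is not ManageIQ code and not part of the original thread. The feature identifiers, the `Decision` struct, `authorize_sui_login`, `audit_line` and the sample users are hypothetical names and constructed data chosen for illustration.

```ruby
require "set"

# Hypothetical product-feature identifier; the thread does not name the real one.
DASHBOARD_ONLY = Set["sui_dashboard_view"].freeze

Decision = Struct.new(:allowed, :status, :reason)

# Server-side login decision: valid credentials alone do not authorize a user.
# Returns a Decision that the API layer can turn into an HTTP status and a log line.
def authorize_sui_login(authenticated:, groups:, features:)
  return Decision.new(false, 401, "authentication failed") unless authenticated

  # Assumption for this example: a user who maps to no group has no permissions.
  return Decision.new(false, 403, "no matching group") if groups.nil? || groups.empty?

  granted = Set.new(features || [])
  return Decision.new(false, 403, "no product features") if granted.empty?

  # Rule from comment 7, applied by the backend so every client gets the same answer.
  if granted.subset?(DASHBOARD_ONLY)
    return Decision.new(false, 403, "dashboard is the only product feature")
  end

  Decision.new(true, 200, "authorized")
end

# Build the log line from the decision itself, so the log cannot report
# "authorized" for a login that was refused.
def audit_line(userid, decision)
  verdict = decision.allowed ? "authorized" : "denied"
  "userid=#{userid} login #{verdict} status=#{decision.status} reason=#{decision.reason.inspect}"
end

# Constructed sample users (not taken from the bug report).
SAMPLE_USERS = {
  "alice" => { authenticated: true,  groups: ["tenant_users"], features: %w[sui_dashboard_view sui_services_view] },
  "bob"   => { authenticated: true,  groups: ["limited"],      features: %w[sui_dashboard_view] },
  "carol" => { authenticated: true,  groups: [],               features: [] },
  "dave"  => { authenticated: false, groups: ["tenant_users"], features: %w[sui_services_view] },
}.freeze

def run_samples
  SAMPLE_USERS.map { |id, attrs| audit_line(id, authorize_sui_login(**attrs)) }
end

puts run_samples if __FILE__ == $PROGRAM_NAME
```
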

Comment 8 Joe Vlcek 2017-06-21 18:56:47 UTC
When you reproduce this, Matt, please provide the API log.

Comment 9 Joe Vlcek 2017-06-21 19:00:16 UTC
and a dump of the database

Comment 10 Joe Vlcek 2017-11-09 21:30:18 UTC
There has been no activity on the NEEDINFO request for this BZ for months.
Additionally the SUI has been updated with new product features that change
how it works.

I'm going to close this as WILLNOTFIX

If this issue or anything similar is still observed please open a new BZ.

Comment 11 Matt Pusateri 2018-01-10 20:58:42 UTC
clearing the needs info.