Bug 1466514

Summary: Auth - MIQLDAP External Auth - SSUI web interface hangs when switching to group that doesn't have SSUI permissions
Product: Red Hat CloudForms Management Engine Reporter: Matt Pusateri <mpusater>
Component: UI - ServiceAssignee: Allen W <awight>
Status: CLOSED ERRATA QA Contact: Matt Pusateri <mpusater>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.8.0CC: awight, dclarizi, jhardy, mpusater, obarenbo, saali, simaishi
Target Milestone: GA   
Target Release: 5.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: auth:miqldap:externalauth
Fixed In Version: 5.9.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-01 13:14:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matt Pusateri 2017-06-29 21:08:49 UTC 
Description of problem:
Auth - MIQLDAP External Auth - SSUI web interface hangs when switching to group that doesn't have SSUI permissions

Version-Release number of selected component (if applicable):
5.8.1.0 

How reproducible:


Steps to Reproduce:
1. Configure either MIQLDAP or External Auth for any provider. I tested MIQLDAP(AD, FreeIPA, Openldap)
2. You need a user with 2 groups. One group with SSUI permissions set as your current group, Another group without SSUI permissions (evm-Operator as an example)
3.Log into the SSUI with the user who's current group has permissions
4. Try to switch to the other group that doesn't have permissions

Actual results:
Page reloads and a thin blue line loads across the top of the page and then the page hangs. 

Expected results:
User should get a better page telling them that the group doesn't have perms, or that group with invalid perms should be grayed out and the user prevented from trying to switch.  I'm not sure what workflow is better.

Additional info:

Found testing: https://bugzilla.redhat.com/show_bug.cgi?id=1459257
Comment 2 Chris Kacerguis 2017-06-29 21:15:57 UTC 
Can you please provide an appliance where we can see this behavior?
Comment 4 Allen W 2017-07-03 13:44:19 UTC 
Verified, thinking if a user doesn't have permissions we log them out throw the "you don't have permissions"  alert. This might be a UX question?
Comment 5 Allen W 2017-07-03 14:52:13 UTC 
Discussion here going down a little bit is indicating desired behavior be not showing groups who cannot use SUI, gonna be course of action for this bz: https://gitter.im/ManageIQ/manageiq-ui-service?at=595a4a7b329651f46e4ad9ec
Comment 6 Chris Kacerguis 2017-07-03 16:58:10 UTC 
A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/148246535
Comment 7 Allen W 2017-07-05 18:21:07 UTC 
OK SO update on this... I understand the original issue, we don't handle state changes that aren't the result of a 401 gracefully (this is a 403) BUT found a new issue, sui isn't actually changing the group, ya can click that button all ya want, but we're keeping the same user group, looks to be there is a client side header modification, but no actually api talkly talky happening... looking into how we can fix group switching in addition to handling the original bz
Comment 8 Matt Pusateri 2017-07-05 19:46:06 UTC 
While you're looking at group switching, I'll add that I've run across (but wanted to test more), that if a user has two different groups, but those groups map to the same role, they can't switch groups.  Probably related to what you've mentioned in Comment 7.
Comment 9 Allen W 2017-07-05 20:50:44 UTC 
This gets super tricky, users who have multiple groups but no edit user permission? SUPER tricky... not going to be the quick fix I had hoped for.
Comment 10 Allen W 2017-07-06 13:03:12 UTC 
Ok so after doing some intense watching... it appears that the group DOES in fact change, just not at the expected pace (on value select) so gonna refocus these efforts, take the easy way out and fix that poorly handled unsupported group transition
Comment 11 Allen W 2017-07-06 14:07:26 UTC 
https://github.com/ManageIQ/manageiq-ui-service/pull/833
Comment 12 Chris Kacerguis 2017-07-06 14:29:13 UTC 
Chris Kacerguis added a comment in Pivotal Tracker:   
   
Commit by Allen Wight
https://github.com/ManageIQ/manageiq-ui-service/commit/032881c15983d2440cde7bab91f14055a06fe968

On statechange 401 or 403 we now logout user [Fixes #148246535]
Comment 13 Chris Kacerguis 2017-08-03 19:43:09 UTC 
*** Bug 1478170 has been marked as a duplicate of this bug. ***
Comment 14 Matt Pusateri 2017-10-11 20:05:09 UTC 
I need a list of roles that have SSUI perms, initial testing fails and without a list of valid roles, I'm blocked.
Comment 15 Allen W 2017-11-13 17:50:53 UTC 
Work to make the roles that have sui access more explicit is here: https://github.com/ManageIQ/manageiq/pull/16329

current state, which is not accurate as the sui product features map to their own product feature subset is here: https://github.com/ManageIQ/manageiq/blob/master/db/fixtures/miq_user_roles.yml
Comment 16 Matt Pusateri 2017-12-06 20:34:53 UTC 
Verified on 5.9.0.11 Ext Auth FreeIPA/AD/OpenLDAP
Comment 19 errata-xmlrpc 2018-03-01 13:14:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380