Bug 1475891

Summary: [Authentication] Rename Get Roles from Home Forest
Product: Red Hat CloudForms Management Engine
Reporter: Tsai Li Ming <ltsai>
Component: UI - OPS
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA
QA Contact: Mike Shriver <mshriver>
Severity: medium
Priority: medium
Version: 5.8.0
CC: abellott, hkataria, jhardy, jvlcek, lavenel, ltsai, mpovolny, mpusater, obarenbo, simaishi, smallamp
Target Milestone: GA
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:ad
Fixed In Version: 5.10.0.11
Last Closed: 2019-02-07 23:02:39 UTC
Type: Bug

Description Tsai Li Ming 2017-07-27 14:40:41 UTC
Description of problem:
It is confusing when there are 2 similar options:
Get User Groups from LDAP ==> LDAP
Get Roles from Home Forest ==> This only applies to AD

What happens if the user checks both? 

Is this really "Get Roles from Home Forest" or "Get User Groups from Home Forest"?

Are both check boxes mutually exclusive? Can we improve the UI? 

Documentation is confusing too:
1. Check Get User Groups from LDAP to retrieve the user’s group membership from LDAP. This is used for mapping a user’s authorization to a Red Hat CloudForms role. This requires group names on the LDAP server to match Red Hat CloudForms group names.

2. Check Get Roles from Home Forest to use the LDAP roles from the LDAP user’s home forest. This will allow you to discover groups on your LDAP server and create Red Hat CloudForms groups based on your LDAP server’s group names. Any user logging in will be assigned to that group. This option is only displayed when Get User Groups from LDAP is checked.

Version-Release number of selected component (if applicable):
CF 4.5

Comment 4 Matt Pusateri 2017-09-06 14:15:20 UTC
Actually, CFME uses the term "Forest" to mean another LDAP domain, regardless of LDAP provider, and it's not specific to AD. Or at least that is what Development has told me. I want to open a bug to reword the use of the term "Forest". Also, in 5.8.2.0 this check box seems to have disappeared, which I may be writing a bug on as soon as I debug it more.

Comment 5 Joe Vlcek 2017-11-15 15:05:18 UTC
The term "Forest", although a bit misleading to AD purists, was likely chosen initially due to the similarity to the functionality.

Because MiqLdap (mode: LDAPs) is being deprecated, the auth team does not see a lot of value in updating the long-standing wording used by the UI.

Comment 6 Dayle Parker 2018-08-04 13:00:57 UTC
Hi all,
I came across this bug while researching for a current blocker on the same topic - https://bugzilla.redhat.com/show_bug.cgi?id=1602845

I'm going to update the docs to explain what these checkboxes do, individually, and together in BZ1602845.

However, I was also going to suggest in that bug that we clarify the wording in the UI. I like where Loic's suggestions are going here, but am wondering:

@Li Ming, @Matt, @Joe - do you have any more ideas for a clearer name for these checkboxes, since this is still confusing to customers and support?

Comment 9 CFME Bot 2018-08-08 07:17:29 UTC
New commit detected on ManageIQ/manageiq-ui-classic/master:

https://github.com/ManageIQ/manageiq-ui-classic/commit/64d01df692037c4b3d7719d33f7f83404549bb1c
commit 64d01df692037c4b3d7719d33f7f83404549bb1c
Author:     Joe VLcek <jvlcek>
AuthorDate: Tue Aug  7 17:19:30 2018 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Tue Aug  7 17:19:30 2018 -0400

    Reword Get Roles to Get Groups from Home Forest.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1475891

 app/views/ops/_settings_authentication_tab.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 10 Mike Shriver 2019-01-09 17:59:49 UTC
Tested in CFME 5.10.0.30.20181218191323_900a416

The form field during MIQLDAP(S) setup uses the checkbox label "Get Groups from Home Forest". This matches the scope of the intended change discussed here, only modifying the use of Roles/Groups, but not the term 'Forest'.

Comment 11 errata-xmlrpc 2019-02-07 23:02:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212