Bug 1531658
| Field | Value |
|---|---|
| Summary | Auth MIQLDAP AD - SSUI - When switching groups in SSUI to a user with group/role EvmGroup-desktop, user is logged out. |
| Product | Red Hat CloudForms Management Engine |
| Reporter | Matt Pusateri <mpusater> |
| Component | UI - Service |
| Assignee | Allen W <awight> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Landon LaSmith <llasmith> |
| Severity | medium |
| Docs Contact | |
| Priority | high |
| Version | 5.9.0 |
| CC | awight, cpelland, lavenel, mpusater, obarenbo, sdoyle |
| Target Milestone | GA |
| Keywords | Regression, TestOnly |
| Target Release | 5.10.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | auth:miqldap:ad:rbac |
| Fixed In Version | 5.10.0.0 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1533222 (view as bug list) |
| Environment | |
| Last Closed | 2019-02-11 14:01:24 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | CFME Core |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1533222 |
| Attachments | |
Description
Matt Pusateri
2018-01-05 17:08:17 UTC
Can you retest it without using MiqLDAP?

In CF 4.6, you can add multiple Groups to one user.

Ok I totally understand what's going on here. The product features that role has assigned to it (as they pertain to the SUI) include:

- sui_vm_details_view
- sui_vm_console
- sui_vm_web_console
- sui_vm_start
- sui_vm_stop
- sui_vm_suspend
- sui_orders_show
- sui_orders_operations

Last release we decided that if a user couldn't view anything (either services, service catalogs, or orders) that they shouldn't be able to log in, because they couldn't view anything. Seeing as this particular role is using the leaves of both the Services and Orders tab, I propose we add the following to the role:

- sui_services_view
- sui_orders_show

Loic, as this modifies a role, need your ok to move forward with this plaaaaaaaan.

https://github.com/ManageIQ/manageiq/pull/16788

Well here's a PR to fix it.

(In reply to Allen W from comment #4)
> Ok I totally understand what's going on here. The product features that role has assigned to it (as they pertain to the SUI) include:
>
> - sui_vm_details_view
> - sui_vm_console
> - sui_vm_web_console
> - sui_vm_start
> - sui_vm_stop
> - sui_vm_suspend
> - sui_orders_show
> - sui_orders_operations
>
> Last release we decided that if a user couldn't view anything (either services, service catalogs, or orders) that they shouldn't be able to log in, because they couldn't view anything. Seeing as this particular role is using the leaves of both the Services and Orders tab, I propose we add the following to the role:
>
> - sui_services_view
> - sui_orders_show
>
> Loic, as this modifies a role, need your ok to move forward with this plaaaaaaaan.

I am good with the change here... BUT I think also we have to rework with UX about what is happening when a user changes to a Role without SUI privileges. I think it will be much better to show a "Warning" screen with a message, you have no privileges, and offering the option to select another group...

Also, we may simply grey out groups who have no privileges. @Serena, help?

I think one of the other issues is that when you switch to a user with no perms, there's no notification to the user either. A better user experience would be to give a flash message that the group has no permissions, and then maybe log you out?

PR has been merged!

Created attachment 1379623 [details]
Proposal

I've attached a proposal ... essentially if a group does not have SUI access:

- menu option is disabled
- warning icon is placed to the right of the group
- change the tooltip

Love it! The tricky part is going to be knowing the product features of those other roles 🤔

So we have a call in place that would yield this information (for posterity): `GET /api/roles?attributes=miq_product_features&expand=resources`

BUT there is an issue. I am a user whose current group has lesser permissions, I see this error:

`{ "error": { "kind": "forbidden", "message": "Use of the read action is forbidden", "klass": "Api::ForbiddenError" } }`

So I am unable to see the product features of other groups/roles. SUI would need help with this issue, or maybe there is another avenue through which this information can be communicated? (I know on auth we get the list of all a user's groups; maybe product features of those groups could be included.) Also, are we disabling the button entirely? As in, even if a user wants to switch to that group they are unable to?

VERIFIED in 5.10.0.2. I was able to enable LDAP authentication and log in to the SSUI with a user that is a member of multiple groups (including evmgroup-desktop). Changing the active group to/from evmgroup-desktop did not cause a logout and the nav menu was updated accordingly.
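The thread above boils down to one access rule (a group can use the Self Service UI only if its role can view services or orders) and one UX proposal (groups without that access stay in the switcher but are disabled with a warning and a tooltip), plus the caveat that a lesser-privileged user may get a 403 from `/api/roles` and therefore cannot see other roles' features at all. The following is an added example written for this page, not ManageIQ or SSUI code. The feature identifiers `sui_services_view` and `sui_orders_show` are the ones named in the bug; the `resources` / `miq_product_features[].identifier` response shape, the role and group names, and the `groupSwitcherEntries` helper are assumptions constructed for the example.

```javascript
// Added example (not ManageIQ/SSUI code). Models the SUI access rule and the
// group-switcher proposal from bug 1531658 on constructed data.

// Feature identifiers named in the bug: a role with either one can view
// something in the SUI. The identifier for "service catalogs" is not given in
// the bug, so it is deliberately left out here rather than guessed.
const SUI_ENTRY_FEATURES = ["sui_services_view", "sui_orders_show"];

// Constructed stand-in for GET /api/roles?attributes=miq_product_features&expand=resources
// (response shape is an assumption). Only two roles are present; a third
// role referenced below is intentionally absent to model the 403 case.
const SAMPLE_ROLES = {
  resources: [
    {
      name: "role-vm-only",
      miq_product_features: [
        { identifier: "sui_vm_details_view" },
        { identifier: "sui_vm_start" },
        { identifier: "sui_vm_stop" },
      ],
    },
    {
      name: "role-services",
      miq_product_features: [
        { identifier: "sui_services_view" },
        { identifier: "sui_vm_details_view" },
      ],
    },
  ],
};

// Constructed list of a user's groups, as the auth response might carry them.
const SAMPLE_GROUPS = [
  { name: "group-vm-only", role: "role-vm-only" },
  { name: "group-services", role: "role-services" },
  { name: "group-unreadable", role: "role-unreadable" }, // not in SAMPLE_ROLES
];

// The login rule from the thread: at least one SUI "view" feature is required.
function hasSuiAccess(featureIdentifiers) {
  return SUI_ENTRY_FEATURES.some((f) => featureIdentifiers.includes(f));
}

// Index role name -> Set of feature identifiers from a roles payload.
function featuresByRole(rolesPayload) {
  const byRole = new Map();
  for (const role of rolesPayload.resources || []) {
    const ids = (role.miq_product_features || []).map((f) => f.identifier);
    byRole.set(role.name, new Set(ids));
  }
  return byRole;
}

// Decide how each group is rendered in the switcher. Groups without SUI access
// are disabled with a warning tooltip (the attached proposal). Groups whose
// role features could not be read (the forbidden case) are marked "unknown"
// and left selectable, so a missing read permission never silently locks a
// user out of a group they are entitled to.
function groupSwitcherEntries(groups, roleFeatures) {
  return groups.map((g) => {
    const features = roleFeatures.get(g.role);
    if (!features) {
      return {
        group: g.name,
        state: "unknown",
        disabled: false,
        tooltip: "Permissions for this group could not be determined",
      };
    }
    const ok = hasSuiAccess([...features]);
    return {
      group: g.name,
      state: ok ? "ok" : "no-sui-access",
      disabled: !ok,
      tooltip: ok ? `Switch to ${g.name}` : `${g.name} has no Self Service UI access`,
    };
  });
}

// Stand-alone run on the constructed data.
const entries = groupSwitcherEntries(SAMPLE_GROUPS, featuresByRole(SAMPLE_ROLES));
for (const e of entries) console.log(`${e.group}: ${e.state} (disabled=${e.disabled})`);
```

The "unknown" branch is the part worth keeping in mind: the thread shows that the SSUI cannot always read other roles' product features, and a switcher that treats "could not read" as "no access" would reintroduce the lock-out this bug is about, only one step earlier.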