Bug 1533222
| Summary: | Auth MIQLDAP AD - SSUI - When switching groups in SSUI to a user with group/role EvmGroup-desktop, user is logged out. | ||
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Satoe Imaishi <simaishi> |
| Component: | UI - Service | Assignee: | Allen W <awight> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Landon LaSmith <llasmith> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.9.0 | CC: | awight, bascar, cpelland, dclarizi, lavenel, mpusater, obarenbo, sdoyle |
| Target Milestone: | GA | Keywords: | Regression |
| Target Release: | 5.9.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | auth:miqldap:ad:rbac | ||
| Fixed In Version: | 5.9.0.20 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1531658 | Environment: | |
| Last Closed: | 2018-03-06 15:18:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | CFME Core | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1531658 | ||
| Bug Blocks: | |||
|
Comment 3
CFME Bot
2018-01-10 19:07:34 UTC
Tested this using database auth This yaml update doesn't enable SSUI access for EvmRole-desktop because the role doesn't have access to Services in the OPS UI. You'll need to add service_view to the product features for EvmRole-desktop which might be outside of the scope for that role. Enable Services->My Services->All Services->View All Services product feature, at a minimum, because SSUI access isn't granted if the corresponding OPS product feature isn't accessible. With the default permissions, you can still login to the SSUI w/ EvmRole-user_self_service and attempt to switch to EvmRole-desktop which will immediately log you out. Ok ok ok ok so secretly that was part 1 of the fix 😏.. WHAT dont believe me? Well I can't blame you... anywho... here's whats going on now.. the issue is with each of these three functions: https://github.com/manageiq/manageiq-ui-service/blob/1d46737e05d4d403cba736f9d5dd200897ae25f3/client/app/states/dashboard/dashboard.state.js#L21-L24 tl;dr when any one of the above mentioned functions returns a 403 we get kicked back to login 😭 working on a fix, inc soon Ok, as promised, this time with 📹 proof, just so you keep me honest. Landon, thanks for sticking with us during this multi-part mayhem <3 Woops, forgot to include the pr link https://github.com/ManageIQ/manageiq-ui-service/pull/1372 Ok so pr for the fix got merged, but want to let yah know, a *more complete fix* is in the works here: https://github.com/ManageIQ/manageiq-ui-service/pull/1373 The fix merged resolves the issue with login, but if you switch groups from say desktop to admin, you'll be logged out. The aforementioned pr will fix this and a number of other itty bitty bugs (sadly its still a wip). New commit detected on ManageIQ/manageiq-ui-service/gaprindashvili: https://github.com/ManageIQ/manageiq-ui-service/commit/aaaaa5d46db0fa2269712afa0171a5e3a89eb911 commit aaaaa5d46db0fa2269712afa0171a5e3a89eb911 Author: Martin Hradil <himdel> AuthorDate: Fri Jan 26 16:31:30 2018 +0100 Commit: Satoe Imaishi <simaishi> CommitDate: Fri Jan 26 12:30:24 2018 -0500 Merge pull request #1372 from AllenBW/BZ/MASTER/#1533222-dashboard-state-resolve Refactors dashboard state resolve to return true on failed query (cherry picked from commit d60f84003472182d5645a99f4920277b8a890d8f) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1533222 client/app/states/dashboard/dashboard.state.js | 45 +++++++++++++------------- 1 file changed, 23 insertions(+), 22 deletions(-) VERIFIED in 5.9.0.20. I was able to login to the SSUI with external auth enabled (MIQLDAP) and change to/from the EVMGroup-desktop group without being logged out. |