Bug 1647169
| Summary: | Requests made within Global region are not being generated in the global request queue | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Tuan <tuado> | |
| Component: | Appliance | Assignee: | Brandon Dunne <bdunne> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Niyaz Akhtar Ansari <nansari> | |
| Severity: | high | Docs Contact: | Red Hat CloudForms Documentation <cloudforms-docs> | |
| Priority: | high | |||
| Version: | 5.9.4 | CC: | abellott, akarol, bdunne, bmidwood, dmetzger, gtanzill, hkataria, jprause, kbrock, lavenel, mpovolny, nansari, obarenbo, simaishi, tuado | |
| Target Milestone: | GA | Keywords: | Reopened, TestOnly, ZStream | |
| Target Release: | 5.10.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 5.10.0.29 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1656170 (view as bug list) | Environment: | ||
| Last Closed: | 2019-02-12 16:49:45 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | Bug | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | CFME Core | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1656170 | |||
I created a catalog, catalog item and dialog in the remote region. They replicated up to the global as expected. I added the user in the remote region to a group that has permissions to see requests (previously this user didn't have the permission, so API calls would fail). Now from the global, the user can order the service and will be redirected to the requests page where they can see the newly created request. Did I miss anything? At this point we were trying to mimic the customer's environment and users. Based on the fact the customer is saying they are on the request screen and they do not see the request, I am assuming they are within a group that has these permissions. I am requesting a remote sessions with the customer to verify the information they are giving us about the user and groups is correct. Tuan Hi Tuan, Any luck reproducing the customers problem? I am still waiting on customer for a reproducer and remote session. New commits detected on ManageIQ/manageiq/master: https://github.com/ManageIQ/manageiq/commit/c7d2cdc1622ad8bf4191ae2120fc438e189fecb9 commit c7d2cdc1622ad8bf4191ae2120fc438e189fecb9 Author: Gregg Tanzillo <gtanzill> AuthorDate: Wed Nov 28 17:02:47 2018 -0500 Commit: Gregg Tanzillo <gtanzill> CommitDate: Wed Nov 28 17:02:47 2018 -0500 Support multiple regions querying user and group owned miq_requests Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169 app/models/miq_group.rb | 8 + app/models/miq_request.rb | 4 +- app/models/user.rb | 8 + 3 files changed, 18 insertions(+), 2 deletions(-) https://github.com/ManageIQ/manageiq/commit/b1f7a3d49464a1b1ed5691594c5e1043c4b27287 commit b1f7a3d49464a1b1ed5691594c5e1043c4b27287 Author: Keenan Brock <keenan> AuthorDate: Mon Dec 3 12:00:33 2018 -0500 Commit: Keenan Brock <keenan> CommitDate: Mon Dec 3 12:00:33 2018 -0500 Specs for multiple regions querying user and group owned miq_requests Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169 spec/models/miq_group_spec.rb | 13 + spec/models/miq_request_spec.rb | 28 + spec/models/user_spec.rb | 13 + 3 files changed, 54 insertions(+) New commit detected on ManageIQ/manageiq/hammer: https://github.com/ManageIQ/manageiq/commit/740e6b551760f071217fe25b5ad1296a2a3d9d37 commit 740e6b551760f071217fe25b5ad1296a2a3d9d37 Author: Gregg Tanzillo <gtanzill> AuthorDate: Mon Dec 3 14:50:54 2018 -0500 Commit: Gregg Tanzillo <gtanzill> CommitDate: Mon Dec 3 14:50:54 2018 -0500 Merge pull request #18257 from kbrock/fix-miq_request-ownership Fix miq request ownership (cherry picked from commit aa6fba547ce4fc19e58869e282f836eeb08c44ec) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169 app/models/miq_group.rb | 8 + app/models/miq_request.rb | 4 +- app/models/user.rb | 8 + spec/models/miq_group_spec.rb | 13 + spec/models/miq_request_spec.rb | 28 + spec/models/user_spec.rb | 13 + 6 files changed, 72 insertions(+), 2 deletions(-) Hello Niyaz,
The high level of the issue:
An MiqRequest is made in the global region, it is sent to the remote region to actually perform the request. (since the global region is just a rollup reporting region)
For some reason or another, the requester can see the request in the remote region, but not the global region.
Create a master/rollup region ('G')
Create a remote region ('R')
Create a non-admin user ('U') in regions 'G' and 'R' - both must have the same name.
Create an non-admin user ('U2') in region 'G'
Create a catalog item ('C') in the remote region
Ensure U has privilege to see/execute C in region R and G.
Ensure U2 has privilege to see/execute C in region R and G.
Login to the appliance for region G as user U
Run the service catalog item C to create an miq request. 'M'
Login to R as U, and you CAN see the request 'M'
Login to G as U, and you CAN see 'M'. (This is the fix)
Login to G as U2, and you CAN NOT see 'M'. (This verifies that you configured it correctly)
Hello Niyaz, Not using ldap: good I changed role2 privileges: Access Restriction for Services, VMs, and Templates = Only User or Group Owned. This means you can only see your own requests. user1 could see the request u could not So we know we were doing some filtering based upon the user. This looks good to me. |
This appliance appears to be unable to connect to the LDAP server. [----] E, [2018-11-06T16:41:38.020122 #2255:105f93c] ERROR -- : [Net::LDAP::Error]: unable to establish a connection to server Method:[block in method_missing] [----] E, [2018-11-06T16:41:38.025584 #2255:105f93c] ERROR -- : /var/www/miq/vmdb/lib/miq_ldap.rb:96:in `resolve_host' /var/www/miq/vmdb/lib/miq_ldap.rb:48:in `initialize' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:39:in `new' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:39:in `miq_ldap' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:66:in `normalize_username' /var/www/miq/vmdb/app/models/authenticator/base.rb:54:in `authenticate' /var/www/miq/vmdb/app/models/user.rb:160:in `authenticate' /opt/rh/cfme-gemset/bundler/gems/cfme-api-ebd1e44a7a7d/app/controllers/api/base_controller/authentication.rb:20:in `block in require_api_user_or_token' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/http_authentication.rb:97:in `authenticate' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/http_authentication.rb:87:in `authenticate_with_http_basic' /opt/rh/cfme-gemset/bundler/gems/cfme-api-ebd1e44a7a7d/app/controllers/api/base_controller/authentication.rb:20:in `require_api_user_or_token' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:382:in `block in make_lambda' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:150:in `block (2 levels) in halting_and_conditional' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/callbacks.rb:12:in `block (2 levels) in <module:Callbacks>' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:151:in `block in halting_and_conditional' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `block in call' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `each' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `call' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:101:in `__run_callbacks__' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:750:in `_run_process_action_callbacks' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:90:in `run_callbacks' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/callbacks.rb:19:in `process_action' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/rescue.rb:20:in `process_action' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/instrumentation.rb:32:in `block in process_action' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications.rb:164:in `block in instrument' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications/instrumenter.rb:21:in `instrument' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications.rb:164:in `instrument' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/instrumentation.rb:30:in `process_action' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/params_wrapper.rb:248:in `process_action' /opt/rh/cfme-gemset/gems/activerecord-5.0.6/lib/active_record/railties/controller_runtime.rb:18:in `process_action' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/base.rb:126:in `process' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal.rb:190:in `dispatch' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal.rb:262:in `dispatch' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:50:in `dispatch' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:32:in `serve' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:39:in `block in serve' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:26:in `each' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:26:in `serve' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:727:in `call' /opt/rh/cfme-gemset/gems/secure_headers-3.0.3/lib/secure_headers/middleware.rb:10:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/etag.rb:25:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/conditional_get.rb:25:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/head.rb:12:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:232:in `context' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:226:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/cookies.rb:613:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/callbacks.rb:38:in `block in call' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:97:in `__run_callbacks__' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:750:in `_run_call_callbacks' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:90:in `run_callbacks' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/callbacks.rb:36:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/remote_ip.rb:79:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call' /opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/rack/logger.rb:36:in `call_app' /opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/rack/logger.rb:26:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/request_id.rb:24:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/method_override.rb:22:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/runtime.rb:22:in `call' /opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call' /opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/executor.rb:12:in `call' /opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/sendfile.rb:111:in `call' /opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/engine.rb:522:in `call' /opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/configuration.rb:232:in `call' /opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:578:in `handle_request' /opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:415:in `process_client' /opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:275:in `block in run' /opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/thread_pool.rb:120:in `block in spawn_thread' ==> log/api.log <== [----] E, [2018-11-06T16:41:38.039665 #2255:105f93c] ERROR -- : MIQ(Api::AuthController.api_error) API Error [----] E, [2018-11-06T16:41:38.039805 #2255:105f93c] ERROR -- : MIQ(Api::AuthController.api_error) MiqException::MiqEVMLoginError: unable to establish a connection to server [----] I, [2018-11-06T16:41:38.051218 #2255:105f93c] INFO -- : MIQ(Api::AuthController.log_request) Response: {:completed_at=>"2018-11-06 21:41:38 UTC", :size=>"0.129 KBytes", :time_taken=>"127.338 Seconds", :status=>401} ==> log/production.log <== [----] I, [2018-11-06T16:41:38.051770 #2255:105f93c] INFO -- : Completed 401 Unauthorized in 127340ms (Views: 8.4ms | ActiveRecord: 0.0ms)