Bug 2222924
| Summary: | Permissions are not inherited | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Divya Shah <divshah> |
| Component: | ovirt-engine | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | meital avital <mavital> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.5.3 | CC: | mperina |
| Target Milestone: | --- | Flags: | mperina: needinfo? (divshah) |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Divya Shah
2023-07-14 13:39:53 UTC
I've just checked that group permissions are inherited properly by the group members, and also that group permissions are visible within webadmin in Administration / Users when you click on a User Name detail in the Permissions tab.
So could you please retest the following scenario:
1. Create a group with name group1 on the LDAP server
2. Create a user with username user1 on the LDAP server
3. Try to log in with user1 to webadmin - it should fail due to insufficient permissions
4. Log in to webadmin using an administrator account and perform the following steps
   a. Navigate to Administration / Users and then to the Groups tab
   b. Click Add, select the relevant authorization provider for your LDAP server and add group1
   c. In the Groups tab click on Group Name group1, switch to the Permissions tab and add the SuperUser system permission
   d. Navigate to Administration / Users and then to the Users tab
   e. Find user user1 and click on its user name, then navigate to the Permissions tab and verify that the user doesn't have the SuperUser role, which is correct, because the user is not a member of group group1
   f. Log out from webadmin
5. Go to LDAP and make user user1 a member of the group group1
6. Log in to webadmin using user1 -> authentication should succeed, because user user1 is now a member of group group1, which has the SuperUser role
7. You can navigate to Administration / Users, find user1, click on its user name and navigate to the Permissions tab; you should see the SuperUser role within its permissions
If the above doesn't work, then you probably have an issue within the group mapping of your aaa-ldap provider. You can try to execute the command below on your RHVM machine to display the groups of your user user1:
```shell
$ ovirt-engine-extensions-tool aaa search \
    --extension-name=<YOUR LDAP AUTHZ PROVIDER NAME> \
    --entity=principal \
    --authz-flag=resolve-groups \
    --entity-name=user1
```
In the generated output you should see something like below:
```text
INFO: --- Begin GroupRecord ---
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_ID: c7040212-fe92-4f7a-839b-bd42d9ec8ae4
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_DISPLAY_NAME:
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAMESPACE: *
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAME: group1
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_JDBC_GROUP_DESCRIPTION:
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
INFO: --- End GroupRecord ---
```
where the important line is
```text
INFO: AAA_AUTHZ_GROUP_NAME: group1
```
If there is no GroupRecord found, then your group mapping is not set up correctly.
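As an added example (not part of the bug comment or of ovirt-engine itself), a small parser for the `ovirt-engine-extensions-tool aaa search` output excerpted above that performs the check the comment describes: does the principal resolve to the expected group at all? The sample output is constructed from the excerpt in the comment and assumes the tool's record format is exactly as shown there.

```python
import re

# Constructed sample (modelled on the excerpt in the comment above) of
# `ovirt-engine-extensions-tool aaa search ... --authz-flag=resolve-groups` output:
# java.util.logging timestamp lines interleave with the "INFO:" lines carrying data.
SAMPLE_OUTPUT = """\
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
INFO: --- Begin GroupRecord ---
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_ID: c7040212-fe92-4f7a-839b-bd42d9ec8ae4
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_DISPLAY_NAME:
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAMESPACE: *
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_AUTHZ_GROUP_NAME: group1
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl output
INFO: AAA_JDBC_GROUP_DESCRIPTION:
Jul 21, 2023 5:21:23 PM org.ovirt.engine.exttool.aaa.AAAServiceImpl$Dump dumpGroups
INFO: --- End GroupRecord ---
"""
RECORD_BEGIN = re.compile(r"^INFO: --- Begin (\w+) ---$")
RECORD_END = re.compile(r"^INFO: --- End (\w+) ---$")
FIELD = re.compile(r"^INFO: ([A-Z0-9_]+):\s*(.*)$")

def parse_records(output):
    """Return [(record_type, {field: value}), ...]; timestamp lines are skipped
    and fields outside a Begin/End pair are ignored."""
    records, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if m := RECORD_BEGIN.match(line):
            current = (m.group(1), {})
        elif (m := RECORD_END.match(line)) and current and m.group(1) == current[0]:
            records.append(current)
            current = None
        elif (m := FIELD.match(line)) and current is not None:
            current[1][m.group(1)] = m.group(2)
    return records

def resolved_group_names(output):
    """AAA_AUTHZ_GROUP_NAME of every GroupRecord the principal resolves to."""
    return sorted(f.get("AAA_AUTHZ_GROUP_NAME", "")
                  for kind, f in parse_records(output) if kind == "GroupRecord")

def group_mapping_ok(output, expected_group):
    """True when expected_group is among the resolved groups; no GroupRecord at all
    means the aaa-ldap group mapping is not set up correctly."""
    return expected_group in resolved_group_names(output)
```

Feed it the real tool output (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) to turn the manual "look for the AAA_AUTHZ_GROUP_NAME line" step into a scriptable check.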