Bug 754696

Summary: Creating a role linked to an LDAP group will not link existing users
Product: [Other] RHQ Project
Component: Database
Version: 3.0.1
Status: CLOSED NOTABUG
Severity: unspecified
Priority: medium
Hardware: All
OS: All
Keywords: FutureFeature
Doc Type: Enhancement
Reporter: Tom Fonteyne <tfonteyn>
Assignee: RHQ Project Maintainer <rhq-maint>
QA Contact: Mike Foley <mfoley>
CC: hrupp, loleary, spinder
Last Closed: 2013-03-07 00:21:07 UTC

Description Tom Fonteyne 2011-11-17 12:04:39 UTC
Description of problem:

Creating a role linked to an LDAP group will not link existing users

Version-Release number of selected component (if applicable):

JON 2.4.1

How reproducible: always


Steps to Reproduce:
1. Have a user in LDAP who belongs to an LDAP group.
2. Configure JON to use LDAP and fill in the group filter so that it finds the above group.
3. Have said user register with JON.
4. Create a new role and assign said LDAP group to it.
5. Add said user to this role.
6. The table RHQ_SUBJECT_ROLE_LDAP_MAP should get an entry linking the user with the role.

Actual results:

The table RHQ_SUBJECT_ROLE_LDAP_MAP is *not* getting an entry

Expected results:

That the table RHQ_SUBJECT_ROLE_LDAP_MAP gets an entry with the proper subject_id and role_id

Additional info:

Workaround: 

Use this SQL to find subject_id and role_id:

SELECT id FROM rhq_subject WHERE name LIKE 'username';

This is the subject_id you need, for example 67890.
Now get the role_id with:

SELECT id FROM rhq_role WHERE name LIKE 'rolename';

This returns, for example, 12345.
Finally, insert a new entry:

INSERT INTO RHQ_SUBJECT_ROLE_LDAP_MAP (role_id,subject_id) VALUES (12345,67890);

Comment 2 Tom Fonteyne 2011-11-29 10:47:31 UTC
Workaround:

1. Have a user in LDAP who belongs to an LDAP group.
2. Configure JON to use LDAP and fill in the group filter so that it finds the above group.
3. Have said user register with JON.
4. Create a new role and assign said LDAP group to it.
5. Add said user to this role.
6. Have the user log out and log in again.

I think it would still be better to do the check in step 5, though.

Comment 3 Simeon Pinder 2011-11-30 21:30:28 UTC
Basically this is a case of mixing the RHQ and LDAP administration models, as described at the following link, and should be avoided: http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models

If you enable LDAP Group authorization, you are indicating to RHQ that you want the RHQ Server to automatically assign and update RHQ users/roles every time that an external LDAP user logs in. Even the first assignment of the external LDAP users to the "LDAP Role" is not necessary. In other words, after completing steps 3 and 4 to enable LDAP Group authorization, step 5 should not be executed. Whenever the user from step 1 logs in, the role->user assignment will be taken care of correctly.

###
3. Have said user register with JON.
4. Create a new role and assign said LDAP group to it.
5. Add said user to this role.
6. The table RHQ_SUBJECT_ROLE_LDAP_MAP should get an entry linking the user with the role.
####

A possible enhancement here would be to display a warning message that "user<->role assignment is automatic" whenever an RHQ Role is being updated with a) an external LDAP group OR b) a user account if an external LDAP group is already assigned.

This would address Tom's suggestion to "do the check in step 5".

Comment 4 Larry O'Leary 2013-03-07 00:21:07 UTC
As described in the previous comment, this is not a bug. LDAP users get associated with a JBoss ON role based on the LDAP group they belong to and that LDAP group being assigned to the target role. This is done each time the user logs into JBoss ON.
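The following is an added worked model of the two mechanisms discussed on this page: the manual SQL workaround from the description, and the login-time role assignment that comments 3 and 4 describe. It is not RHQ or JBoss ON code. The schema keeps only the columns the page names (rhq_subject.id/name, rhq_role.id/name, rhq_subject_role_ldap_map.role_id/subject_id); the rhq_role_ldap_group table, the sample user and role names, the group DN and the "directory" (a constructed set of group names instead of an LDAP query) are all assumptions. Whether RHQ removes stale map rows at login is not stated on the page; the model does, and says so in a comment.

```python
"""Model of the LDAP-group -> role mapping discussed in bug 754696.

Added example: this is NOT RHQ / JBoss ON code.  The schema is an assumption
that keeps only the columns the page names (rhq_subject.id/name,
rhq_role.id/name, rhq_subject_role_ldap_map.role_id/subject_id) plus an
assumed rhq_role_ldap_group table for the role -> LDAP group link.  The
"directory" is a constructed set of group names, not a real LDAP lookup.
"""
import sqlite3

SCHEMA = """
CREATE TABLE rhq_subject (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE rhq_role    (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE rhq_role_ldap_group (                 -- assumed, not on the page
    role_id    INTEGER NOT NULL REFERENCES rhq_role(id),
    ldap_group TEXT    NOT NULL);
CREATE TABLE rhq_subject_role_ldap_map (
    role_id    INTEGER NOT NULL REFERENCES rhq_role(id),
    subject_id INTEGER NOT NULL REFERENCES rhq_subject(id),
    PRIMARY KEY (role_id, subject_id));            -- no duplicate links
"""


def new_db():
    """Fresh in-memory database with constructed sample rows; the ids are the
    ones used in the description (subject 67890, role 12345)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO rhq_subject (id, name) VALUES (?, ?)",
                   [(67890, "tom"), (67891, "alice")])
    db.execute("INSERT INTO rhq_role (id, name) VALUES (?, ?)",
               (12345, "ldap-admins"))
    db.execute("INSERT INTO rhq_role_ldap_group VALUES (?, ?)",
               (12345, "cn=rhq-admins,ou=groups,dc=example,dc=com"))
    return db


def manual_link(db, username, rolename):
    """The three-statement SQL workaround from the description collapsed into
    one statement: exact match with bound parameters instead of LIKE on a
    literal, no row if either name is unknown, no duplicate if already linked.
    Returns the number of rows inserted (1 or 0)."""
    cur = db.execute(
        """INSERT INTO rhq_subject_role_ldap_map (role_id, subject_id)
           SELECT r.id, s.id FROM rhq_role r, rhq_subject s
           WHERE r.name = ? AND s.name = ?
             AND NOT EXISTS (SELECT 1 FROM rhq_subject_role_ldap_map m
                             WHERE m.role_id = r.id AND m.subject_id = s.id)""",
        (rolename, username))
    db.commit()
    return cur.rowcount


def sync_on_login(db, username, ldap_groups):
    """What comments 3 and 4 describe, modelled: at every login the map rows of
    the subject are recomputed from the LDAP groups the user is in right now.
    Rows for roles whose group the user has left are removed (assumption: the
    page only says roles are assigned and updated at login; a map that only
    grew would keep access alive after a group removal).  Returns role ids."""
    row = db.execute("SELECT id FROM rhq_subject WHERE name = ?",
                     (username,)).fetchone()
    if row is None:                  # not registered with RHQ: nothing to map
        return set()
    (sid,) = row
    wanted = {rid for rid, grp in
              db.execute("SELECT role_id, ldap_group FROM rhq_role_ldap_group")
              if grp in ldap_groups}
    current = {rid for (rid,) in db.execute(
        "SELECT role_id FROM rhq_subject_role_ldap_map WHERE subject_id = ?",
        (sid,))}
    db.executemany(
        "INSERT INTO rhq_subject_role_ldap_map (role_id, subject_id) VALUES (?, ?)",
        [(rid, sid) for rid in wanted - current])
    db.executemany(
        "DELETE FROM rhq_subject_role_ldap_map WHERE role_id = ? AND subject_id = ?",
        [(rid, sid) for rid in current - wanted])
    db.commit()
    return wanted


def roles_of(db, username):
    """Role names currently granted to a subject through the LDAP map."""
    return {name for (name,) in db.execute(
        """SELECT r.name FROM rhq_subject_role_ldap_map m
           JOIN rhq_role r ON r.id = m.role_id
           JOIN rhq_subject s ON s.id = m.subject_id
           WHERE s.name = ?""", (username,))}


if __name__ == "__main__":
    db = new_db()
    admins = {"cn=rhq-admins,ou=groups,dc=example,dc=com"}
    print("manual workaround inserted rows:", manual_link(db, "tom", "ldap-admins"))
    print("tom after manual link:", roles_of(db, "tom"))
    print("tom logs in, still in group:", sync_on_login(db, "tom", admins))
    print("tom logs in after leaving group:", sync_on_login(db, "tom", set()))
    print("tom now:", roles_of(db, "tom"))
```

Two things the model makes visible. First, the manual workaround produces exactly the row the login-time sync would have produced, which is why comment 3 calls step 5 unnecessary; and because the row is recomputed at the next login, a hand-inserted row is only authoritative until then, so it cannot be used to grant a role to someone who is not in the LDAP group, nor to keep a role for someone who has left it. Second, if you do run the workaround SQL by hand, bind the user and role names as parameters and compare with `=` rather than `LIKE`, so that a name containing `%` or `_` cannot match more rows than intended, and check the rowcount so a typo in either name fails loudly instead of silently inserting nothing.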