Bug 788933

Summary: Imported users using the Remote API end up having no password
Product: [Other] RHQ Project
Reporter: Romain PELISSE <belaran>
Component: CLI
Assignee: Romain Pelisse <rpelisse>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Mike Foley <mfoley>
Severity: medium
Priority: medium
Version: 4.2
CC: belaran, hrupp, lkrejci, rpelisse
Flags: hrupp: needinfo? (belaran)
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2015-02-09 12:06:54 UTC

Description Romain PELISSE 2012-02-09 10:29:26 UTC
Description of problem:

Using the Remote API, we built a Java application (a CLI) to export the Roles and the Users from JON into a simple JSON file. We then import those Users/Roles into another RHQ instance.

The issue we encounter is that we cannot export passwords - which somehow makes sense to a certain extent - but when we import the "password-less" users, they end up having actually no password, meaning that anybody providing the username and a random password can log in as the user.

Version-Release number of selected component (if applicable):

JBoss Operations Network<http://rhq-project.org/>
Version: 3.0.0.GA
Build Number: e23441b:85320d2

GWT Version: 2.0.4
SmartGWT Version: 2.4

(not sure how this maps to the RHQ version)

How reproducible:

I cannot (yet) disclose our code, but I guess it's fairly easily reproducible - perhaps using the CLI provided by JON.

Steps to Reproduce:
1. Import a user (without any password)
2. Try to log in as this user with a random password

Actual results:

You're logged in!

Expected results:

My expectation here was that the user would be somehow "locked" and that he would have to reset his password (or request it by email).

Additional info:

Comment 1 Lukas Krejci 2012-02-13 12:45:19 UTC
A workaround is to import the subjects with the "factive" property set to false - i.e. such subjects will not be enabled after import.

I tried guessing the repro steps for this but I wasn't successful (just copy&pasting the CLI commandline interaction):

rhqadmin@localhost:7080$ var newUser = new Subject

rhqadmin@localhost:7080$ newUser.name = "newUser"
newUser

rhqadmin@localhost:7080$ newUser.factive = true
true

rhqadmin@localhost:7080$ newUser.firstName = "a"
a

rhqadmin@localhost:7080$ newUser.lastName = "b"
b

rhqadmin@localhost:7080$ newUser.emailAddress = "a"
a

rhqadmin@localhost:7080$ SubjectManager.createSubject(newUser)
Subject:
               department: 
             emailAddress: a
                  factive: true
                firstName: a
                  fsystem: false
                       id: 10011
                 lastName: b
                ldapRoles: []
                     name: newUser
              ownedGroups: 
              phoneNumber: 
                    roles: []
                sessionId: 
               smsAddress: 
        userConfiguration: 

This will create a new (enabled) subject inside RHQ. In the GUI, I couldn't log in using the username provided (it won't let me in with no password, and entering a random password wouldn't let me in).

The next step in the normal workflow is to create a principal that would provide the authentication to the subject.

I tried these:
rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", null)       
sun.org.mozilla.javascript.internal.WrappedException: Wrapped javax.ejb.EJBException: [Warning] java.lang.NullPointerException 
SubjectManager.createPrincipal("newUser", null) 
^

rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "")

This succeeded but the user wasn't able to log in because the UI won't let the empty password through.

rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "password1")

This succeeded and the user was then able to log in only with the provided username and password.
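
As an added example, not code from the bug report or from the RHQ project: a Java importer against the Remote API that applies the workaround from Comment 1 and never passes a null or empty password to createPrincipal. It assumes the RHQ 4.x remoting client (RemoteClient, SubjectManagerRemote, Subject) with the method signatures shown, a server on localhost:7080, an admin password in the RHQ_ADMIN_PASSWORD environment variable, and a constructed sample record; none of these come from the page.

```java
// Added example, not from the bug report or the RHQ code base.
// Imports one exported user record without ever calling createPrincipal()
// with a null or empty password, then checks that a random password is rejected.
import java.security.SecureRandom;

import org.rhq.core.domain.auth.Subject;
import org.rhq.enterprise.clientapi.RemoteClient;
import org.rhq.enterprise.server.auth.SubjectManagerRemote;

public class SafeSubjectImporter {

    // Constructed sample record standing in for one entry of the exported JSON.
    // The export carries no password, so the last element is null.
    static final String[] SAMPLE_RECORD = {"importedUser", "Imported", "User", "imported@example.com", null};

    private static final SecureRandom RNG = new SecureRandom();

    /** 24 random bytes as 48 hex chars. The value is never shown to anyone; its only job
     *  is to keep the principal from being created with an empty or null password. */
    static String throwawayPassword() {
        byte[] buf = new byte[24];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Builds the Subject to create. A record that arrives without a password is imported
     *  disabled (factive = false, the workaround from Comment 1) so the account cannot be
     *  used until an administrator enables it and sets a real password. */
    static Subject buildSubject(String name, String first, String last, String email, boolean hasPassword) {
        Subject s = new Subject();
        s.setName(name);
        s.setFirstName(first);
        s.setLastName(last);
        s.setEmailAddress(email);
        s.setFactive(hasPassword);
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: RHQ server on localhost:7080, admin password taken from an environment variable.
        RemoteClient client = new RemoteClient(null, "localhost", 7080);
        Subject admin = client.login("rhqadmin", System.getenv("RHQ_ADMIN_PASSWORD"));
        SubjectManagerRemote subjectManager = client.getProxy(SubjectManagerRemote.class);

        String exportedPassword = SAMPLE_RECORD[4];
        boolean hasPassword = exportedPassword != null && !exportedPassword.isEmpty();

        Subject created = subjectManager.createSubject(admin, buildSubject(
                SAMPLE_RECORD[0], SAMPLE_RECORD[1], SAMPLE_RECORD[2], SAMPLE_RECORD[3], hasPassword));

        // Comment 1 shows createPrincipal(name, null) throwing an NPE and createPrincipal(name, "")
        // being accepted. Always hand the server a real secret, even for a disabled account.
        subjectManager.createPrincipal(admin, created.getName(),
                hasPassword ? exportedPassword : throwawayPassword());

        // Post-import check: a login with an arbitrary password must be rejected.
        RemoteClient probe = new RemoteClient(null, "localhost", 7080);
        try {
            probe.login(created.getName(), "not-the-real-password");
            throw new IllegalStateException("imported account accepts an arbitrary password");
        } catch (IllegalStateException e) {
            throw e;
        } catch (Exception expected) {
            System.out.println("OK: arbitrary password rejected for " + created.getName());
        } finally {
            client.logout();
        }
    }
}
```

The final probe is the same check as steps 1 and 2 of the report, run by the importer itself: if the login with an arbitrary password succeeds, the import aborts loudly instead of leaving a usable account behind.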

Comment 2 Mike Foley 2012-02-13 16:59:36 UTC
per triage 2/13/2012 (asantos, crouch, foley, loleary)

Comment 3 Heiko W. Rupp 2012-06-21 09:39:20 UTC
Romain,
how do you import the users? Can you show that part of the code?

Comment 4 Romain PELISSE 2012-06-22 11:39:55 UTC
Hi Heiko,

Sorry, I categorized this as CLI, but in fact, as I wrote, I'm using the Remote API, so I do the import from a Java client. I may be able to push the code to github. I'll let you know as soon as it is done.

Comment 5 Heiko W. Rupp 2013-07-01 12:36:26 UTC
We cannot require an importer to set the "factive" property to disable bad behavior, but should have the importer explicitly enable that.

Romain, can you please check the status of the code with RHQ 4.8 and/or JON 312?

Comment 6 Romain Pelisse 2015-02-09 12:06:54 UTC
Out of date, I never had the opportunity to come back to the issue, and not sure there is a real need anyway for the feature.