Bug 866638
| Summary: | Need an admin account for LDAP mode | ||
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Shveta <sshveta> |
| Component: | aeolus-configure | Assignee: | Mike Orazi <morazi> |
| Status: | CLOSED EOL | QA Contact: | Rehana <aeolus-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.1.0 | CC: | aweiteka, morazi, sseago |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-27 17:58:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Shveta
2012-10-15 19:05:50 UTC
Copying chat/comments from sseago <sseago> sshveta, you need to make him an admin or he won't see it I don't think -- I think admin rights are needed to see a user's quota (the way the code is written now) <sshveta> sseago, in ldap mode admin account doesnt work <sshveta> sseago, so how shall i give any rights to this user? <sseago> sshveta, yeah -- so you need to give the ldap user admin rights _before_ switching to ldap mode <sshveta> sseago, but that user was not existing when i changed it to ldap .. <sshveta> sseago, so now i should o back to db nmode <sshveta> mode and do it? <sseago> sshveta, yeah -- the bootstrapping process is a bit awkward, but you have to create a user that you know has an ldap account before swapping to ldap mode <sseago> then grant that user admin rights <sseago> then swap to ldap <sshveta> sseago, ok .. <sseago> sshveta, so the issue is right now aeolus-configure doesn't set up ldap for us, so you have to do it manually <sseago> morazi-afk, hewbrocca but yeah we need more automation around setting up ldap admin users I think <sseago> hewbrocca, morazi-afk right now it's pretty clumsy. you have to set things up in non-ldap mode, create a user that matches an ldap username and grant that user access, then set up ldap and swap login mode to ldap, and (ideally) then delete the non-ldap "admin" user account <sseago> sshveta, what we probably need longer-term is a way to identify what account we're creating for admin access in aeolus-configure So, yes the short-term fix is to document the process, which is essentially: 1) aeolus-configure sets up conductor in database login mode with a user called 'admin' 2) admin logs into conductor and creates a new user with a username corresponding to the desired ldap admin user 3) give this new user admin rights (Global Administrator role) 4) reconfigure conductor for ldap login and restart 5) log in as new admin -- everything should work as expected now 6) (optional but useful in case there is an ldap user called 'admin') Revoke privileges on the original 'admin' user Longer-term we need to fix aeolus-configure to do the following: 1) configure /etc/ldap_fluff.yml properly for ldap (user will need to customize ldap settings in a puppet recipe or something similar) -- Katello already does this in their config, so we could probably pull some puppet stuff from there 2) configure settings.yml to allow for swapping out the default database auth with ldap auth 3) configurable admin account username (this may be here already) 4) fix the create_user rake task to work under ldap mode too (this may work already, but I suspect at least some tweaking will be needed) |