Bug 970517

Summary: LDAP user login fails with when user did not log in through UI previously
Product: [Other] RHQ Project Reporter: Libor Zoubek <lzoubek>
Component: RESTAssignee: Heiko W. Rupp <hrupp>
Status: ON_QA --- QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.8CC: theute
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
server.log none

Description Libor Zoubek 2013-06-04 08:41:38 UTC
Created attachment 756658 [details]
server.log

Description of problem: I am not able to login through REST API as a LDAP user when this LDAP user did not yet logged in through UI => does not yet exist in rhq database. 

Version-Release number of selected component (if applicable):
RHQ 4.8-master

How reproducible:always


Steps to Reproduce:
1.have a LDAP user, not yet "imported" to RHQ
2.login to REST API

Actual results: you get server errror with UndeclaredThrowable


Expected results:user should be able to login


Additional info:

Comment 1 Heiko W. Rupp 2013-06-04 08:48:41 UTC
I understand this is the same restriction as for the CLI

Comment 3 Heiko W. Rupp 2013-06-04 13:03:21 UTC
master 764f68b5674 now prints a message for the LDAP user case:

/devel/ZwitscherA hrupp$ curl -i -u user:pass http://localhost:7080/rest/.json
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 04 Jun 2013 12:29:18 GMT

{"message":"User was authorized, but has no rights for the operation. If this is an LDAP user, the user needs to log in to the UI and complete registration."}

If the user is completely invalid we return a normal 401 response (actually the container does this for us)

Comment 4 Heiko W. Rupp 2013-07-17 12:51:37 UTC
We should open a new BZ that lists that restriction for CLI and REST.