Bug 1070277 (JON3-39) - JON should (be able to) block login to a user without roles
Summary: JON should (be able to) block login to a user without roles
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: JON3-39
Product: JBoss Operations Network
Classification: JBoss
Component: Security
Version: JON 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ER04
Target Release: JON 3.3.0
Assignee: Jay Shaughnessy
QA Contact: Sunil Kondkar
URL:
Whiteboard:
Depends On: 1133947 1150586
Blocks:
Reported: 2014-02-26 14:28 UTC by Heiko W. Rupp
Modified: 2015-06-18 15:23 UTC
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-11 14:03:50 UTC
Type: Enhancement
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1122549 0 unspecified CLOSED LDAP user registration screen does not appear when 'Enable Login Without Roles' has value 'No' 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JON3-39 0 Major Resolved JON should block login to a user without roles [PRODMGT-420] 2015-09-29 21:43:57 UTC

Internal Links: 1122549

Description Heiko W. Rupp 2014-02-26 14:28:25 UTC
A user who is not assigned to any role in JON is able to log in, but doesn't see any platform and their access is really limited.

JON integration with an LDAP could bring hundreds of users, and all of them will be able to log in to JON. Admins would like to block users without roles from logging in.
'Enabled Login' is not enough, since admins need to wait for the user to log in to add the LDAP user entry into the JON database, and then change the 'Enabled Login' value to false.

Comment 1 Jirka Kremser 2014-05-13 13:48:29 UTC
branch:  master
link:    https://github.com/rhq-project/rhq/commit/2d64ae7ab
time:    2014-05-13 15:39:35 +0200
commit:  2d64ae7abedfd1ae973db55967fefad9e9e51a3d
author:  Jirka Kremser - jkremser
message: [BZ 1070277] - (JON3-39) JON should (be able to) block login to a user
         without roles

         Adding a flag into system settings that will indicate if it is
         allowed to log in without any assigned RHQ role. Our current
         RBAC implementation luckily protects the user from performing any
         server-side calls, but she is still able to see alert and
         metric templates, download and install the agent, etc.

         If the flag (Enable Login Without Roles) is set to true,
         everything is as before this change. Otherwise, the user is not
         let into the application. For security reasons there
         is no difference between invalid credentials and valid
         credentials together with no assigned role.

         It defaults to false.

         NOTE: It does not apply only to LDAP users but to all users,
         because it should be consistent for both JDBC and LDAP users.
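The check described in the commit message above, as an added illustration that is not RHQ/JON code: a system-settings flag gates login for users with no roles, and when the flag is off a correct password on a role-less account fails with exactly the same message as bad credentials, so the response does not reveal which case occurred. The class and function names, the toy hashing and the sample user directory are all constructed for this example.

```python
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass
class User:
    name: str
    password_hash: str
    roles: set = field(default_factory=set)


@dataclass
class SystemSettings:
    # Stands in for the "Enable Login Without Roles" setting; the later
    # commits in this bug made its default true (attribute name is assumed).
    enable_login_without_roles: bool = True


# One uniform failure message for every rejected login.
LOGIN_FAILED = "Invalid username or password"


def _hash(password: str) -> str:
    # Toy hash for the example only; a real system uses a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def authenticate(users: dict, settings: SystemSettings, name: str, password: str):
    """Return (ok, message). Credentials are checked first; then, if the
    flag is off, a user with no roles is rejected with the same message
    as invalid credentials, so the two cases are indistinguishable."""
    user = users.get(name)
    # Compare against a dummy hash for unknown users so the work done is similar.
    expected = user.password_hash if user else _hash("")
    creds_ok = hmac.compare_digest(expected, _hash(password)) and user is not None
    if not creds_ok:
        return False, LOGIN_FAILED
    if not user.roles and not settings.enable_login_without_roles:
        return False, LOGIN_FAILED  # deliberately identical to the bad-credentials case
    return True, f"welcome {user.name}"


# Constructed sample directory: one user with a role, one (e.g. LDAP-synced) without.
USERS = {
    "alice": User("alice", _hash("s3cret"), {"all-resources-role"}),
    "bob": User("bob", _hash("pa55w0rd")),
}
```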

Comment 4 JBoss JIRA Server 2014-05-14 15:15:02 UTC
Heiko Rupp <hrupp> updated the status of jira JON3-39 to Resolved

Comment 6 Simeon Pinder 2014-07-31 15:51:41 UTC
Moving to ON_QA as available to test with brew build of DR01: https://brewweb.devel.redhat.com//buildinfo?buildID=373993

Comment 7 Garik Khachikyan 2014-08-05 09:10:38 UTC
taking QA contact.

Comment 10 JBoss JIRA Server 2014-08-15 22:48:48 UTC
mfoley user <mfoley> updated the status of jira JON3-39 to Reopened

Comment 12 Jay Shaughnessy 2014-09-09 15:28:55 UTC
Jirka, just set this to MODIFIED when you do the same for Bug 1133947.  It's basically a tracker from what I can see.

Comment 17 Jirka Kremser 2014-09-22 17:38:50 UTC
branch:  master
link:    https://github.com/rhq-project/rhq/commit/4df0d7f41
time:    2014-09-22 18:57:49 +0200
commit:  4df0d7f411da1a03604e49c6b9d0117965616ca8
author:  Jirka Kremser - jkremser
message: [BZ 1070277] - (JON3-39) JON should (be able to) block login to a user
         without roles - Changing the default of the property to true,
         i.e. enabling the login for user without roles by default.

Comment 18 Jirka Kremser 2014-09-25 15:06:34 UTC
branch:  release/jon3.3.x
link:    https://github.com/rhq-project/rhq/commit/19bfe3af3
time:    2014-09-25 17:03:21 +0200
commit:  19bfe3af34c894a69dfe69fae7729177e367e2c6
author:  Jirka Kremser - jkremser
message: [BZ 1070277] - (JON3-39) JON should (be able to) block login to a user
         without roles - Changing the default of the property to true,
         i.e. enabling the login for user without roles by default.

         (cherry picked from commit
         4df0d7f411da1a03604e49c6b9d0117965616ca8) Signed-off-by: Jirka
         Kremser <jkremser>

Comment 19 Jirka Kremser 2014-09-25 15:18:19 UTC
branch:  release/jon3.3.x
link:    https://github.com/rhq-project/rhq/commit/78d2e8e1c
time:    2014-09-25 17:17:46 +0200
commit:  78d2e8e1cbd082fdf5796dca9cced4d43e880ab8
author:  Jirka Kremser - jkremser
message: [BZ 1070277] - (JON3-39) JON should (be able to) block login to a user
         without roles - adding it to the db-upgrade.xml also using
         lower case in sysconfig-data.xml

         (cherry picked from commit
         74f4240ea865308b7dea9aa025fd0574423f52ac) Signed-off-by: Jirka
         Kremser <jkremser>

Comment 20 Simeon Pinder 2014-10-01 21:33:04 UTC
Moving to ON_QA as available for test with build:
https://brewweb.devel.redhat.com/buildinfo?buildID=388959

Comment 21 Mike Foley 2014-10-08 15:49:42 UTC
Based on ...

1) this BZ being closed:  https://bugzilla.redhat.com/show_bug.cgi?id=1150586
2) https://tcms.engineering.redhat.com/run/166675/?from_plan=14350

GSS ... please review item #1, and re-open if needed.

Based on #1, #2 ...JON 3-39 is "Test Complete"

Comment 22 JBoss JIRA Server 2014-10-08 15:50:52 UTC
mfoley user <mfoley> updated the status of jira JON3-39 to Resolved

Comment 23 Larry O'Leary 2014-10-17 01:27:20 UTC
(In reply to Mike Foley from comment #21)
> Based on ...
> 
> 1) this BZ being closed:  https://bugzilla.redhat.com/show_bug.cgi?id=1150586
> 2) https://tcms.engineering.redhat.com/run/166675/?from_plan=14350
> 
> GSS ... please review item #1, and re-open if needed.
> 
> Based on #1, #2 ...JON 3-39 is "Test Complete"

I have re-opened bug 1150586 as the requirement clearly states that the warning should occur on the first attempt. Without such a warning or any feedback, the login screen appears broken and this becomes a usability issue.

Comment 24 JBoss JIRA Server 2014-10-17 12:13:40 UTC
mfoley user <mfoley> updated the status of jira JON3-39 to Reopened

Comment 25 JBoss JIRA Server 2015-06-18 15:23:35 UTC
Jirka Kremser <jkremser> updated the status of jira JON3-39 to Resolved
