Description of problem:
If an LDAP user who is not a member of any LDAP group and is not registered in JBoss ON tries to log in with the CLI, the login is successful.
Note: If the same user is registered in JBoss ON, a CLI login attempt gives the correct result (the message: There are no preconfigured roles for user).

Version-Release number of selected component (if applicable):
Version : 3.3.0.ER01
Build Number : 23b3476:f3aa7e7
LDAP: Windows Server 2008 Active Directory

How reproducible:
Always

Steps to Reproduce:
1. Create an LDAP user who is not a member of any LDAP group on Windows Active Directory (Ex: sachin)
2. Configure LDAP properties in the JBoss ON Administration UI and save
3. Do not register the LDAP user 'sachin' in JBoss ON.
4. Log in with the LDAP user 'sachin' to the CLI.
5. Login is successful.
   ./rhq-cli.sh -u sachin -p <password> -s 10.65.201.174 -t 7080

   [root@dhcp201-174 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.174 -t 7080
   RHQ Enterprise Remote CLI 4.12.0.JON330ER01
   Remote server version is: 3.3.0.ER01 (23b3476:f3aa7e7)
   Login successful
6. Now log in to the JBoss ON UI and register the LDAP user 'sachin'.
7. After registering the LDAP user, try to log in to the CLI
   [root@dhcp201-174 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.174 -t 7080
   RHQ Enterprise Remote CLI 4.12.0.JON330ER01
   Login failed: There are no preconfigured roles for user [sachin]
   Usage: login username password [host port [transport]]
   unconnected$
8. Observe that after registering the LDAP user, the CLI does not allow the user to log in, which is correct.

Actual results:
Unregistered LDAP user without role can log in to CLI

Expected results:
Unregistered LDAP user without role should not be able to log in to CLI.

Additional info:
It now works also for the CLI. If it is the very first login of an LDAP user, in the CLI and REST the message is shown that he/she should go through the web UI first and register. It is still possible to log in to the "/rest" endpoint even if "Enable Login Without Roles" is set to "No" and the LDAP user has no roles. However, there is nothing he can do. It would be too much effort (with the necessity to "uglify" the code) to make it work also for the REST endpoint, so I've decided not to do that.

branch: master
link: https://github.com/rhq-project/rhq/commit/61bc3cebe
time: 2014-09-26 15:11:38 +0200
commit: 61bc3cebe032ac1bcdb8906d302d976d73ab3cdf
author: Jirka Kremser - jkremser
message: [BZ 1133947] - Unregistered LDAP user without role can login to CLI
- introducing loginLocal() method to be able to find out that user is coming from CLI (the case when SubjectManagerRemote.login() is called) and let him fail if it is LDAP user and is not registered in the system. This is now consistent with the REST endpoint, where we assume the registered LDAP user as well.
branch: release/jon3.3.x
link: https://github.com/rhq-project/rhq/commit/b18999965
time: 2014-09-26 16:27:19 +0200
commit: b1899996541837efbeeb1895d7e4d730cb9124fd
author: Jirka Kremser - jkremser
message: [BZ 1133947] - Unregistered LDAP user without role can login to CLI
- introducing loginLocal() method to be able to find out that user is coming from CLI (the case when SubjectManagerRemote.login() is called) and let him fail if it is LDAP user and is not registered in the system. This is now consistent with the REST endpoint, where we assume the registered LDAP user as well.
(cherry picked from commit 61bc3cebe032ac1bcdb8906d302d976d73ab3cdf)
Signed-off-by: Libor Zoubek <lzoubek>
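The policy gap the commits above close, modelled as an added Python example (not RHQ/JBoss ON code): the web UI path, the CLI path as observed in the report (an assumed model of the pre-fix behaviour, where the role check is only reached for registered accounts), and the CLI path with the loginLocal()-style check. The enumeration at the end is the check a reviewer would want for any system with several login entry points: every principal state must get the same answer from each of them. The REST endpoint mentioned in the comment is not modelled.

```python
from dataclasses import dataclass
from itertools import product

NO_ROLES = "Login failed: There are no preconfigured roles for user [{}]"
FIRST_LOGIN = "Login failed: Use the web UI for the first log in and fill all the necessary information."

@dataclass(frozen=True)
class Subject:
    name: str
    is_ldap: bool
    registered: bool   # an account record for the user exists in JBoss ON
    has_roles: bool

def login_web(s: Subject, login_without_roles: bool) -> str:
    # Web UI path: an unregistered LDAP user is sent to registration before anything else.
    if s.is_ldap and not s.registered:
        return "registration-required"
    if not s.has_roles and not login_without_roles:
        return NO_ROLES.format(s.name)
    return "ok"

def login_remote_buggy(s: Subject, login_without_roles: bool) -> str:
    # CLI path as observed before the fix (assumed model): the role check is only
    # reached for registered subjects, so an unregistered LDAP user is never rejected.
    if s.registered and not s.has_roles and not login_without_roles:
        return NO_ROLES.format(s.name)
    return "ok"

def login_remote_fixed(s: Subject, login_without_roles: bool) -> str:
    # CLI path with the loginLocal()-style check from the commit: an unregistered
    # LDAP subject fails before roles are even evaluated.
    if s.is_ldap and not s.registered:
        return FIRST_LOGIN
    if not s.has_roles and not login_without_roles:
        return NO_ROLES.format(s.name)
    return "ok"

def entrypoint_gaps(remote_path, login_without_roles: bool = False) -> list:
    # Enumerate every subject state and report the ones where the remote entry point
    # grants a session although the web UI would not: the class of bug in this report.
    gaps = []
    for is_ldap, registered, has_roles in product([True, False], repeat=3):
        if not is_ldap and not registered:
            continue  # local (non-LDAP) users always have an account record
        s = Subject("sachin", is_ldap, registered, has_roles)
        if remote_path(s, login_without_roles) == "ok" and login_web(s, login_without_roles) != "ok":
            gaps.append((is_ldap, registered, has_roles))
    return gaps

if __name__ == "__main__":
    print({p.__name__: entrypoint_gaps(p) for p in (login_remote_buggy, login_remote_fixed)})
```

Before the fix the enumeration reports the two unregistered-LDAP states (with and without roles) as reachable through the CLI; after it, none.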
Moving to ON_QA as available for test with build: https://brewweb.devel.redhat.com/buildinfo?buildID=388959
Verified on JON 3.3 ER04

Trying to log in with an unregistered LDAP user without role to the CLI fails and shows the message:
[root@dhcp201-204 bin]# ./rhq-cli.sh -u sachin -p Redhat123 -s 10.65.201.204 -t 7080
RHQ Enterprise Remote CLI 4.12.0.JON330ER04
Login failed: java.lang.IllegalStateException: Use the web UI for the first log in and fill all the necessary information.
Usage: login username password [host port [transport]]
-----
Trying to log in with an unregistered LDAP user without role to REST shows the message:
Error
User was authorized, but has no rights for the operation. If this is an LDAP user, the user needs to log in to the UI and complete registration.