Bug 1157773
| Summary: | No password change url on login failure when password expires | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Pan Liyang <plysab> |
| Component: | ovirt-engine-core | Assignee: | Alexander Wels <awels> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ondra Machacek <omachace> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.5 | CC: | alonbl, awels, bugs, ecohen, gklein, gshereme, lsurette, oourfali, rbalakri, yeylon, ylavi |
| Target Milestone: | --- | ||
| Target Release: | 3.5.4 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | ux | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-09-03 13:54:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | UX | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Pan Liyang
2014-10-27 16:38:12 UTC
adding gshereme to CC list, just in case some assistance will be needed to display the URL properly within the newly-styled login page (not sure what the exact problem is though, so may not be related at all).

1.) This bug reproduces for me.
2.) I've confirmed that the change password URL is:
* stored in db
* returned by aaa builtin extension to bll.
* returned from bll
* returns to the browser:
function Jae$(_0,_1){_0.c=_1;return _0}function Xqb$(_0){return L7(Xqb,{292:1,300:1,316:1},0,_0)}function bti$(_0,_1,_2,_3,_4){_0.b=_1;_0.c=_3;return _0}return [(_._3=jAg(Jae$(_._4=new (kaf(Xhb)),Xqb$([0,(_._0=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([4,"USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED","$URL ","USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED","$MSG Hay, Bye."])),_._0),_._0),0,0,null,"",(_._1=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._1),_._1),(_._2=new Tze,Rue(Jae$(_._6=new (kaf(Xhb)),Xqb$([0])),_._2),_._2),1,bti$(new (kaf(BDb)),(Vsi(),Hli),null,"ENGINE",null),(Llg(),Hlg)]))),iAg(_._4,_._3),_._3)];
The message here is "Hay, Bye."
Greg could you take a look (per comment 1)?
Per comment #2 moving to UX, and removing the needinfo.

reassigning to Alexander.

So I investigated this a little bit and it appears the following is happening. There are 2 options one can pass:

* --change-password-msg: This is an additional message besides the URL.
* --change-password-url: This is the URL to display in the reported message.

When the password is expired the backend passes 2 failure messages into the result object. The change password URL message with the URL substituted from the above --change-password-url option. And 'Cannot login. User Password has expired. Detailed message: $MSG' with $MSG substituted from --change-password-msg.

Since the first commit the LoginModel has always obtained the first message (the URL one in this case) and displayed that. The second message has always been ignored. There has been a lot of work on the authentication side of things recently and it looks like the order of the messages was reversed before. So the first error message was the one associated with --change-password-msg and the second one with --change-password-url. So the url message was silently ignored. However in the current state the order switched so now the url is first and the msg is the one ignored.

It also appears there is a bug in the backend that doesn't ignore adding the url/msg if they are blank (just null).

I will do the following:

1. Fix the backend to also check for blank urls or msgs.
2. Fix the LoginModel to allow multiple error messages.
3. Fix the display to properly format and show all messages.

Is there an option to set change-password-msg in the new AAA method?

(In reply to Yaniv Dary from comment #6)
> Is there an option to set change-password-msg in the new AAA method?

this is extension specific.
in case of ldap see [1] look for:

* config.authn.credentials-change.url
* config.authn.credentials-change.message

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l296

When testing this please make sure the message works with the options listed in comment #7 as well.

Alexander, did you make sure that the fix is working well for the new AAA stuff as well?

Yes this will work with the new AAA, that was actually what exposed the existing issue.

moving back to POST.
@Alexander - this needs a backport to ovirt-engine-3.5.

pushing TR to 3.5.4, so no need to cherry-pick the fix to the 'ovirt-engine-3.5.3' branch. Once 'ovirt-engine-3.5' is merge - please move the BZ to MODIFIED.

(In reply to Einav Cohen from comment #12)
> Once 'ovirt-engine-3.5' is merge

Once *the* 'ovirt-engine-3.5' *patch* is *merged*

Since oVirt 3.5.4 RC1 has been released, please ensure that the fix is included in the build and move the bug to ON_QA accordingly.

Works fine in vt16.1 for both legacy and new AAA.

This is an automated message. oVirt 3.5.4 has been released on September 3rd 2015 and should include the fix for this BZ. Moving to closed current release.
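The three fixes listed in the investigation comment above, sketched as an added example (not ovirt-engine code and not written by any commenter on this bug). The class and method names are hypothetical, the URL template wording and the sample URL are constructed, and the flat list of message keys followed by "$NAME value" entries mirrors the response captured earlier on this page.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; all names here are hypothetical, not taken from ovirt-engine.
public class ExpiredPasswordMessages {
    static final String URL_KEY = "USER_PASSWORD_EXPIRED_CHANGE_URL_PROVIDED";
    static final String MSG_KEY = "USER_PASSWORD_EXPIRED_CHANGE_MSG_PROVIDED";
    // MSG template is quoted from the comment above; the URL template text is constructed.
    static final Map<String, String> TEMPLATES = new LinkedHashMap<>();
    static {
        TEMPLATES.put(URL_KEY, "Cannot login. User Password has expired. Change it at: $URL");
        TEMPLATES.put(MSG_KEY, "Cannot login. User Password has expired. Detailed message: $MSG");
    }

    static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    // Fix 1 (backend): emit a key and its "$NAME value" entry only for non-blank values,
    // so a null-only check no longer lets an empty URL or message through.
    static List<String> buildFailure(String changeUrl, String changeMsg) {
        List<String> out = new ArrayList<>();
        if (!isBlank(changeUrl)) { out.add(URL_KEY); out.add("$URL " + changeUrl.trim()); }
        if (!isBlank(changeMsg)) { out.add(MSG_KEY); out.add("$MSG " + changeMsg.trim()); }
        return out;
    }

    // Fixes 2 and 3 (login model and display): resolve every key, not only the first one.
    static List<String> render(List<String> failure) {
        Map<String, String> vars = new LinkedHashMap<>();
        for (String e : failure) {
            int sp = e.indexOf(' ');
            if (e.startsWith("$") && sp > 0) vars.put(e.substring(0, sp), e.substring(sp + 1));
        }
        List<String> lines = new ArrayList<>();
        for (String e : failure) {
            String text = TEMPLATES.get(e);
            if (text == null) continue; // substitution entry or unknown key
            for (Map.Entry<String, String> v : vars.entrySet()) text = text.replace(v.getKey(), v.getValue());
            lines.add(text);
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed inputs: a blank URL with a message, then both values set.
        System.out.println(render(buildFailure(" ", "Hay, Bye.")));
        System.out.println(render(buildFailure("https://idm.example.test/password", "Hay, Bye.")));
    }
}
```

A model that reads only the first element of the rendered list reproduces the behaviour reported here: whichever message the backend happens to add second is silently dropped.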