Bug 1335638 - Groups resolution shouldn't be done on authn stage
Summary: Groups resolution shouldn't be done on authn stage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-3.6.7
Target Release: 3.6.7
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1335488
Blocks:
 
Reported: 2016-05-12 18:03 UTC by Anitha Udgiri
Modified: 2019-12-16 05:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1335488
Environment:
Last Closed: 2016-06-29 16:20:01 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Attachments
login log (5.80 KB, text/plain)
2016-06-09 08:18 UTC, Gonza


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:1364 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Virtualization Manager (rhevm) bug fix 3.6.7 | 2016-06-29 20:18:44 UTC
oVirt gerrit | 57356 | 0 | ovirt-engine-3.6 | MERGED | aaa: kerbldap: don't resolve groups in authn stage | 2016-05-14 20:03:01 UTC

Description Anitha Udgiri 2016-05-12 18:03:51 UTC
+++ This bug was initially created as a clone of Bug #1335488 +++

For kerbldap we are resolving groups also in the authn stage, not only in the authz stage.
This was caused in 3.5 when we moved to using extensions, as before authz + authn was done in one stage in LdapAuthenticateUserCommand.java and in 3.5 it was split into two stages, but the code was unfortunately preserved.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2016-05-12 06:14:31 EDT ---

This bug report has Keywords: Regression or TestBlocker.
Since no regressions or test blockers are allowed between releases, it is also being identified as a blocker for this release. Please resolve ASAP.

--- Additional comment from Ondra Machacek on 2016-05-12 06:15:56 EDT ---

The result is that login time is ~two times longer.

Comment 6 Martin Perina 2016-05-16 07:08:09 UTC
Removing rhevm-4.0-ga as the kerberos/ldap module (engine-manage-domains) has been removed completely in 4.0, and 3.6 is the last version which includes it.

Comment 8 Gonza 2016-06-09 08:18:10 UTC
Created attachment 1166196
login log

Verified with:
rhevm-3.6.7.2-0.1.el6.noarch

Log attached.

Comment 10 errata-xmlrpc 2016-06-29 16:20:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1364

