Description of problem:
When using external authentication (IPA server), the user is still able to log in to the CFME web interface, even if he does not belong to any group.

Version-Release number of selected component (if applicable):
5.4.5.2

How reproducible:
Try to delete all the groups to which the user belongs; the user is still able to log in.

Steps to Reproduce:
1.
2.
3.

Actual results:
User is able to log in when he does not belong to any group.

Expected results:
If the user does not belong to any group, he should not be able to log in to the CFME web interface.

Additional info:

Sachin:

This might not be a bug. It might be a usage issue.

In Brief:
---------
Please check if you have "Get User Groups from External Authentication" checked under:
Settings->Configuration->Settings->Authentication

Some Details:
-------------
Do you have "Get User Groups from External Authentication" checked under:
Settings->Configuration->Settings->Authentication?

If so, the user's groups will be repopulated with what is configured on the IPA LDAP server.

If "Get User Groups from External Authentication" is not checked, whatever group the user belongs to will be the group he is logged in with.

In the latest upstream it is not possible to remove a user from all groups. One must select a group from a dropdown.

Please check if you have "Get User Groups from External Authentication" checked under:
Settings->Configuration->Settings->Authentication

If you still feel this is an error, please describe more precisely what it is you are doing when you remove all the groups from the user.

Thank you!
JoeV

Joe,

I'll ask the customer to check what you have suggested. If you confirm that in the latest code, user should be a member of at least one group, we need to check that.

> If you still feel this is an error please describe more precisely what it is
> you are doing when you remove the all groups from the user.

When the user is removed from all the groups, he is still able to log in, which is strange.

Anyways, thanks for the info.

--
Sachin

(In reply to Sachin from comment #4)
> Joe,
>
> I'll ask the customer to check what you have suggested. If you confirm that
> in the latest code, user should be a member of at least one group, we need
> to check that.
>
> > If you still feel this is an error please describe more precisely what it is
> > you are doing when you remove the all groups from the user.
>
> When the user is removed from all the groups, he is still able to log in,
> which is strange.
>
> Anyways, thanks for the info.
>
> --
> Sachin

Sachin,

If "Get User Groups from External Authentication" is checked under:
Settings->Configuration->Settings->Authentication
the user would be able to log in even if the CFME administrator removed the user from all groups, because at login time the user's group information will be pulled from the IPA server.

JoeV

JoeV,

Is there any way to clear this info? Or is this how it is expected to work?

--
Sachin

(In reply to Sachin from comment #6)
> JoeV,
>
> Is there any way to clear this info? Or is this how it is expected to work?
>
> --
> Sachin

Hey Sachin,

If you no longer want an IPA user to be able to log into CFME, the best thing to do would be to log into the IPA server and reconfigure the user so they no longer belong to the groups configured on CFME.

JoeV

I am closing this as NOTABUG. The code works as designed and the desired functionality is obtained, as described in the above comments, by:

If you no longer want an IPA user to be able to log into CFME, the best thing to do would be to log into the IPA server and reconfigure the user so they no longer belong to the groups configured on CFME.

Please reopen with more information if you feel this is still an issue.

Joe,

The additional step of removing the user to get the desired results (so that the user can't log in) is for CF-4.1 (cfme-5.6.0..). Although the bug was raised against CF-3.2, we see similar behaviour on CF-4.2.

Sachin,

Can you please PM me the IP address and credentials to the CF-4.2 (cfme-5.7) based appliance where you are seeing this issue, and the URL to the source of the image you used to stand up that appliance?

Thank you,
JoeV

Ohh! Sorry for the confusion, Joe. It was a typo. My bad.

What you wrote is correct:
- It fails on CF-3.2 (CFME-5.4)
- It works on CF-4.1 (CFME-5.6), but we need to remove the user from CFME manually.
- This problem does not exist in the upstream.

> If this is only a CF-3.2 (CFME 5.4) I'm not sure we are doing 5.4.z stream releases.

I think the user should not be able to log in if he is not a member of an ipa/cfme group. It should work seamlessly irrespective of the user being removed manually (we do not remove the user in upstream). So it is still a bug in CF-4.1 (CFME 5.6).

--
Sachin

ChrisP,

This bug only occurs on 5.6. It is not reproducible on 5.7. Please adjust the flags and target release accordingly.

Thank you,
JoeV

https://github.com/ManageIQ/manageiq/pull/10634
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/7b439c12f1f63968e0fa40c2d0ca1e869a073d9c

commit 7b439c12f1f63968e0fa40c2d0ca1e869a073d9c
Author:     Joe VLcek <jvlcek>
AuthorDate: Fri Aug 19 14:23:16 2016 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Tue Aug 23 15:41:57 2016 -0400

    Update the user when there are no matching groups

    When all MiQ groups are removed for a given user on the "authenticator"
    the user's DB entry must be updated to show no matching MiQ groups.

    https://bugzilla.redhat.com/show_bug.cgi?id=1342082

 app/models/authenticator.rb       |  3 ++-
 spec/models/authenticator_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

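
The behaviour the commit message above describes, as an added illustration that is not part of this bug report and is not ManageIQ's code: a small Ruby model of reconciling a user's stored groups against the groups the external directory returns at login. The `User` struct, the method names, the group names and the exact shape of the pre-fix logic are assumptions made for the example.

```ruby
# Illustrative model only. All names here are hypothetical, not ManageIQ's.
User = Struct.new(:userid, :groups)

# Groups defined on the appliance (constructed sample data).
APPLIANCE_GROUPS = %w[cfme-admins cfme-operators].freeze

# Keep only the directory groups that also exist on the appliance.
def matching_groups(directory_groups)
  directory_groups & APPLIANCE_GROUPS
end

# Assumed "before" shape: the stored record is refreshed only when a match
# exists, so a user removed from every group in the directory keeps the
# memberships cached from an earlier login and is still let in.
def login_stale(user, directory_groups)
  matches = matching_groups(directory_groups)
  user.groups = matches unless matches.empty?
  !user.groups.empty?
end

# "After" shape: the stored record always mirrors the directory result,
# including the empty result, and login is refused when nothing matches.
def login_synced(user, directory_groups)
  user.groups = matching_groups(directory_groups)
  !user.groups.empty?
end

# Replay the scenario from this report: the user logged in once as a member
# of a mapped group, then lost every group on the directory side.
def replay(login_method)
  user = User.new("alice", ["cfme-admins"])
  allowed = send(login_method, user, [])
  { allowed: allowed, stored_groups: user.groups }
end

if __FILE__ == $PROGRAM_NAME
  puts "stale:  #{replay(:login_stale)}"
  puts "synced: #{replay(:login_synced)}"
end
```
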
Looks like the change is needed on master as well, removing the needinfo flag.
Verified in 5.7.0.0
Any update on this BZ?
(In reply to Sachin from comment #36)
> Any update on this BZ?

Sachin,

The fix, as noted in comment #31, has been verified, as indicated by this BZ's status. So you should be good to go.

JoeV

*** Bug 1404537 has been marked as a duplicate of this bug. ***