Bug 1421878 - API request is not returning expected result for LDAP user
Summary: API request is not returning expected result for LDAP user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assignee: Tim Wade
QA Contact: Martin Kourim
URL:
Whiteboard: auth:miqldap:ad:api
Depends On:
Blocks:
Reported: 2017-02-13 23:04 UTC by myoder
Modified: 2023-09-15 00:01 UTC
CC List: 7 users

Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-01 13:09:24 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2018:0380
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat CloudForms security, bug fix, and enhancement update
Last Updated: 2018-03-01 18:37:12 UTC

Description myoder 2017-02-13 23:04:42 UTC
Description of problem:

When using the REST API as the local admin user, I can use this URL to retrieve the request:
https://hostname/api/requests/11000000007200

When using the REST API as an Active Directory user with this URL, I get a 404:
https://hostname/api/requests/11000000007200
404 Not Found

However, as the same Active Directory user, I can use this URL to get the same data returned:
https://hostname/api/provision_requests/11000000007200

I would expect both api/provision_requests and api/requests to behave the same way.

How reproducible:
Always


Comment 3 Dave Johnson 2017-03-01 21:35:11 UTC
Matt, could you retest this please in 5.6.4?

Comment 6 Tim Wade 2017-05-18 17:39:35 UTC
Matt,

Were you able to retest as per https://bugzilla.redhat.com/show_bug.cgi?id=1421878#c3 ?

It looks like there are a couple of things going on here:

1. In the requests API, we limit GETs to the requester if they are not admin. We don't do this for provision requests, hence the inconsistency in results. IMO we should fix this, but it's a separate issue - fixing it would only make the core issue here more apparent.

2. In order to do (1), we ask the current user if they are admin. This must be returning true (as expected) if you are signing in locally, and returning false when using LDAP. If this is the case we need to address that, but it's not specifically an API issue.
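
The two points in comment 6, as an added illustration that is not part of the original thread and is not ManageIQ code: a simplified Ruby model, in which every record, user and function name is an assumption, with an audit that reports each user/record pair where the two endpoints disagree.

```ruby
# Simplified model of the behaviour in comment 6. Constructed for illustration;
# every name below is an assumption, none of it is ManageIQ code.
Request = Struct.new(:id, :requester)
User    = Struct.new(:name, :admin)

# Constructed sample records and users.
REQUESTS = [Request.new(1, "alice"), Request.new(2, "bob")].freeze
SAMPLE_USERS = [
  User.new("local_admin", true),
  User.new("ldap_admin", false), # admin check wrongly reports false (point 2)
  User.new("alice", false)
].freeze

# /api/requests as described: a non-admin may only GET their own request.
def requests_show(user, id)
  rec = REQUESTS.find { |r| r.id == id }
  return 404 if rec.nil?
  (user.admin || rec.requester == user.name) ? 200 : 404
end

# /api/provision_requests as described: no requester scoping (point 1).
def provision_requests_show(_user, id)
  REQUESTS.any? { |r| r.id == id } ? 200 : 404
end

ENDPOINTS = {
  "/api/requests"           => method(:requests_show),
  "/api/provision_requests" => method(:provision_requests_show)
}.freeze

# Audit: endpoints that serve the same record must return the same status
# to the same user. Returns one entry per disagreement.
def scoping_mismatches(users)
  users.product(REQUESTS).map do |user, rec|
    statuses = ENDPOINTS.transform_values { |handler| handler.call(user, rec.id) }
    next if statuses.values.uniq.size == 1
    { user: user.name, id: rec.id, statuses: statuses }
  end.compact
end

scoping_mismatches(SAMPLE_USERS).each do |m|
  puts "#{m[:user]} request #{m[:id]}: #{m[:statuses]}"
end
```

The `ldap_admin` rows reproduce the reported symptom (404 on one endpoint, data on the other), and the `alice` row shows the separate unscoped-endpoint inconsistency from point 1.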

Comment 7 Tim Wade 2017-05-18 18:15:48 UTC
Fixed in https://github.com/ManageIQ/manageiq/pull/15151

Matt, I have addressed (2) above, so cancelling needinfo request.

Comment 9 Tim Wade 2017-05-19 15:01:19 UTC
Note: This will also require https://github.com/ManageIQ/manageiq/pull/15163 to fix; I'll move this to POST when that gets merged.

Comment 10 Martin Kourim 2017-10-24 15:57:36 UTC
Verified that the LDAP admin user (with EvmGroup-super_administrator group) can access both /api/requests and /api/provision_requests.

Comment 14 errata-xmlrpc 2018-03-01 13:09:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380

Comment 15 Red Hat Bugzilla 2023-09-15 00:01:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.

