1422551 – External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI

Bug 1422551 - External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI

Summary: External authentication works when logging into the Admin UI but doesn't work...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	UI - Service
Sub Component:
Version:	5.7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	GA
Target Release:	5.8.0
Assignee:	Josh Langholtz
QA Contact:	Matt Pusateri
Docs Contact:
URL:
Whiteboard:	auth:externalauth:ad:freeipa:ssui
Depends On:
Blocks:	1429650
TreeView+	depends on / blocked

Reported:	2017-02-15 14:18 UTC by cwyatt
Modified:	2017-07-11 13:47 UTC (History)
CC List:	6 users (show)
Fixed In Version:	5.8.0.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1429650 (view as bug list)
Environment:
Last Closed:	2017-06-12 17:08:07 UTC
Category:	---
Cloudforms Team:	CFME Core
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Unable to login to Service UI (24.83 KB, image/png) 2017-02-15 14:18 UTC, cwyatt	no flags	Details
View All

Description cwyatt 2017-02-15 14:18:54 UTC

Created attachment 1250622 [details]
Unable to login to Service UI

Description of problem:
User's are unable to login to the Service UI when external authentication is specified as the login mechanism for CloudForms 4.2. The same user is able to login to the Admin UI without issues, but when they tried to login to the Service UI, they are presented with the message "Error! User does not have privileges to login."

Version-Release number of selected component (if applicable):
5.7.0.17.20161219135818_725f92f

How reproducible:
100%

Steps to Reproduce:
1. Configure external authentication to Active Directory using the instructions listed here 
2. Create a CloudForms group for the Active Directory group that the user is a member of
3. Login to the Admin UI to verify that the test user can login successfully
4. Attempt to login to the Service UI

Actual results:
Unable to login to Service UI with Active Directory user - "Error! User does not have privileges to login."

Expected results:
User is able to login to both the Admin UI and the Service UI

Additional info:

Comment 3 cwyatt 2017-02-15 14:21:11 UTC

These instructions were followed to configure the external authentication to AD
https://access.redhat.com/articles/2037663

Comment 4 CFME Bot 2017-02-22 15:13:47 UTC

https://github.com/ManageIQ/manageiq-ui-service/pull/527

Comment 5 CFME Bot 2017-02-22 16:27:27 UTC

New commit detected on ManageIQ/manageiq-ui-service/master:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/88598e53b8e432688b5d853d8b1e1fd902b97a59

commit 88598e53b8e432688b5d853d8b1e1fd902b97a59
Author:     Josh Langholtz <jjlangholtz>
AuthorDate: Wed Feb 22 09:57:00 2017 -0500
Commit:     Josh Langholtz <jjlangholtz>
CommitDate: Wed Feb 22 09:57:00 2017 -0500

    Set X-Miq-Group header for every request
    
    Break down `Session.create` into two distinct setters because the auth
    token and miq group values come from two separate HTTP requests.
    
    The group value is returned as part of the user object when the
    authorizations request is made.
    
    https://www.pivotaltracker.com/story/show/140246987
    https://bugzilla.redhat.com/show_bug.cgi?id=1422551

 client/app/core/authentication-api.factory.js |  2 +-
 client/app/core/authorization.config.js       |  6 ++----
 client/app/core/session.service.js            | 17 ++++++++++++-----
 client/app/core/session.service.spec.js       |  6 +++---
 4 files changed, 18 insertions(+), 13 deletions(-)

Comment 7 Matt Pusateri 2017-05-16 21:16:29 UTC

Validated in External Auth FreeIPA,AD,OpenLDAP 5.8.0.14-rc3

Note You need to log in before you can comment on or make changes to this bug.