Bug 1429650 - External authentication works when logging into the Admin UI but doesn't work for the same user to get into the Service UI
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - Service
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.7.2
Assignee: Allen W
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:externalauth:ad:ssui
Depends On: 1422551
Blocks:
Reported: 2017-03-06 18:50 UTC by Satoe Imaishi
Modified: 2017-03-30 21:54 UTC

Fixed In Version: 5.7.2.0
Doc Text:
Clone Of: 1422551
Environment:
Last Closed: 2017-03-30 20:39:29 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHSA-2017:0898
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update
Last Updated: 2017-04-12 18:31:08 UTC

Comment 1 Matt Pusateri 2017-03-29 15:31:05 UTC
Validated successfully on AD and OpenLDAP.

With FreeIPA, I had some users that could log in, but I had a user (hutteggera) that couldn't.

[----] I, [2017-03-29T10:20:22.568835 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [hutteggera] - User hutteggera successfully validated by External httpd
[----] I, [2017-03-29T10:20:22.603384 #11931:80113c]  INFO -- : MIQ(MiqQueue.put) Message id: [876],  id: [], Zone: [default], Role: [smartstate], Server: [], Ident: [generic], Target id: [], Instance id: [], Task id: [job_dispatcher], Command: [JobProxyDispatcher.dispatch], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: []
[----] I, [2017-03-29T10:20:22.623112 #12008:d19e08]  INFO -- : MIQ(MiqTask#update_status) Task: [14] [Active] [Ok] [Authorizing]
[----] I, [2017-03-29T10:20:22.774320 #12008:d19e08]  INFO -- : MIQ(Authenticator::Httpd#authorize) Authorized User: [hutteggera]
[----] I, [2017-03-29T10:20:22.774493 #12008:d19e08]  INFO -- : MIQ(MiqTask#update_status) Task: [14] [Finished] [Ok] [User authorized successfully]
[----] I, [2017-03-29T10:20:22.808828 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [hutteggera] - Authentication successful for user hutteggera
[----] E, [2017-03-29T10:20:22.892331 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) API Error
[----] E, [2017-03-29T10:20:22.893201 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) Api::ForbiddenError: Use of the read action is forbidden

Comment 3 Chris Kacerguis 2017-03-29 16:10:59 UTC
Matt, can you please validate that the hutteggera user has the correct permissions / roles?

Comment 13 Allen W 2017-03-30 16:46:46 UTC
This one is a doozy, almost a multi-bug BZ. The SUI bug: users, no matter if they are able to view or do anything, should be let into the SUI.

The non-SUI bug part is that it looks like when a user that belongs to multiple groups, each with multiple roles with varying product features, attempts to log in, it is not returning all the product features from all the roles of all the groups.

Gonna grab our API friend Tim to help with this one.

Comment 14 Allen W 2017-03-30 20:39:29 UTC
https://github.com/ManageIQ/manageiq-ui-service/pull/617

The above doesn't really do much for this BZ, as there wasn't much to do, but as a result of this BZ, verbiage was updated for clarity.

Ends up the whole "only returning product features for a user's current group" is by design, so this can be closed! (Right?)
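
The pattern in the Comment 1 log excerpt (external authentication succeeds, then the API answers with Api::ForbiddenError on the same worker) can be picked out of a log mechanically when triaging similar reports. This is an added example, not part of the bug report or of ManageIQ; the function name, the 5-second window and the `exampleuser` sample line are assumptions, and attributing an error to a user by matching pid:tid is a heuristic.

```python
import re
from datetime import datetime, timedelta

# Sample input: three lines from Comment 1 (unwrapped) plus one constructed line (exampleuser).
SAMPLE_LOG = """\
[----] I, [2017-03-29T10:20:22.568835 #12008:d19e08]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [hutteggera] - User hutteggera successfully validated by External httpd
[----] I, [2017-03-29T10:20:22.774320 #12008:d19e08]  INFO -- : MIQ(Authenticator::Httpd#authorize) Authorized User: [hutteggera]
[----] E, [2017-03-29T10:20:22.893201 #12008:d19e08] ERROR -- : <API> MIQ(Api::SettingsController.api_error) Api::ForbiddenError: Use of the read action is forbidden
[----] I, [2017-03-29T10:21:05.100000 #12008:aa11bb]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [exampleuser] - Authentication successful for user exampleuser
"""

# Log line layout as it appears in the excerpt: severity, timestamp, pid:tid, level, message.
LINE = re.compile(r"^\[----\] [A-Z], \[(?P<ts>\S+) #(?P<pid>\d+):(?P<tid>[0-9a-f]+)\]\s+\w+ -- : (?P<msg>.*)$")
AUTH_OK = re.compile(r"<AuditSuccess> MIQ\(Authenticator\.authenticate\) userid: \[(?P<user>[^\]]+)\]")
FORBIDDEN = re.compile(r"Api::ForbiddenError: (?P<reason>.*)")


def authn_then_forbidden(log_text, window=timedelta(seconds=5)):
    """Return (userid, timestamp, reason) for each Api::ForbiddenError logged by the
    same worker pid:tid within `window` of a successful authentication."""
    last_auth = {}  # (pid, tid) -> (userid, time of most recent AuditSuccess)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation or unrelated line
        worker = (m["pid"], m["tid"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        auth = AUTH_OK.search(m["msg"])
        if auth:
            last_auth[worker] = (auth["user"], ts)
            continue
        denied = FORBIDDEN.search(m["msg"])
        if denied and worker in last_auth:
            user, t_auth = last_auth[worker]
            if ts - t_auth <= window:
                findings.append((user, m["ts"], denied["reason"]))
    return findings


if __name__ == "__main__":
    for user, ts, reason in authn_then_forbidden(SAMPLE_LOG):
        print(f"{ts} {user}: authenticated, then denied by API ({reason})")
```

A hit means authentication and authorization disagree for that user, which in this bug turned out to be the current group's role lacking the product feature rather than a failure of external authentication.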

