
Bug 1432716

Summary: Regression: Upgrade to 6.2.8 breaks Dashboard for SSO users
Product: Red Hat Satellite
Component: Dashboard
Version: 6.2.8
Status: CLOSED WORKSFORME
Severity: medium
Priority: high
Reporter: Paul Armstrong <parmstro>
Assignee: satellite6-bugs <satellite6-bugs>
CC: bbuckingham, jcallaha, mhulan, parmstro, sgraessl, tbrisker
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-05-11 19:33:56 UTC
Type: Bug
Attachments: Permission Denied when using IdM SSO (flags: none)

Description Paul Armstrong 2017-03-16 02:04:10 UTC
Created attachment 1263554 [details]
Permission Denied when using IdM SSO

Description of problem:
See attached Image. After an upgrade to 6.2.8 from 6.2.7, the Dashboard startup page displays Permission denied for all widgets for users logging in using IPA integrated SSO (https://sat6.example.com/user/extlogin). Other aspects of the UI appear to function normally. Logging in through https://sat6.example.com/user/login as admin or other locally defined user works as expected.

Version-Release number of selected component (if applicable):
6.2.8

How reproducible:
Always

Steps to Reproduce:
1. Configure Sat6 for IdM SSO on 6.2.7 or earlier
2. Upgrade to 6.2.8
3. Try to log in using Kerberos creds...


Actual results:
Boom!

Expected results:
Yay!

Additional info:
See attachment.

Comment 4 Paul Armstrong 2017-03-20 20:10:54 UTC
In researching another issue, 

https://bugzilla.redhat.com/show_bug.cgi?id=1368212

I noticed that for some reason my IdM user that gets created no longer has admin privilege in table 'users'. 

External group admins in IdM is mapped to the admins group in Satellite. When I try to refresh that group, I get an error "unable to refresh external group".

If I kdestroy, then log in as the admin user, I can see the login for my IdM user. When I delete it, it is cleaned up from the users table appropriately.
Then if I kinit and then go to the base Satellite URL, the new user is created in the users table with a new id. I am logged on successfully. The new user shows up in the Users list in the WebAPI and Administrator is ticked. NOTE that admin = f in the users table for the newly created user.

I can log out and then log back in again no problem. I can kdestroy, then kinit and visit the Satellite base URL or simply click log back in. All seems to work as expected. And I no longer see the "permission denied" message.

****HOWEVER****
If I modify my profile to select the Default Org or Location on login and save it (successfully), then log out and try to log back in, I get the issue stated in the BZ above (1368212), and then on successfully logging back in by visiting the base URL I get the permission denied error.

Selecting my account to try to edit the Defaults ends up giving me a "user not found" error. In visiting the users administration page, the IdM user is not listed.

foreman=# select * from users where id=8;
 id |  login   | firstname | lastname  |          mail          | admin |       last_login_on        | auth_source_id |         created_at         |        updated_at         |
 password_hash | password_salt | locale | avatar_hash | default_organization_id | default_location_id | lower_login | mail_enabled | timezone 
----+----------+-----------+-----------+------------------------+-------+----------------------------+----------------+----------------------------+---------------------------+
---------------+---------------+--------+-------------+-------------------------+---------------------+-------------+--------------+----------
  8 | parmstro | Paul      | Armstrong | parmstro | f     | 2017-03-20 19:58:15.609475 |              4 | 2017-03-20 19:58:15.504356 | 2017-03-20 20:05:39.15123 |
               |               |        |             |                       3 |                   4 | parmstro    | t            | 
(1 row)

Comment 5 Paul Armstrong 2017-03-20 20:26:26 UTC
Now logging in as admin user and selecting Any/Any context, I see the user.
No locations are selected; that is probably why we can't see the user when logged in.
The admin role is not selected...
and checking the external group mappings, trying to refresh the admins mapping gives:
"Warning: External user group admins could not be refreshed"

loggers -> sql debug
production.log

2017-03-20 16:22:04 [sql] [D]    (0.4ms)  SELECT  "katello_events"."object_id" FROM "katello_events"  WHERE "katello_events"."in_progress" = 'f'  ORDER BY "katello_events"."created_at" ASC LIMIT 1
2017-03-20 16:22:04 [sql] [D]    (0.4ms)  SELECT  "katello_events"."event_type" FROM "katello_events"  WHERE "katello_events"."in_progress" = 'f'  ORDER BY "katello_events"."created_at" ASC LIMIT 1
2017-03-20 16:22:04 [sql] [D]   Katello::Event Load (0.3ms)  SELECT  "katello_events".* FROM "katello_events"  WHERE "katello_events"."in_progress" = 'f' AND 1=0 AND 1=0  ORDER BY "katello_events"."created_at" DESC LIMIT 1
2017-03-20 16:22:04 [sql] [D]   SQL (0.5ms)  UPDATE "katello_events" SET "in_progress" = 't' WHERE "katello_events"."id" IN (SELECT "katello_events"."id" FROM "katello_events"  WHERE "katello_events"."in_progress" = 'f' AND 1=0 AND 1=0  ORDER BY "katello_events"."created_at" ASC)
2017-03-20 16:22:04 [app] [I] Started PUT "/external_usergroups/admins/refresh" for 192.168.252.131 at 2017-03-20 16:22:04 -0400
2017-03-20 16:22:04 [app] [I] Processing by ExternalUsergroupsController#refresh as HTML
2017-03-20 16:22:04 [app] [I]   Parameters: {"authenticity_token"=>"/HSU3qoj47rbhvBrT8xHYewFRb3LNEy4oEFX5/ZPrQc=", "id"=>"admins"}
2017-03-20 16:22:04 [sql] [D]   ActiveRecord::SessionStore::Session Load (0.6ms)  SELECT  "sessions".* FROM "sessions"  WHERE "sessions"."session_id" = 'c920069c22a1926222518fe9675c5149'  ORDER BY "sessions"."id" ASC LIMIT 1
2017-03-20 16:22:04 [sql] [D]   User Load (0.3ms)  SELECT  "users".* FROM "users"  WHERE "users"."id" = $1 LIMIT 1  [["id", 3]]
2017-03-20 16:22:04 [sql] [D]    (0.5ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization')
2017-03-20 16:22:04 [sql] [D]    (0.3ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location')
2017-03-20 16:22:04 [sql] [D]   AuthSource Load (0.2ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = $1 LIMIT 1  [["id", 1]]
2017-03-20 16:22:04 [sql] [D]    (0.3ms)  SELECT  "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') LIMIT 1
2017-03-20 16:22:04 [sql] [D]    (0.4ms)  SELECT  "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') LIMIT 1
2017-03-20 16:22:04 [sql] [D]    (0.5ms)  SELECT COUNT(*) FROM "external_usergroups"
2017-03-20 16:22:04 [sql] [D]   ExternalUsergroup Load (0.5ms)  SELECT  "external_usergroups".* FROM "external_usergroups"  WHERE "external_usergroups"."id" = 0 LIMIT 1
2017-03-20 16:22:04 [sql] [D]   ExternalUsergroup Load (0.5ms)  SELECT  "external_usergroups".* FROM "external_usergroups"  WHERE "external_usergroups"."name" = 'admins'  ORDER BY "external_usergroups"."id" ASC LIMIT 1
2017-03-20 16:22:04 [sql] [D]   AuthSource Load (0.3ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = $1 LIMIT 1  [["id", 4]]
2017-03-20 16:22:04 [app] [I] Redirected to https://sat6.parmstrong.ca/usergroups
2017-03-20 16:22:04 [app] [I] Completed 302 Found in 21ms (ActiveRecord: 4.4ms)
2017-03-20 16:22:04 [app] [I] Started GET "/usergroups" for 192.168.252.131 at 2017-03-20 16:22:04 -0400
2017-03-20 16:22:04 [app] [I] Processing by UsergroupsController#index as HTML
2017-03-20 16:22:04 [sql] [D]   ActiveRecord::SessionStore::Session Load (0.9ms)  SELECT  "sessions".* FROM "sessions"  WHERE "sessions"."session_id" = 'c920069c22a1926222518fe9675c5149'  ORDER BY "sessions"."id" ASC LIMIT 1
2017-03-20 16:22:04 [sql] [D]   User Load (0.3ms)  SELECT  "users".* FROM "users"  WHERE "users"."id" = $1 LIMIT 1  [["id", 3]]
2017-03-20 16:22:04 [sql] [D]    (0.4ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization')
2017-03-20 16:22:04 [sql] [D]    (0.3ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location')
2017-03-20 16:22:04 [sql] [D]   AuthSource Load (0.3ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = $1 LIMIT 1  [["id", 1]]
2017-03-20 16:22:04 [sql] [D]    (0.3ms)  SELECT  "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') LIMIT 1
2017-03-20 16:22:04 [sql] [D]    (0.3ms)  SELECT  "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') LIMIT 1
2017-03-20 16:22:04 [sql] [D]   Usergroup Load (0.3ms)  SELECT  "usergroups".* FROM "usergroups"   ORDER BY usergroups.name LIMIT 1
2017-03-20 16:22:04 [sql] [D]   Usergroup Load (0.4ms)  SELECT  "usergroups".* FROM "usergroups"   ORDER BY usergroups.name LIMIT 100 OFFSET 0
2017-03-20 16:22:04 [sql] [D]   UsergroupMember Load (0.4ms)  SELECT "usergroup_members".* FROM "usergroup_members"  WHERE "usergroup_members"."member_type" = 'Usergroup' AND "usergroup_members"."usergroup_id" IN (1, 3, 2)
2017-03-20 16:22:04 [sql] [D]    (0.4ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2017-03-20 16:22:04 [sql] [D]   User Load (0.4ms)  SELECT "users".* FROM "users" INNER JOIN "usergroup_members" ON "users"."id" = "usergroup_members"."member_id" WHERE "usergroup_members"."usergroup_id" = $1 AND "usergroup_members"."member_type" = 'User' AND ("users"."auth_source_id" NOT IN (2))  ORDER BY firstname  [["usergroup_id", 1]]
2017-03-20 16:22:04 [sql] [D]   CACHE (0.0ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2017-03-20 16:22:04 [sql] [D]   User Load (0.7ms)  SELECT "users".* FROM "users" INNER JOIN "usergroup_members" ON "users"."id" = "usergroup_members"."member_id" WHERE "usergroup_members"."usergroup_id" = $1 AND "usergroup_members"."member_type" = 'User' AND ("users"."auth_source_id" NOT IN (2))  ORDER BY firstname  [["usergroup_id", 3]]
2017-03-20 16:22:04 [sql] [D]   CACHE (0.0ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2017-03-20 16:22:04 [sql] [D]   User Load (0.5ms)  SELECT "users".* FROM "users" INNER JOIN "usergroup_members" ON "users"."id" = "usergroup_members"."member_id" WHERE "usergroup_members"."usergroup_id" = $1 AND "usergroup_members"."member_type" = 'User' AND ("users"."auth_source_id" NOT IN (2))  ORDER BY firstname  [["usergroup_id", 2]]
2017-03-20 16:22:04 [app] [I]   Rendered usergroups/index.html.erb within layouts/application (24.5ms)
2017-03-20 16:22:04 [sql] [D]   Bookmark Load (0.6ms)  SELECT "bookmarks".* FROM "bookmarks"  WHERE (((bookmarks.public = 't') OR (bookmarks.owner_id = 3 AND bookmarks.owner_type = 'User'))) AND (controller = 'usergroups')  ORDER BY "bookmarks"."name" ASC
2017-03-20 16:22:04 [app] [I]   Rendered common/_searchbar.html.erb (4.6ms)
2017-03-20 16:22:04 [app] [I]   Rendered layouts/_application_content.html.erb (5.5ms)
2017-03-20 16:22:04 [app] [I]   Rendered home/_submenu.html.erb (1.7ms)
2017-03-20 16:22:04 [app] [I]   Rendered home/_user_dropdown.html.erb (2.0ms)
2017-03-20 16:22:04 [app] [I] Read fragment views/tabs_and_title_records-3 (0.2ms)
2017-03-20 16:22:04 [app] [I]   Rendered home/_topbar.html.erb (5.6ms)
2017-03-20 16:22:04 [app] [I]   Rendered layouts/base.html.erb (7.6ms)
2017-03-20 16:22:04 [app] [I] Completed 200 OK in 57ms (Views: 36.2ms | ActiveRecord: 6.5ms)
2017-03-20 16:22:05 [foreman-tasks/dynflow] [D]          Step ce89394d-b10e-4831-b18a-e5fbfb2ab3a0:84 got event Dynflow::Action::Polling::Poll
2017-03-20 16:22:05 [foreman-tasks/dynflow] [D]          Step ce89394d-b10e-4831-b18a-e5fbfb2ab3a0:84 suspended >>   running in phase      Run Actions::Pulp::Consumer::SyncCapsule
2017-03-20 16:22:05 [sql] [D]   SmartProxy Load (0.3ms)  SELECT  "smart_proxies".* FROM "smart_proxies"  WHERE "smart_proxies"."id" = $1  ORDER BY smart_proxies.name LIMIT 1  [["id", 2]]
2017-03-20 16:22:05 [katello/pulp_rest] [D] RestClient.get "https://capsule.parmstrong.ca/pulp/api/v2/tasks/126cbdbf-6274-4803-b36b-5bd0d532b525/", "Accept"=>"*/*; q=0.5, application/xml", "Accept-Encoding"=>"gzip, deflate", "accept"=>"application/json", "content_type"=>"application/json"
 | \n# => 200 OK | application/json 391 bytes
 |
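
The production.log excerpt in comment 5 shows an external group refresh that redirects with 302 and never writes to "usergroup_members". The following is an added example, not part of the original report or of Satellite's code: a small triage script that pairs each refresh request with its completion and counts membership writes, so mappings that silently changed nothing can be reviewed. It assumes the log format shown above with SQL debug enabled, that requests are not interleaved, and that membership changes appear as INSERT/DELETE/UPDATE on "usergroup_members"; the sample log, including the second request, is constructed.

```python
import re

# Constructed sample in the production.log format shown above (SQL debug on).
SAMPLE_LOG = """\
2017-03-20 16:22:04 [app] [I] Started PUT "/external_usergroups/admins/refresh" for 192.168.252.131 at 2017-03-20 16:22:04 -0400
2017-03-20 16:22:04 [app] [I] Processing by ExternalUsergroupsController#refresh as HTML
2017-03-20 16:22:04 [sql] [D]   AuthSource Load (0.3ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = $1 LIMIT 1  [["id", 4]]
2017-03-20 16:22:04 [app] [I] Redirected to https://sat6.example.com/usergroups
2017-03-20 16:22:04 [app] [I] Completed 302 Found in 21ms (ActiveRecord: 4.4ms)
2017-03-20 16:25:10 [app] [I] Started PUT "/external_usergroups/ops/refresh" for 192.168.252.131 at 2017-03-20 16:25:10 -0400
2017-03-20 16:25:10 [sql] [D]   SQL (0.4ms)  INSERT INTO "usergroup_members" ("member_id", "member_type", "usergroup_id") VALUES ($1, $2, $3)
2017-03-20 16:25:10 [app] [I] Completed 302 Found in 40ms (ActiveRecord: 6.1ms)
"""

STARTED = re.compile(r'\[app\] \[I\] Started PUT "/external_usergroups/([^/"]+)/refresh" for (\S+)')
COMPLETED = re.compile(r'\[app\] \[I\] Completed (\d{3})')
# Assumption: membership changes show up as writes to this table.
MEMBER_WRITE = re.compile(r'\[sql\] \[D\].*\b(INSERT INTO|DELETE FROM|UPDATE) "usergroup_members"')

def refresh_requests(log_text):
    """Return one dict per external-group refresh request found in log_text."""
    results, current = [], None
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m:
            current = {"time": line[:19], "group": m.group(1), "client": m.group(2),
                       "membership_writes": 0, "status": None}
            continue
        if current is None:
            continue  # line belongs to some other request
        if MEMBER_WRITE.search(line):
            current["membership_writes"] += 1
        m = COMPLETED.search(line)
        if m:
            current["status"] = int(m.group(1))
            results.append(current)
            current = None
    return results

def unchanged_refreshes(log_text):
    """Refreshes that completed without touching usergroup_members."""
    return [r for r in refresh_requests(log_text) if r["membership_writes"] == 0]

if __name__ == "__main__":
    for r in refresh_requests(SAMPLE_LOG):
        print(r)
```

A refresh with zero membership writes is not necessarily a failure (membership may already be in sync), so treat the output as a list of requests to check against the warning shown in the UI.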