Description of problem: Any valid group should be able to login in. Currently SSUI login fails to allow a user to log in, if their primary group does not have a role that permits ssui features. Even if the user has secondary groups that do have permissions, only the primary role is evaluated. See bug: https://bugzilla.redhat.com/show_bug.cgi?id=1429650 Version-Release number of selected component (if applicable): 5.6.2, 5.7.2.0, 5.8.0 How reproducible: Steps to Reproduce: 1.Configure external auth 2. Setup user that has 2 groups evmgroup-operator and evmgroup-user 3. Log into classic UI to ensure primary group is set. This may not be necessary depending on how the API set's the primary group. 4. Log into ssui and it fails. Actual results: User fails to log in as evmgroup-operator gets assigned to be the primary group, and has no SSUI feature permissions. evmgroupo-user is not evaluated as a secondary group even though that user has permissions Expected results: Any valid group that has ssui feature permissions should be allowed to login. Additional info:
To complicate this even more, if a user is a member of multiple groups, and logs into the classic UI. When they log out, what their last current group is/was affects whether they can log into the SSUI. So they can get a successful login one time only to be told they don't have enough permissions another time.
https://bugzilla.redhat.com/show_bug.cgi?id=1445939 is a new related bug.
*** Bug 1486234 has been marked as a duplicate of this bug. ***