Bug 1443800 - Authentication Self_Service UI externalauth/miqldap Lack of user perms clarification
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
Target Release: 5.8.0
Assignee: Gregg Tanzillo
QA Contact: Matt Pusateri
Whiteboard: auth:externalauth:miqldap:ssui
Depends On: 1440931
Reported: 2017-04-20 00:38 UTC by Satoe Imaishi
Modified: 2017-05-31 14:55 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1440931
Last Closed: 2017-05-31 14:55:32 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:1367 | normal | SHIPPED_LIVE | Moderate: CFME 5.8.0 security, bug, and enhancement update | 2017-05-31 18:16:03 UTC

Comment 2 CFME Bot 2017-04-20 00:43:04 UTC
New commit detected on ManageIQ/manageiq-ui-service/fine:

commit e93af55ec6b01e815dbd54d75c240754c83a0009
Author:     Chris Kacerguis <chriskacerguis@users.noreply.github.com>
AuthorDate: Wed Apr 19 16:14:37 2017 -0500
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Wed Apr 19 20:38:49 2017 -0400

    Merge pull request #693 from AllenBW/bz/1440931-block-unpriveleged-user-login
    BZ#1440931-Refuse login for users with only dashboard role
    (cherry picked from commit 8a7e8ca887df68340df218212e6847909007f3d5)

 client/app/core/rbac.service.js         | 3 +--
 client/app/core/session.service.spec.js | 5 -----
 2 files changed, 1 insertion(+), 7 deletions(-)

Comment 3 Matt Pusateri 2017-04-26 21:07:07 UTC
Validated in MIQLDAP (FreeIPA)

Comment 4 Matt Pusateri 2017-05-16 21:15:43 UTC
Validated in External Auth FreeIPA,AD,OpenLDAP

Comment 5 Matt Pusateri 2017-05-18 16:28:57 UTC
I'm reopening this. While the user who doesn't have the correct perms now gets a proper error message in the UI ("Error! You do not have permission to view the Service UI. Contact your administrator to update your group permissions."), the evm.log shows that they have been authorized successfully, which is not true.

The evm.log should show that the user didn't have proper permissions.

[----] I, [2017-05-18T12:04:53.961002 #12144:11c7004]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [test-user5] - User test-user5 successfully validated by External httpd
[----] I, [2017-05-18T12:04:53.979072 #12144:11c7004]  INFO -- : MIQ(MiqTask#update_status) Task: [176] [Active] [Ok] [Authorizing]
[----] I, [2017-05-18T12:04:54.011490 #12144:11c7004]  INFO -- : MIQ(Authenticator::Httpd#authorize) Authorized User: [test-user5]
[----] I, [2017-05-18T12:04:54.011710 #12144:11c7004]  INFO -- : MIQ(MiqTask#update_status) Task: [176] [Finished] [Ok] [User authorized successf
[----] I, [2017-05-18T12:04:54.034520 #12144:11c7004]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [test-user5] - Authentication successful for user test-user5

Specifically this line:

[----] I, [2017-05-18T12:04:54.011710 #12144:11c7004]  INFO -- : MIQ(MiqTask#update_status) Task: [176] [Finished] [Ok] [User authorized successf

Which is not true. They are not authorized.
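
Added example (not part of the bug report and not ManageIQ code): a small parser for the evm.log lines quoted in Comment 5 that groups them by process/thread ID and reports what the log itself records for each login. The names `parse` and `login_outcomes` are hypothetical, and the grouping assumes one login per thread in the window examined.

```python
import re

# Log lines copied from Comment 5 (terminal-wrapped lines rejoined; the
# fourth line is truncated in the report and is kept that way).
SAMPLE = """\
[----] I, [2017-05-18T12:04:53.961002 #12144:11c7004]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [test-user5] - User test-user5 successfully validated by External httpd
[----] I, [2017-05-18T12:04:53.979072 #12144:11c7004]  INFO -- : MIQ(MiqTask#update_status) Task: [176] [Active] [Ok] [Authorizing]
[----] I, [2017-05-18T12:04:54.011490 #12144:11c7004]  INFO -- : MIQ(Authenticator::Httpd#authorize) Authorized User: [test-user5]
[----] I, [2017-05-18T12:04:54.011710 #12144:11c7004]  INFO -- : MIQ(MiqTask#update_status) Task: [176] [Finished] [Ok] [User authorized successf
[----] I, [2017-05-18T12:04:54.034520 #12144:11c7004]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [test-user5] - Authentication successful for user test-user5
""".splitlines()

LINE = re.compile(
    r"^\[----\] \w, \[(?P<ts>\S+) #(?P<pid>\d+):(?P<tid>[0-9a-f]+)\]\s+"
    r"(?P<level>\w+) -- : (?:<(?P<audit>\w+)> )?MIQ\((?P<src>[^)]+)\) (?P<msg>.*)$"
)
USER = re.compile(r"(?:userid: |Authorized User: )\[(?P<user>[^\]]+)\]")
TASK = re.compile(r"Task: \[(\d+)\] \[(\w+)\] \[(\w+)\]")


def parse(line):
    """Return the fields of one evm.log line, or None if it does not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def login_outcomes(lines):
    """Group lines by (pid, tid) and summarise what the log records per user."""
    threads = {}
    for rec in filter(None, map(parse, lines)):
        t = threads.setdefault(
            (rec["pid"], rec["tid"]),
            {"user": None, "audit": [], "authorized": False, "task": []},
        )
        u = USER.search(rec["msg"])
        if u:
            t["user"] = u["user"]          # MiqTask lines carry no user name
        if rec["audit"]:
            t["audit"].append(rec["audit"])  # e.g. the <AuditSuccess> tag
        if rec["src"].endswith("#authorize"):
            t["authorized"] = True
        k = TASK.search(rec["msg"])
        if k:
            t["task"].append((k[2], k[3]))  # (state, status) of the MiqTask
    return {t["user"]: t for t in threads.values() if t["user"]}


if __name__ == "__main__":
    print(login_outcomes(SAMPLE))
```

For test-user5 the result holds two AuditSuccess tags, `authorized` set to True and a Finished/Ok task, so a detection rule built only on these evm.log lines would count the denied Service UI login as a success.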

Comment 7 Matt Pusateri 2017-05-18 20:12:39 UTC
Validated that the user gets an error message in SSUI in External Auth FreeIPA,AD,OpenLDAP

Comment 9 errata-xmlrpc 2017-05-31 14:55:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

