Bug 1456873 - Backend API doesn't authorize properly, SSUI works around it.
Summary: Backend API doesn't authorize properly, SSUI works around it.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: cfme-future
Assignee: Joe Vlcek
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:externalauth
Depends On:
Blocks:
 
Reported: 2017-05-30 15:09 UTC by Matt Pusateri
Modified: 2018-01-10 20:58 UTC
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-09 21:30:18 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:



Description Matt Pusateri 2017-05-30 15:09:46 UTC
Description of problem:
The backend API shows users as authenticated and authorized, when they potentially shouldn't be and the SSUI team works around it. See bug: https://bugzilla.redhat.com/show_bug.cgi?id=1443800#c5

Version-Release number of selected component (if applicable):
5.8.0

How reproducible:


Steps to Reproduce:
1. Configure External Auth
2. Try to log in to SSUI with a user with invalid perms.

Actual results:
evm.log shows user as authorized

Expected results:
User shouldn't be authorized.

Additional info:
SSUI doesn't handle groups well which makes this problem hard to reproduce.
https://bugzilla.redhat.com/show_bug.cgi?id=1451891
https://bugzilla.redhat.com/show_bug.cgi?id=1452320
https://bugzilla.redhat.com/show_bug.cgi?id=1421878
https://bugzilla.redhat.com/show_bug.cgi?id=1437682

Comment 2 Gregg Tanzillo 2017-06-01 21:36:12 UTC

*** This bug has been marked as a duplicate of bug 1391690 ***

Comment 3 Matt Pusateri 2017-06-02 14:04:31 UTC
I'm not sure it's a duplicate, related but not necessarily a duplicate. BZ 1391690 says the logging is wrong. This bug is to address the fact that the API doesn't authorize correctly. Now maybe BZ 1391690 needs more wording to reflect it's not an error in what we write to the logs.

Comment 4 Matt Pusateri 2017-06-02 14:13:11 UTC
Per discussion with gtanzillo, this bug is still valid. It's to fix the issue where the API doesn't authorize properly, whereas bug BZ 1391690 is to fix incorrect logging.

Comment 5 Matt Pusateri 2017-06-02 14:28:57 UTC
Chris, can someone from SSUI add info about what they debugged with the API not working in bug https://bugzilla.redhat.com/show_bug.cgi?id=1443800 Alberto needs more info.

Comment 6 Chris Kacerguis 2017-06-02 14:43:30 UTC
Allen - looks like you did the original fix for this, could you please provide the info for Matt?

Comment 7 Allen W 2017-06-02 14:52:06 UTC
I wouldn't call it a fix... all I did was say if the only product feature a user has is to see the SUI dashboard they aren't logged in... even if the credentials are correct (as was requested by the powers that be) https://github.com/ManageIQ/manageiq-ui-self_service/commit/e93af55ec6b01e815dbd54d75c240754c83a0009

Comment 8 Joe Vlcek 2017-06-21 18:56:47 UTC
When you reproduce this, Matt, please provide the API log.

Comment 9 Joe Vlcek 2017-06-21 19:00:16 UTC
and a dump of the database

Comment 10 Joe Vlcek 2017-11-09 21:30:18 UTC
There has been no activity on the NEEDINFO request for this BZ for months.
Additionally the SUI has been updated with new product features that change
how it works.

I'm going to close this as WILLNOTFIX

If this issue or anything similar is still observed please open a new BZ.

Comment 11 Matt Pusateri 2018-01-10 20:58:42 UTC
clearing the needs info.

