Description of problem: Auth - MIQLDAP External Auth - SSUI web interface hangs when switching to group that doesn't have SSUI permissions Version-Release number of selected component (if applicable): 5.8.1.0 How reproducible: Steps to Reproduce: 1. Configure either MIQLDAP or External Auth for any provider. I tested MIQLDAP(AD, FreeIPA, Openldap) 2. You need a user with 2 groups. One group with SSUI permissions set as your current group, Another group without SSUI permissions (evm-Operator as an example) 3.Log into the SSUI with the user who's current group has permissions 4. Try to switch to the other group that doesn't have permissions Actual results: Page reloads and a thin blue line loads across the top of the page and then the page hangs. Expected results: User should get a better page telling them that the group doesn't have perms, or that group with invalid perms should be grayed out and the user prevented from trying to switch. I'm not sure what workflow is better. Additional info: Found testing: https://bugzilla.redhat.com/show_bug.cgi?id=1459257
Can you please provide an appliance where we can see this behavior?
Verified, thinking if a user doesn't have permissions we log them out throw the "you don't have permissions" alert. This might be a UX question?
Discussion here going down a little bit is indicating desired behavior be not showing groups who cannot use SUI, gonna be course of action for this bz: https://gitter.im/ManageIQ/manageiq-ui-service?at=595a4a7b329651f46e4ad9ec
A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/148246535
OK SO update on this... I understand the original issue, we don't handle state changes that aren't the result of a 401 gracefully (this is a 403) BUT found a new issue, sui isn't actually changing the group, ya can click that button all ya want, but we're keeping the same user group, looks to be there is a client side header modification, but no actually api talkly talky happening... looking into how we can fix group switching in addition to handling the original bz
While you're looking at group switching, I'll add that I've run across (but wanted to test more), that if a user has two different groups, but those groups map to the same role, they can't switch groups. Probably related to what you've mentioned in Comment 7.
This gets super tricky, users who have multiple groups but no edit user permission? SUPER tricky... not going to be the quick fix I had hoped for.
Ok so after doing some intense watching... it appears that the group DOES in fact change, just not at the expected pace (on value select) so gonna refocus these efforts, take the easy way out and fix that poorly handled unsupported group transition
https://github.com/ManageIQ/manageiq-ui-service/pull/833
Chris Kacerguis added a comment in Pivotal Tracker: Commit by Allen Wight https://github.com/ManageIQ/manageiq-ui-service/commit/032881c15983d2440cde7bab91f14055a06fe968 On statechange 401 or 403 we now logout user [Fixes #148246535]
*** Bug 1478170 has been marked as a duplicate of this bug. ***
I need a list of roles that have SSUI perms, initial testing fails and without a list of valid roles, I'm blocked.
Work to make the roles that have sui access more explicit is here: https://github.com/ManageIQ/manageiq/pull/16329 current state, which is not accurate as the sui product features map to their own product feature subset is here: https://github.com/ManageIQ/manageiq/blob/master/db/fixtures/miq_user_roles.yml
Verified on 5.9.0.11 Ext Auth FreeIPA/AD/OpenLDAP
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0380