Bug 1531658 - Auth MIQLDAP AD - SSUI - When switching groups in SSUI to a user with group/role EvmGroup-desktop, user is logged out.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - Service
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: GA
Target Release: 5.10.0
Assignee: Allen W
QA Contact: Landon LaSmith
URL:
Whiteboard: auth:miqldap:ad:rbac
Depends On:
Blocks: 1533222
Reported: 2018-01-05 17:08 UTC by Matt Pusateri
Modified: 2019-02-11 14:01 UTC (History)

Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1533222
Environment:
Last Closed: 2019-02-11 14:01:24 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Attachments
Proposal (211.06 KB, image/png)
2018-01-10 17:09 UTC, Serena

Description Matt Pusateri 2018-01-05 17:08:17 UTC
Description of problem:
 When switching groups in SSUI to a user with group/role EvmGroup-desktop, user is logged out.  User should not be logged out as EvmGroup-desktop has SSUI permissions.

Version-Release number of selected component (if applicable):
5.9.0.15

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP for AD.
2. Log in with a user who belongs to multiple groups, one of which is EvmGroup-Desktop
3. Log in to SSUI with the user's current group set to some other valid SSUI group, then try to switch to EvmGroup-Desktop

Actual results:
User is logged out.

Expected results:
User should get appropriate entries based on EvmGroup-Desktop role.

Additional info:

Comment 3 Loic Avenel 2018-01-08 18:09:32 UTC
Can you retest it without using MiqLDAP?
In CF 4.6, you can add multiple Groups to one user

Comment 4 Allen W 2018-01-10 13:21:11 UTC
Ok I totally understand what's going on here.  The product features that role has assigned to it (as they pertain to the sui) include: 

  - sui_vm_details_view
  - sui_vm_console
  - sui_vm_web_console
  - sui_vm_start
  - sui_vm_stop
  - sui_vm_suspend
  - sui_orders_show
  - sui_orders_operations

Last release we decided that if a user couldn't view anything (either services, service catalogs, or orders) that they shouldn't be able to log in, because they couldn't view anything.  Seeing as this particular role is using the leaves of both the Services and Orders tab, I propose we add the following to the role

  - sui_services_view
  - sui_orders_show


Loic, as this modifies a role, need your ok to move forward with this plaaaaaaaan.

Comment 5 Allen W 2018-01-10 14:30:21 UTC
https://github.com/ManageIQ/manageiq/pull/16788

Well here's a pr to fix it.

Comment 6 Loic Avenel 2018-01-10 14:51:30 UTC
(In reply to Allen W from comment #4)
> Ok I totally understand what's going on here.  The product features that role
> has assigned to it (as they pertain to the sui) include: 
> 
>   - sui_vm_details_view
>   - sui_vm_console
>   - sui_vm_web_console
>   - sui_vm_start
>   - sui_vm_stop
>   - sui_vm_suspend
>   - sui_orders_show
>   - sui_orders_operations
> 
> Last release we decided that if a user couldn't view anything (either
> services, service catalogs, or orders) that they shouldn't be able to log
> in, because they couldn't view anything.  Seeing as this particular role is
> using the leaves of both the Services and Orders tab, I propose we add the
> following to the role
> 
>   - sui_services_view
>   - sui_orders_show
> 
> 
> Loic, as this modifies a role, need your ok to move forward with this
> plaaaaaaaan.

I am good with the change here... 


BUT I think also we have to rework with UX about what is happening when user changes to a Role without SUI privileges. I think it will be much better to show a "Warning" screen with a message, you have no privileges and offering the option to select another group...

Also, we may simply grey out groups that have no privileges.

@Serena, help?

Comment 7 Matt Pusateri 2018-01-10 14:51:59 UTC
I think one of the other issues is that when you switch to a user with no perms, there's no notification to the user either. A better user experience would be to give a flash message that the group has no permissions, and then maybe log you out?

Comment 8 Allen W 2018-01-10 16:39:25 UTC
Pr has been merged!

Comment 9 Serena 2018-01-10 17:09:58 UTC
Created attachment 1379623 [details]
Proposal

Comment 10 Serena 2018-01-10 17:10:42 UTC
I've attached a proposal ... essentially if a group does not have SUI access: 
- menu option is disabled
- warning icon is placed to the right of the group
- change the tooltip

Comment 11 Allen W 2018-01-10 17:36:04 UTC
Love it! The tricky part is going to be knowing the product features of those other roles 🤔 So we have a call in place that would yield this information (for posterity):

`GET /api/roles?attributes=miq_product_features&expand=resources`

BUT there is an issue.  I am a user whose current group has lesser permissions, I see this error

```json
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "Api::ForbiddenError"
  }
}
```

So I am unable to see the product features of other groups/roles. SUI would need help with this issue, or maybe there is another avenue through which this information can be communicated? (I know on auth we get the list of all a user's groups, maybe product features of those groups could be included) 

Also, are we disabling the button entirely? As in, even if a user wants to switch to that group they are unable to?
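
The access rule described in comment 4 (a group must be able to view at least one area before the SUI lets it in) and the menu proposal from comment 10 (disable the entry and flag it rather than silently logging the user out), written out as an added example. This is not code from the ManageIQ SSUI project: the `sui_*` feature identifiers come from this bug, but the group names other than EvmGroup-desktop, the `sui_service_catalogs_view` identifier, the data shape, and the assumption that per-group feature lists arrive with the authentication response (which comment 11 floats as a way around the 403 from `/api/roles`) are all constructed for the example.

```javascript
// Added example, not ManageIQ/SSUI project code. Models the SUI entry check
// from comment 4 and the "disable + warn" group menu from comment 10.
// Feature ids sui_* are from the bug; everything else is constructed.

// Top-level "view" features that grant SUI entry. The first two are the ones
// the PR adds to EvmGroup-desktop; the third is an assumed name, not from the page.
const SUI_ENTRY_FEATURES = new Set([
  "sui_services_view",
  "sui_orders_show",
  "sui_service_catalogs_view", // assumption
]);

// Can a role's feature list render anything in the SUI at all?
function canAccessSui(features) {
  return features.some((f) => SUI_ENTRY_FEATURES.has(f));
}

// Build the "change group" menu: every group is listed, but groups whose role
// cannot enter the SUI are disabled and carry a warning and changed tooltip.
function buildGroupMenu(groups) {
  return groups.map((g) => {
    const allowed = canAccessSui(g.features);
    return {
      name: g.name,
      enabled: allowed,
      warning: !allowed,
      tooltip: allowed
        ? `Switch to ${g.name}`
        : `${g.name} has no Self Service UI privileges`,
    };
  });
}

// Handle an actual switch request: refuse with a reason and keep the session
// intact instead of terminating it. Membership is checked before privileges so
// a user cannot probe features of groups they do not belong to.
function switchGroup(session, groups, targetName) {
  const target = groups.find((g) => g.name === targetName);
  if (!target || !session.groupNames.includes(targetName)) {
    return { ok: false, reason: "not a member of that group", session };
  }
  if (!canAccessSui(target.features)) {
    return { ok: false, reason: "group has no SUI privileges", session };
  }
  return { ok: true, reason: null, session: { ...session, currentGroup: targetName } };
}

// Constructed sample data. Assumes the per-group feature lists were delivered
// with the auth response, since /api/roles returns 403 for a lesser group.
const SAMPLE_GROUPS = [
  { name: "EvmGroup-desktop",
    // the list quoted in comment 4, plus sui_services_view as the PR proposes
    features: ["sui_vm_details_view", "sui_vm_console", "sui_vm_web_console",
               "sui_vm_start", "sui_vm_stop", "sui_vm_suspend",
               "sui_orders_show", "sui_orders_operations",
               "sui_services_view"] },
  { name: "EvmGroup-constructed-vmonly",            // constructed: VM ops, no view feature
    features: ["sui_vm_start", "sui_vm_stop"] },
  { name: "EvmGroup-constructed-nosui",             // constructed: no SUI features at all
    features: [] },
];

const SAMPLE_SESSION = {
  user: "constructed-user",
  groupNames: SAMPLE_GROUPS.map((g) => g.name),
  currentGroup: "EvmGroup-desktop",
};

// Run the menu build and one refused switch on the sample data.
function demo() {
  const menu = buildGroupMenu(SAMPLE_GROUPS);
  const result = switchGroup(SAMPLE_SESSION, SAMPLE_GROUPS, "EvmGroup-constructed-vmonly");
  return { menu, result };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample data the desktop group is enabled in the menu, the two constructed groups are disabled with a warning, and a switch to a group without SUI privileges is refused while `currentGroup` stays unchanged; that is the behaviour comments 7 and 10 ask for in place of the logout the reporter saw.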

Comment 13 Landon LaSmith 2018-07-02 17:14:43 UTC
VERIFIED in 5.10.0.2. I was able to enable ldap authentication and login to the SSUI with a user that is a member of multiple groups (including evmgroup-desktop). Changing the active group to/from evmgroup-desktop did not cause a logout and the nav menu was updated accordingly

