1639907 – "foreman-rake ldap:refresh_usergroups" via cli is not working as expected

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1639907 - "foreman-rake ldap:refresh_usergroups" via cli is not working as expected

Summary: "foreman-rake ldap:refresh_usergroups" via cli is not working as expected

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Users & Roles
Sub Component:
Version:	6.3.4
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	high
Target Milestone:	6.6.0
Assignee:	satellite6-bugs
QA Contact:	Radovan Drazny
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-10-16 21:52 UTC by Waldirio M Pinheiro
Modified:	2023-09-07 19:27 UTC (History)
CC List:	15 users (show)
Fixed In Version:	foreman-1.18.0.43-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1756043 1793640 (view as bug list)
Environment:
Last Closed:	2019-10-22 19:48:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
foreman-tail output (256.37 KB, text/plain) 2019-03-15 19:18 UTC, Mac Reid	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	26831	0	Normal	Closed	execute refresh_usergroups task as anonymous admin	2021-02-11 16:34:58 UTC

Description Waldirio M Pinheiro 2018-10-16 21:52:45 UTC

Description of problem:
After configure ldap auth and usergroup sync, I'm keeping the user sync feature *disabled* on ldap auth source conf, then it's expected to see, at the first login customer see *access denied* but after some time, the task *ldap:refresh_usergroups* via crontab should update this status but is not.


Version-Release number of selected component (if applicable):
6.3.4

How reproducible:
100%

Steps to Reproduce:
1. Configure ldap auth source
2. Configure user group
3. Login with the AD user
4. Execute the command *foreman-rake ldap:refresh_usergroups*

Actual results:
via webUI we are not seeing changes via user groups to that user

Expected results:
See the correct information related to User versus group

Additional info:

Comment 7 Mac Reid 2019-03-15 19:18:44 UTC

Created attachment 1544591 [details]
foreman-tail output

foreman-tail logs during foreman-rake call. I see this when I run the command line `/usr/sbin/foreman-rake ldap:refresh_usergroups` or when I authenticate with an LDAP user.

Comment 8 Mac Reid 2019-03-15 19:20:45 UTC

We are hitting this bug as well with Satellite 6.4.2. I added our debug logs as attachments.

Our LDAP auth works correctly, but the usergroup sync doesn't work when using the foreman-rake task or when logging into the web interface. The only way to refresh the usergroups is to use the web interface to manually refresh the usergroups one at a time.

Below is the direct output when running the foreman-rake test:


[root@satellite-test ~]# /usr/sbin/foreman-rake ldap:refresh_usergroups
/usr/share/foreman/lib/foreman.rb:8: warning: already initialized constant Foreman::UUID_REGEXP
/usr/share/foreman/lib/foreman.rb:8: warning: previous definition of UUID_REGEXP was here
/usr/share/foreman/lib/core_extensions.rb:182: warning: already initialized constant ActiveSupport::MessageEncryptor::DEFAULT_CIPHER
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activesupport-5.1.6/lib/active_support/message_encryptor.rb:22: warning: previous definition of DEFAULT_CIPHER was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/content_facet_host_extensions.rb:7: warning: already initialized constant Katello::Concerns::ContentFacetHostExtensions::ERRATA_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/content_facet_host_extensions.rb:7: warning: previous definition of ERRATA_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/content_facet_host_extensions.rb:14: warning: already initialized constant Katello::Concerns::ContentFacetHostExtensions::TRACE_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/content_facet_host_extensions.rb:14: warning: previous definition of TRACE_STATUS_MAP was here
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/subscription_facet_host_extensions.rb:13: warning: already initialized constant Katello::Concerns::SubscriptionFacetHostExtensions::SUBSCRIPTION_STATUS_MAP
/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.7.0.46/app/models/katello/concerns/subscription_facet_host_extensions.rb:13: warning: previous definition of SUBSCRIPTION_STATUS_MAP was here

Comment 10 Marek Hulan 2019-07-24 06:56:39 UTC

Waldirio, would it be possible to get access to your reproducer? I have a feeling this may be actually https://projects.theforeman.org/issues/26831, the patch would be trivial to test https://patch-diff.githubusercontent.com/raw/theforeman/foreman/pull/6772.diff if you or your customer is interested.

Mac, I looked at your logs which showed different error, looking more https://projects.theforeman.org/issues/24497, where it turned out user had netgroups enabled for non netgroups use. Can you double check that? But then most likely you will start hitting the same as above.

Comment 12 Marek Hulan 2019-07-24 10:49:11 UTC

Mac, also this is related to your logs https://projects.theforeman.org/issues/25840 - fixed in 6.5

Comment 13 Waldirio M Pinheiro 2019-07-24 12:19:09 UTC

Hello all

I'll test on 6.5 and will post the results here.

Thank you!

Best Regards
-- 
Waldirio M Pinheiro | Senior Software Maintenance Engineer

Comment 14 Sayan Das 2019-09-02 14:26:55 UTC

I have tested and can confirm that it's working on Satellite 6.6.0 Beta.

Comment 15 Ramesh Daryani 2019-09-02 15:59:11 UTC

We have recently updated our satellite and capsule servers to 6.5.2.1.  Kindly confirm when will version 6.6.0 be out for public use?

Regards,
Ramesh Daryani

Comment 16 Sayan Das 2019-09-04 08:46:09 UTC

Ramesh,

If you had seen the update from Marek Hulan, earlier i.e.
~~~~~~~~~~~~~~~~~~~~~~
I have a feeling this may be actually https://projects.theforeman.org/issues/26831, the patch would be trivial to test https://patch-diff.githubusercontent.com/raw/theforeman/foreman/pull/6772.diff if you or your customer is interested.
~~~~~~~~~~~~~~~~~~~~~~

This is already delivered on Satellite 6.6 Public beta and seems to be working as it was expected. We will test the patch "https://patch-diff.githubusercontent.com/raw/theforeman/foreman/pull/6772.diff" on Satellite 6.5 and update here if that gives me a positive result.

Meanwhile, Your patience will be appreciated.


Regards,

Sayan

Comment 20 Mike McCune 2019-09-12 20:35:21 UTC

This landed upstream in 1.22 which is the basis for 6.6. Moving ON_QA for verification.

Comment 23 Mike McCune 2019-09-20 17:37:23 UTC

*** Satellite 6.4.4 Hotfix Available ***

1) Download http://people.redhat.com/~mmccune/hotfix/HOTFIXRHBZ1639907.tar  to your Satellite

2) Unpack and Install:

tar cvf HOTFIXRHBZ1639907.tar
rpm -Uvh foreman*.rpm

3) restart:

satellite-maintain service restart

4) resume operations and verify ldap refresh functions properly

Comment 25 Radovan Drazny 2019-09-26 11:56:21 UTC

Tested on Satelllite 6.6 Snap 22 using the reproducer from the initial report and comment #1. 

hammer> user-group info --id 8
Id:                   8
Name:                 ADGroup2
Admin:                yes
Users:                

User groups:          

External user groups: 
    foobargroup
Roles:                

Created at:           2019/09/26 11:47:58
Updated at:           2019/09/26 11:47:58

["foreman-rake ldap:refresh_usergroups" run in other terminal. No errors in the terminal or a log.>

hammer> user-group info --id 8
Id:                   8
Name:                 ADGroup2
Admin:                yes
Users:                
    foobar
User groups:          

External user groups: 
    foobargroup
Roles:                

Created at:           2019/09/26 11:47:58
Updated at:           2019/09/26 11:47:58

The user group mapped to an external group on a AD server gets updated successfully after running foreman-rake ldap:refresh_usergroups. 

VERIFIED

Comment 27 Bryan Kearney 2019-10-22 19:48:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3172

Note You need to log in before you can comment on or make changes to this bug.