This appliance appears to be unable to connect to the LDAP server.

[----] E, [2018-11-06T16:41:38.020122 #2255:105f93c] ERROR -- : [Net::LDAP::Error]: unable to establish a connection to server  Method:[block in method_missing]
[----] E, [2018-11-06T16:41:38.025584 #2255:105f93c] ERROR -- : /var/www/miq/vmdb/lib/miq_ldap.rb:96:in `resolve_host'
/var/www/miq/vmdb/lib/miq_ldap.rb:48:in `initialize'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:39:in `new'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:39:in `miq_ldap'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:66:in `normalize_username'
/var/www/miq/vmdb/app/models/authenticator/base.rb:54:in `authenticate'
/var/www/miq/vmdb/app/models/user.rb:160:in `authenticate'
/opt/rh/cfme-gemset/bundler/gems/cfme-api-ebd1e44a7a7d/app/controllers/api/base_controller/authentication.rb:20:in `block in require_api_user_or_token'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/http_authentication.rb:97:in `authenticate'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/http_authentication.rb:87:in `authenticate_with_http_basic'
/opt/rh/cfme-gemset/bundler/gems/cfme-api-ebd1e44a7a7d/app/controllers/api/base_controller/authentication.rb:20:in `require_api_user_or_token'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:382:in `block in make_lambda'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:150:in `block (2 levels) in halting_and_conditional'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/callbacks.rb:12:in `block (2 levels) in <module:Callbacks>'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:151:in `block in halting_and_conditional'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `block in call'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `each'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:454:in `call'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:101:in `__run_callbacks__'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:750:in `_run_process_action_callbacks'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:90:in `run_callbacks'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/callbacks.rb:19:in `process_action'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/rescue.rb:20:in `process_action'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications.rb:164:in `block in instrument'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/notifications.rb:164:in `instrument'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal/params_wrapper.rb:248:in `process_action'
/opt/rh/cfme-gemset/gems/activerecord-5.0.6/lib/active_record/railties/controller_runtime.rb:18:in `process_action'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/abstract_controller/base.rb:126:in `process'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal.rb:190:in `dispatch'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_controller/metal.rb:262:in `dispatch'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:32:in `serve'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:39:in `block in serve'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:26:in `each'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/journey/router.rb:26:in `serve'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/routing/route_set.rb:727:in `call'
/opt/rh/cfme-gemset/gems/secure_headers-3.0.3/lib/secure_headers/middleware.rb:10:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/etag.rb:25:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/conditional_get.rb:25:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/head.rb:12:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:232:in `context'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:226:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/cookies.rb:613:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:97:in `__run_callbacks__'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/callbacks.rb:90:in `run_callbacks'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/callbacks.rb:36:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
/opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/rack/logger.rb:36:in `call_app'
/opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/rack/logger.rb:26:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/request_id.rb:24:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/method_override.rb:22:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/runtime.rb:22:in `call'
/opt/rh/cfme-gemset/gems/activesupport-5.0.6/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
/opt/rh/cfme-gemset/gems/actionpack-5.0.6/lib/action_dispatch/middleware/executor.rb:12:in `call'
/opt/rh/cfme-gemset/gems/rack-2.0.3/lib/rack/sendfile.rb:111:in `call'
/opt/rh/cfme-gemset/gems/railties-5.0.6/lib/rails/engine.rb:522:in `call'
/opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/configuration.rb:232:in `call'
/opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:578:in `handle_request'
/opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:415:in `process_client'
/opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/server.rb:275:in `block in run'
/opt/rh/rh-ruby23/root/usr/share/gems/gems/puma-3.7.1/lib/puma/thread_pool.rb:120:in `block in spawn_thread'

==> log/api.log <==
[----] E, [2018-11-06T16:41:38.039665 #2255:105f93c] ERROR -- : MIQ(Api::AuthController.api_error) API Error
[----] E, [2018-11-06T16:41:38.039805 #2255:105f93c] ERROR -- : MIQ(Api::AuthController.api_error) MiqException::MiqEVMLoginError: unable to establish a connection to server
[----] I, [2018-11-06T16:41:38.051218 #2255:105f93c]  INFO -- : MIQ(Api::AuthController.log_request) Response:       {:completed_at=>"2018-11-06 21:41:38 UTC", :size=>"0.129 KBytes", :time_taken=>"127.338 Seconds", :status=>401}

==> log/production.log <==
[----] I, [2018-11-06T16:41:38.051770 #2255:105f93c]  INFO -- : Completed 401 Unauthorized in 127340ms (Views: 8.4ms | ActiveRecord: 0.0ms)

I created a catalog, catalog item and dialog in the remote region.  They replicated up to the global as expected.  I added the user in the remote region to a group that has permissions to see requests (previously this user didn't have the permission, so API calls would fail).  Now from the global, the user can order the service and will be redirected to the requests page where they can see the newly created request.  Did I miss anything?

At this point we were trying to mimic the customer's environment and users. Based on the fact the customer is saying they are on the request screen and they do not see the request, I am assuming they are within a group that has these permissions.


I am requesting a remote sessions with the customer to verify the information they are giving us about the user and groups is correct.

Tuan

Hi Tuan,

Any luck reproducing the customers problem?

I am still waiting on customer for a reproducer and remote session.

https://github.com/ManageIQ/manageiq/pull/18245

https://github.com/ManageIQ/manageiq/pull/18257

New commits detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/c7d2cdc1622ad8bf4191ae2120fc438e189fecb9
commit c7d2cdc1622ad8bf4191ae2120fc438e189fecb9
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Wed Nov 28 17:02:47 2018 -0500
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Wed Nov 28 17:02:47 2018 -0500

    Support multiple regions querying user and group owned miq_requests

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169

 app/models/miq_group.rb | 8 +
 app/models/miq_request.rb | 4 +-
 app/models/user.rb | 8 +
 3 files changed, 18 insertions(+), 2 deletions(-)


https://github.com/ManageIQ/manageiq/commit/b1f7a3d49464a1b1ed5691594c5e1043c4b27287
commit b1f7a3d49464a1b1ed5691594c5e1043c4b27287
Author:     Keenan Brock <keenan>
AuthorDate: Mon Dec  3 12:00:33 2018 -0500
Commit:     Keenan Brock <keenan>
CommitDate: Mon Dec  3 12:00:33 2018 -0500

    Specs for multiple regions querying user and group owned miq_requests

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169

 spec/models/miq_group_spec.rb | 13 +
 spec/models/miq_request_spec.rb | 28 +
 spec/models/user_spec.rb | 13 +
 3 files changed, 54 insertions(+)

New commit detected on ManageIQ/manageiq/hammer:

https://github.com/ManageIQ/manageiq/commit/740e6b551760f071217fe25b5ad1296a2a3d9d37
commit 740e6b551760f071217fe25b5ad1296a2a3d9d37
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Mon Dec  3 14:50:54 2018 -0500
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Mon Dec  3 14:50:54 2018 -0500

    Merge pull request #18257 from kbrock/fix-miq_request-ownership

    Fix miq request ownership

    (cherry picked from commit aa6fba547ce4fc19e58869e282f836eeb08c44ec)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1647169

 app/models/miq_group.rb | 8 +
 app/models/miq_request.rb | 4 +-
 app/models/user.rb | 8 +
 spec/models/miq_group_spec.rb | 13 +
 spec/models/miq_request_spec.rb | 28 +
 spec/models/user_spec.rb | 13 +
 6 files changed, 72 insertions(+), 2 deletions(-)

Hello Niyaz,

The high level of the issue:
An MiqRequest is made in the global region, it is sent to the remote region to actually perform the request. (since the global region is just a rollup reporting region)
For some reason or another, the requester can see the request in the remote region, but not the global region.

Create a master/rollup region ('G')
Create a remote region ('R')
Create a non-admin user ('U') in regions 'G' and 'R' - both must have the same name.
Create an non-admin user ('U2') in region 'G'
Create a catalog item ('C') in the remote region
Ensure U has privilege to see/execute C in region R and G.
Ensure U2 has privilege to see/execute C in region R and G.

Login to the appliance for region G as user U
Run the service catalog item C to create an miq request. 'M'


Login to R as U, and you CAN see the request 'M'
Login to G as U, and you CAN see 'M'.      (This is the fix)
Login to G as U2, and you CAN NOT see 'M'. (This verifies that you configured it correctly)

Hello Niyaz,

Not using ldap: good

I changed role2 privileges:

Access Restriction for Services, VMs, and Templates = Only User or Group Owned.

This means you can only see your own requests.

user1 could see the request
u could not

So we know we were doing some filtering based upon the user.

This looks good to me.