Bug 746347 - used detail view: assigned roles cannot be updated on an LDAP-authenticated user, even when LDAP authorization is not enabled in System Settings
used detail view: assigned roles cannot be updated on an LDAP-authenticated u...
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core UI (Show other bugs)
4.1
Unspecified Unspecified
medium Severity medium (vote)
: ---
: ---
Assigned To: Ian Springer
Mike Foley
:
Depends On:
Blocks: jon3 jon30-sprint8
  Show dependency treegraph
 
Reported: 2011-10-14 17:06 EDT by Ian Springer
Modified: 2013-08-05 20:41 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-07 14:24:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ian Springer 2011-10-14 17:06:13 EDT
(ips):
>> In the user edit view, the below
>> method is used to determine if a user's assigned roles should be
>> read-only:
>>
>>     //
>>     // In general, a user with MANAGE_SECURITY can update assigned
>> roles, with two exceptions:
>>     //
>>     //    1) an LDAP user's assigned roles cannot be modified
>>     except
>> when mapping LDAP groups to LDAP roles,
>>     //       which is not done via this view.
>>     //    2) rhqadmin's roles cannot be changed - the superuser
>>     role
>> is all rhqadmin should ever need.
>>     //
>>     private boolean areRolesReadOnly(Record record) {
>>         boolean isLdap =
>> Boolean.valueOf(record.getAttribute(UsersDataSource.Field.LDAP));
>>         return (!this.loggedInUserHasManageSecurityPermission ||
>> (getRecordId() == SUBJECT_ID_RHQADMIN) || isLdap);
>>     }
>>
>> And the LDAP field is set to true if the user has no associated
>> Principal. So even when LDAP is only being used for authentication,
>> assigned roles of "LDAP users" are not editable. Of course, this
>> could
>> always be changed - we would just need to distinguish
>> LDAP-authenticated versus LDAP-authorized, i.e.:
>>
>> boolean isLdapAuthenticated = hasPrincipal(subject);
>> boolean isLdapAuthorized = isLdapAuthenticated &&
>> SYSTEM_SETTINGS.isLdapAuthorizationEnabled()


(ccrouch) This sounds like a bug, please raise a BZ. In order to support LDAP authentication only usecases, administrators need a way to set a user's roles.
Comment 1 Ian Springer 2011-10-19 11:53:59 EDT
[master 726641] (http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commitdiff;h=726641) fixes this. We now use the following logic to determine if a user's assigned roles should be read-only in the user edit view:

    //
    // In general, a user with MANAGE_SECURITY can update assigned roles, with two exceptions:
    //
    //    1) if LDAP authorization is enabled, an LDAP-authenticated user's assigned roles cannot be modified directly;
    //       instead an "LDAP role" is automatically assigned to the user if the user is a member of one or more of the
    //       LDAP groups associated with that role; a user with MANAGE_SECURITY can assign LDAP groups to an LDAP role
    //       by editing the role
    //    2) rhqadmin's roles cannot be changed - the superuser role is all rhqadmin should ever need.
    //
    private boolean areRolesReadOnly(Record record) {
        if (!this.loggedInUserHasManageSecurityPermission) {
            return true;
        }
        boolean isLdapAuthenticatedUser = Boolean.valueOf(record.getAttribute(UsersDataSource.Field.LDAP));
        return (getRecordId() == SUBJECT_ID_RHQADMIN) || (isLdapAuthenticatedUser && this.ldapAuthorizationEnabled);
    }

QA, please test all the various permutations of loggedInUserHasManageSecurityPermission, isRhqAdmin, isLdapAuthenticatedUser, and ldapAuthorizationEnabled and make sure roles are read-only when only when appropriate.
Comment 2 Mike Foley 2011-11-08 15:28:01 EST
reducing severity as this is not in the jon 3.0 branch.
Comment 3 Mike Foley 2011-11-08 15:56:34 EST
ips:  can you add the link that shows this is on the jon 3 branch?  thx.
Comment 4 Ian Springer 2011-11-10 10:45:49 EST
It's the same commit. Commit 726641 went in to master on 10/19, before the release_jon3.x branch existed. The release_jon3.x branch was branched off the RHQ_4_2_0 tag, which was created off master on 10/28.
Comment 5 Sunil Kondkar 2011-11-15 05:55:03 EST
Verified on build#80 (Version: 4.2.0.JON300-SNAPSHOT Build Number: 3e04952)

When LDAP authorization is enabled : A user with MANAGE_Security permissions can update assigned roles of users except rhqadmin and LDAP authenticated users in edit user view. A user with MANAGE_SECURITY can assign LDAP groups to an LDAP role by editing the role.

When LDAP authorization is disabled in Administration->System Settings: A user with MANAGE_Security permissions can update assigned roles of LDAP authenticated user in edit user view.
Comment 6 Mike Foley 2012-02-07 14:24:24 EST
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE

Note You need to log in before you can comment on or make changes to this bug.