(ips):
>> In the user edit view, the below method is used to determine if a user's assigned roles should be read-only:
>>
>>     //
>>     // In general, a user with MANAGE_SECURITY can update assigned roles, with two exceptions:
>>     //
>>     // 1) an LDAP user's assigned roles cannot be modified except when mapping LDAP groups to LDAP roles,
>>     //    which is not done via this view.
>>     // 2) rhqadmin's roles cannot be changed - the superuser role is all rhqadmin should ever need.
>>     //
>>     private boolean areRolesReadOnly(Record record) {
>>         boolean isLdap = Boolean.valueOf(record.getAttribute(UsersDataSource.Field.LDAP));
>>         return (!this.loggedInUserHasManageSecurityPermission || (getRecordId() == SUBJECT_ID_RHQADMIN) || isLdap);
>>     }
>>
>> And the LDAP field is set to true if the user has no associated Principal. So even when LDAP is only being used for authentication, assigned roles of "LDAP users" are not editable. Of course, this could always be changed - we would just need to distinguish LDAP-authenticated versus LDAP-authorized, i.e.:
>>
>>     boolean isLdapAuthenticated = !hasPrincipal(subject); // LDAP users have no local Principal
>>     boolean isLdapAuthorized = isLdapAuthenticated && SYSTEM_SETTINGS.isLdapAuthorizationEnabled();

(ccrouch) This sounds like a bug, please raise a BZ. In order to support LDAP authentication-only use cases, administrators need a way to set a user's roles.
[master 726641] (http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commitdiff;h=726641) fixes this. We now use the following logic to determine if a user's assigned roles should be read-only in the user edit view:

    //
    // In general, a user with MANAGE_SECURITY can update assigned roles, with two exceptions:
    //
    // 1) if LDAP authorization is enabled, an LDAP-authenticated user's assigned roles cannot be modified directly;
    //    instead an "LDAP role" is automatically assigned to the user if the user is a member of one or more of the
    //    LDAP groups associated with that role; a user with MANAGE_SECURITY can assign LDAP groups to an LDAP role
    //    by editing the role
    // 2) rhqadmin's roles cannot be changed - the superuser role is all rhqadmin should ever need.
    //
    private boolean areRolesReadOnly(Record record) {
        if (!this.loggedInUserHasManageSecurityPermission) {
            return true;
        }
        boolean isLdapAuthenticatedUser = Boolean.valueOf(record.getAttribute(UsersDataSource.Field.LDAP));
        return (getRecordId() == SUBJECT_ID_RHQADMIN) || (isLdapAuthenticatedUser && this.ldapAuthorizationEnabled);
    }

QA, please test all the various permutations of loggedInUserHasManageSecurityPermission, isRhqAdmin, isLdapAuthenticatedUser, and ldapAuthorizationEnabled and make sure roles are read-only when and only when appropriate.
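The permutations QA is asked to cover above can be enumerated mechanically. The following is an added example, not code from the RHQ project or from the commenters: it models the pre-fix and post-fix read-only rules as pure functions over the four inputs named in the comment and walks every combination, so the one situation the fix changes is visible at a glance. The class name `RolesReadOnlyCheck`, the `Case` holder and its field names are assumptions made for this example; `isRhqAdmin` stands in for the view's `getRecordId() == SUBJECT_ID_RHQADMIN` check.

```java
// Added example (not RHQ project code): a stand-alone model of the read-only rule from
// commit 726641, exercised over every permutation QA was asked to cover. The class, field
// and method names are assumptions chosen for this example; RHQ's real view reads the same
// inputs from a Record and from the system settings.
import java.util.ArrayList;
import java.util.List;

public class RolesReadOnlyCheck {

    /** Inputs the user edit view decides on (one row of the truth table). */
    static final class Case {
        final boolean hasManageSecurity;
        final boolean isRhqAdmin;
        final boolean isLdapAuthenticated;
        final boolean ldapAuthorizationEnabled;

        Case(boolean hasManageSecurity, boolean isRhqAdmin,
             boolean isLdapAuthenticated, boolean ldapAuthorizationEnabled) {
            this.hasManageSecurity = hasManageSecurity;
            this.isRhqAdmin = isRhqAdmin;
            this.isLdapAuthenticated = isLdapAuthenticated;
            this.ldapAuthorizationEnabled = ldapAuthorizationEnabled;
        }
    }

    /** Pre-fix rule: every LDAP-authenticated user is locked, whether or not LDAP authorization is on. */
    static boolean areRolesReadOnlyBeforeFix(Case c) {
        return !c.hasManageSecurity || c.isRhqAdmin || c.isLdapAuthenticated;
    }

    /** Post-fix rule (commit 726641): LDAP users are locked only when LDAP authorization is enabled. */
    static boolean areRolesReadOnlyAfterFix(Case c) {
        if (!c.hasManageSecurity) {
            return true; // without MANAGE_SECURITY the roles are never editable
        }
        return c.isRhqAdmin || (c.isLdapAuthenticated && c.ldapAuthorizationEnabled);
    }

    /** Builds one Case from the low four bits of an index (16 permutations in total). */
    static Case caseFromBits(int bits) {
        return new Case((bits & 1) != 0, (bits & 2) != 0, (bits & 4) != 0, (bits & 8) != 0);
    }

    /** Returns the permutations on which the two rules disagree. */
    static List<Case> casesChangedByFix() {
        List<Case> changed = new ArrayList<>();
        for (int bits = 0; bits < 16; bits++) {
            Case c = caseFromBits(bits);
            if (areRolesReadOnlyBeforeFix(c) != areRolesReadOnlyAfterFix(c)) {
                changed.add(c);
            }
        }
        return changed;
    }

    public static void main(String[] args) {
        System.out.println("manageSec rhqadmin ldapAuth ldapAuthz | before after");
        for (int bits = 0; bits < 16; bits++) {
            Case c = caseFromBits(bits);
            System.out.printf("%-9b %-8b %-8b %-8b | %-6b %b%n",
                c.hasManageSecurity, c.isRhqAdmin, c.isLdapAuthenticated, c.ldapAuthorizationEnabled,
                areRolesReadOnlyBeforeFix(c), areRolesReadOnlyAfterFix(c));
        }
        List<Case> changed = casesChangedByFix();
        System.out.println(changed.size() + " permutation(s) changed by the fix");
    }
}
```

Running `main` prints the 16-row table followed by `1 permutation(s) changed by the fix`: the only row where the two rules differ is a user with MANAGE_SECURITY editing a non-rhqadmin, LDAP-authenticated user while LDAP authorization is disabled, which is exactly the authentication-only case ccrouch asked to have unlocked. Every other row, including all rows without MANAGE_SECURITY and all rhqadmin rows, stays read-only under both rules.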
reducing severity as this is not in the jon 3.0 branch.
ips: can you add the link that shows this is on the jon 3 branch? thx.
It's the same commit. Commit 726641 went in to master on 10/19, before the release_jon3.x branch existed. The release_jon3.x branch was branched off the RHQ_4_2_0 tag, which was created off master on 10/28.
Verified on build#80 (Version: 4.2.0.JON300-SNAPSHOT Build Number: 3e04952)

When LDAP authorization is enabled:
A user with MANAGE_SECURITY permissions can update assigned roles of users except rhqadmin and LDAP-authenticated users in the edit user view. A user with MANAGE_SECURITY can assign LDAP groups to an LDAP role by editing the role.

When LDAP authorization is disabled in Administration->System Settings:
A user with MANAGE_SECURITY permissions can update assigned roles of an LDAP-authenticated user in the edit user view.
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE