Bug 788933 - Imported users using the Remote API end up having no password [NEEDINFO]
Imported users using the Remote API end up having no password
Product: RHQ Project
Classification: Other
Component: CLI (Show other bugs)
All All
medium Severity medium (vote)
: ---
: ---
Assigned To: RHQ Project Maintainer
Mike Foley
Depends On:
  Show dependency treegraph
Reported: 2012-02-09 05:29 EST by Romain PELISSE
Modified: 2015-02-09 07:06 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-02-09 07:06:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
hrupp: needinfo? (belaran)

Attachments (Terms of Use)

  None (edit)
Description Romain PELISSE 2012-02-09 05:29:26 EST
Description of problem:

Using the Remote API, we build a Java Application (a CLI) to export the Roles and the Users from JON into an simple JSON file. We then import those Users/Roles into other RHQ instance.

The issue we encounter is that we cannot export password - which somehow make sense to a certain extent, but when we import the "password-less" users, they end up having actually no password - meaning that anybody providing the username and a random password can log as the user. 

Version-Release number of selected component (if applicable):

JBoss Operations Network<http://rhq-project.org/>
Version: 3.0.0.GA
Build Number: e23441b:85320d2

GWT Version: 2.0.4
SmartGWT Version: 2.4

(not sure how this map to RHQ version)

How reproducible:

I cannot (yet) disclose our code, but I guess it fairly easily reproducible - perhaps using the CLI provided by JON.

Steps to Reproduce:
1.Import an user (without any password)
2.Try to log as this user with a random password

Actual results:

You're logged in !

Expected results:

My expectation here was that the user will be somehow "locked" and that he will have to reset his password (or requesting it by email).

Additional info:
Comment 1 Lukas Krejci 2012-02-13 07:45:19 EST
A workaround is to import the subjects with the "factive" property set to false - i.e. such subjects will not be enabled after import.

I tried guessing the repro steps for this but I wasn't successful (just copy&pasting the CLI commandline interaction):

rhqadmin@localhost:7080$ var newUser = new Subject

rhqadmin@localhost:7080$ newUser.name = "newUser"

rhqadmin@localhost:7080$ newUser.factive = true

rhqadmin@localhost:7080$ newUser.firstName = "a"

rhqadmin@localhost:7080$ newUser.lastName = "b"

rhqadmin@localhost:7080$ newUser.emailAddress = "a@b.com"

rhqadmin@localhost:7080$ SubjectManager.createSubject(newUser)
             emailAddress: a@b.com
                  factive: true
                firstName: a
                  fsystem: false
                       id: 10011
                 lastName: b
                ldapRoles: []
                     name: newUser
                    roles: []

This will create a new (enabled) subject inside RHQ. In GUI, I couldn't log in using the username provided (it won't let me in with no password, and entering a random password wouldn't let me in).

The next step in the normal workflow is to create a principal that would provide the authentication to the subject.

I tried these:
rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", null)       
sun.org.mozilla.javascript.internal.WrappedException: Wrapped javax.ejb.EJBException: [Warning] java.lang.NullPointerException 
SubjectManager.createPrincipal("newUser", null) 

rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "")

This succeeded but the user wasn't able to log in because the UI won't let the empty password through.

rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "password1")

This succeeded and the user was then able to log in only with the provided username and password.
Comment 2 Mike Foley 2012-02-13 11:59:36 EST
per triage 2/13/2012 (asantos, crouch, foley, loleary)
Comment 3 Heiko W. Rupp 2012-06-21 05:39:20 EDT
how do you import the users? Can you show that part of the code?
Comment 4 Romain PELISSE 2012-06-22 07:39:55 EDT
Hi Heiko,

Sorry I categorized this as CLI, but in fact, as I wrote I'm using the Remote API, so I do the import from a Java client. I may able to push to code to github. I'll let you know as soon as it is done.
Comment 5 Heiko W. Rupp 2013-07-01 08:36:26 EDT
We can not require an importer to set the "factive" property to disable bad behavior, but have the importer to explicitly enable that.

Romain, can you please check the status of the code with RHQ 4.8 and/or JON 312?
Comment 6 Romain Pelisse 2015-02-09 07:06:54 EST
Out of date, I never had the opportunity to come back to the issue, and not sure there is a real need anyway for the feature.

Note You need to log in before you can comment on or make changes to this bug.