Red Hat Bugzilla – Bug 788933
Imported users using the Remote API end up having no password
Last modified: 2015-02-09 07:06:54 EST
Description of problem:
Using the Remote API, we build a Java Application (a CLI) to export the Roles and the Users from JON into an simple JSON file. We then import those Users/Roles into other RHQ instance.
The issue we encounter is that we cannot export password - which somehow make sense to a certain extent, but when we import the "password-less" users, they end up having actually no password - meaning that anybody providing the username and a random password can log as the user.
Version-Release number of selected component (if applicable):
JBoss Operations Network<http://rhq-project.org/>
Build Number: e23441b:85320d2
GWT Version: 2.0.4
SmartGWT Version: 2.4
(not sure how this map to RHQ version)
I cannot (yet) disclose our code, but I guess it fairly easily reproducible - perhaps using the CLI provided by JON.
Steps to Reproduce:
1.Import an user (without any password)
2.Try to log as this user with a random password
You're logged in !
My expectation here was that the user will be somehow "locked" and that he will have to reset his password (or requesting it by email).
A workaround is to import the subjects with the "factive" property set to false - i.e. such subjects will not be enabled after import.
I tried guessing the repro steps for this but I wasn't successful (just copy&pasting the CLI commandline interaction):
rhqadmin@localhost:7080$ var newUser = new Subject
rhqadmin@localhost:7080$ newUser.name = "newUser"
rhqadmin@localhost:7080$ newUser.factive = true
rhqadmin@localhost:7080$ newUser.firstName = "a"
rhqadmin@localhost:7080$ newUser.lastName = "b"
rhqadmin@localhost:7080$ newUser.emailAddress = "firstname.lastname@example.org"
This will create a new (enabled) subject inside RHQ. In GUI, I couldn't log in using the username provided (it won't let me in with no password, and entering a random password wouldn't let me in).
The next step in the normal workflow is to create a principal that would provide the authentication to the subject.
I tried these:
rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", null)
rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "")
This succeeded but the user wasn't able to log in because the UI won't let the empty password through.
rhqadmin@localhost:7080$ SubjectManager.createPrincipal("newUser", "password1")
This succeeded and the user was then able to log in only with the provided username and password.
per triage 2/13/2012 (asantos, crouch, foley, loleary)
how do you import the users? Can you show that part of the code?
Sorry I categorized this as CLI, but in fact, as I wrote I'm using the Remote API, so I do the import from a Java client. I may able to push to code to github. I'll let you know as soon as it is done.
We can not require an importer to set the "factive" property to disable bad behavior, but have the importer to explicitly enable that.
Romain, can you please check the status of the code with RHQ 4.8 and/or JON 312?
Out of date, I never had the opportunity to come back to the issue, and not sure there is a real need anyway for the feature.