Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 950570

Summary: User Portal refresh does not update VM list according to user permissions
Product: Red Hat Enterprise Virtualization Manager Reporter: Jiri Belka <jbelka>
Component: DocumentationAssignee: Tim Hildred <thildred>
Status: CLOSED WORKSFORME QA Contact: ecs-bugs
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: acathrow, chetan, gklein, jbiddle, jkt, lpeer, michal.skrivanek, Rhev-m-bugs, yeylon, yzaslavs
Target Milestone: ---   
Target Release: 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: virt
Fixed In Version: Doc Type: Known Issue
Doc Text:
The User Portal refreshes LDAP and Active Directory information once per hour, so permission changes to user roles are not immediately reflected. To work around this issue, use engine-config to set the UserRefreshRate parameter to a lower value, or re-log in to the User Portal.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-16 21:58:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jiri Belka 2013-04-10 12:40:08 UTC 
Description of problem:

User Portal refresh (automatic, manual clicking on refresh button, Ctrl-r in a browser [FF17, IE10], Ctrl-F5 [hard refresh] in the browsers) does not update VM list according to user real permissions. It means when a user when he is logged into User Portal becomes member of an AD group which has UserRole (on system), the VM list is not updated to include all VMs related to UserRole of the group. The VM list still contains only direct permission of the user (user->UserRole->specific VM) during whole User Portal session. Signing off and logging in the User Portal again makes the VM list include even VMs which are related to group permission.

Seems to be regression, BZ806792, as it sounds it was working.

Version-Release number of selected component (if applicable):
sf13

How reproducible:
100%

Steps to Reproduce:
1. have an AD user
2. have an AD group
3. assing UserRole permission on a VM to this AD user
4. assing UserRole permission on _system_ to this AD group
6. login into User Portal as the AD user
7. update the AD user properties on Directory server to be member of the AD group (step 2)
8. wait 5 seconds (default automatic refresh), click refresh button, browser soft-refresh, browser hard-refresh
9. logoff && log in

Actual results:
8 - nothing happens, no group permissions related VM appear in the list
9 - now group permissions related VM appear in the list

Expected results:
8 - autorefresh should check again user's permissions and add other vms in the list

Additional info:
nothing in engine.log
Comment 1 Jiri Belka 2013-04-10 13:47:16 UTC 
It seems to me that roles a user or group has are rechecked "internally" only. For example: user has UserRole, group has UserRole, then you add admin role to the group, refresh would find it. But when you add the user to a group and the engine did not know before he has been in this group, it won't recheck AD...
Comment 3 Libor Spevak 2013-04-15 14:10:27 UTC 
It is probably not feasible to reflect the Active Directory user and group configuration changes to user session on server very frequently (e.g. every cca 5 seconds when using automatic refresh).

Yair, please, can you confirm, is there an automatic mechanism which updates the user sessions regularly - after some time interval (asynchronously) - I noticed on Engine channel, you plan a refactoring of the authentication/authorization module nowadays.

http://www.ovirt.org/DomainInfrastructure
Comment 6 Michal Skrivanek 2013-07-12 12:03:27 UTC 
yair, comment #3 relevant?
do we have or plan to have an update in background for user's permissions?
Comment 7 Michal Skrivanek 2013-07-17 11:00:12 UTC 
the refresh period is by default one hour. Or on relogin
We'd suggest to either change the refresh period via engine-config (UserRefreshRate) or/and add release note that the refresh occurs on relogin and in a defined interval only.

moving to docs
Comment 8 Michal Skrivanek 2013-08-08 09:34:57 UTC 
this was always the behavior, removing Regression
Comment 9 Jodi Biddle 2013-10-16 21:58:06 UTC 
Cheryn has already documented this bug in the release notes, so I'm closing it to move it off my queue.