Bug 950570 - User Portal refresh does not update VM list according to user permissions
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.2.0
Hardware: Unspecified Unspecified
Priority: unspecified Severity: high
Target Milestone: ---
Target Release: 3.3.0
Assigned To: Tim Hildred
ecs-bugs
virt
Depends On:
Blocks:
Reported: 2013-04-10 08:40 EDT by Jiri Belka
Modified: 2015-09-22 09 EDT

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
The User Portal refreshes LDAP and Active Directory information once per hour, so permission changes to user roles are not immediately reflected. To work around this issue, use engine-config to set the UserRefreshRate parameter to a lower value, or re-log in to the User Portal.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-16 17:58:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jiri Belka 2013-04-10 08:40:08 EDT
Description of problem:

User Portal refresh (automatic, manual clicking on the refresh button, Ctrl-r in a browser [FF17, IE10], Ctrl-F5 [hard refresh] in the browsers) does not update the VM list according to the user's real permissions. It means that when a user, while logged into User Portal, becomes a member of an AD group which has UserRole (on system), the VM list is not updated to include all VMs related to the UserRole of the group. The VM list still contains only the direct permission of the user (user->UserRole->specific VM) during the whole User Portal session. Signing off and logging in to the User Portal again makes the VM list include even VMs which are related to the group permission.

Seems to be regression, BZ806792, as it sounds it was working.

Version-Release number of selected component (if applicable):
sf13

How reproducible:
100%

Steps to Reproduce:
1. have an AD user
2. have an AD group
3. assign UserRole permission on a VM to this AD user
4. assign UserRole permission on _system_ to this AD group
6. login into User Portal as the AD user
7. update the AD user properties on Directory server to be member of the AD group (step 2)
8. wait 5 seconds (default automatic refresh), click refresh button, browser soft-refresh, browser hard-refresh
9. logoff && log in

Actual results:
8 - nothing happens, no group permissions related VM appear in the list
9 - now group permissions related VM appear in the list

Expected results:
8 - autorefresh should check again user's permissions and add other vms in the list

Additional info:
nothing in engine.log
Comment 1 Jiri Belka 2013-04-10 09:47:16 EDT
It seems to me that roles a user or group has are rechecked "internally" only. For example: user has UserRole, group has UserRole, then you add admin role to the group, refresh would find it. But when you add the user to a group and the engine did not know before he has been in this group, it won't recheck AD...
Comment 3 Libor Spevak 2013-04-15 10:10:27 EDT
It is probably not feasible to reflect the Active Directory user and group configuration changes to user session on server very frequently (e.g. every cca 5 seconds when using automatic refresh).

Yair, please, can you confirm, is there an automatic mechanism which updates the user sessions regularly - after some time interval (asynchronously) - I noticed on Engine channel, you plan a refactoring of the authentication/authorization module nowadays.

http://www.ovirt.org/DomainInfrastructure
Comment 6 Michal Skrivanek 2013-07-12 08:03:27 EDT
yair, comment #3 relevant?
do we have or plan to have an update in background for user's permissions?
Comment 7 Michal Skrivanek 2013-07-17 07:00:12 EDT
the refresh period is by default one hour. Or on relogin
We'd suggest to either change the refresh period via engine-config (UserRefreshRate) or/and add release note that the refresh occurs on relogin and in a defined interval only.

moving to docs
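
The behaviour described in comments 1 and 7, as an added example that is not part of the bug thread and is not oVirt engine code: a simplified model in which engine-side permissions are read on every refresh while directory group membership is cached per session and re-fetched only on login or after the refresh interval. The names `aduser`, `adgroup`, `staff`, the VM names, and the use of seconds as the unit are assumptions of the model.

```python
USER_REFRESH_RATE = 3600  # seconds (assumed unit); models the one-hour default


class Engine:
    def __init__(self, directory, permissions):
        self.directory = directory      # user -> set of groups (stand-in for AD/LDAP)
        self.permissions = permissions  # principal -> set of VMs (engine DB, read on every refresh)
        self.sessions = {}              # user -> (cached group set, time it was fetched)

    def login(self, user, now):
        # The directory is queried here; the result is copied into the session.
        self.sessions[user] = (set(self.directory.get(user, ())), now)

    def refresh_vm_list(self, user, now):
        groups, fetched = self.sessions[user]
        if now - fetched >= USER_REFRESH_RATE:
            # Only after the interval has elapsed is the directory asked again.
            self.login(user, now)
            groups = self.sessions[user][0]
        vms = set(self.permissions.get(user, ()))
        for group in groups:
            vms |= self.permissions.get(group, set())
        return vms


def reproduce(relogin):
    """Replay the report's steps on constructed data; return the VM list at each point."""
    directory = {"aduser": {"staff"}}
    permissions = {"aduser": {"vm1"}, "adgroup": {"vm1", "vm2", "vm3"}}
    engine = Engine(directory, permissions)

    engine.login("aduser", now=0)                            # step 6
    directory["aduser"].add("adgroup")                       # step 7: change made in the directory
    step8 = engine.refresh_vm_list("aduser", now=5)          # step 8: portal refresh

    permissions["staff"] = {"vm4"}                           # comment 1: engine-side change for a
    comment1 = engine.refresh_vm_list("aduser", now=6)       # group the session already knows

    if relogin:
        engine.login("aduser", now=10)                       # step 9: log off and log in
        final = engine.refresh_vm_list("aduser", now=11)
    else:
        final = engine.refresh_vm_list("aduser", now=USER_REFRESH_RATE)  # wait out the interval
    return step8, comment1, final


if __name__ == "__main__":
    for mode in (True, False):
        print("relogin" if mode else "interval", reproduce(mode))
```

The same cache applies in the other direction: in this model, a membership removed in the directory also stays in the session until the next login or interval refresh, which is the reason to lower the interval where group membership is used to withdraw access.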
Comment 8 Michal Skrivanek 2013-08-08 05:34:57 EDT
this was always the behavior, removing Regression
Comment 9 Jodi Biddle 2013-10-16 17:58:06 EDT
Cheryn has already documented this bug in the release notes, so I'm closing it to move it off my queue.