Update the user when there are no matching groups #10634
@abellotti and @kbrock Please review
@jvlcek until we get a memberof overlay on ApacheDS, you can configure MiqLdap directly to the Ldap of an IPA server and test against that. IPA's openldap implements the memberof overlay.
5ebdc3f to 0cd36b9
When all MiQ groups are removed for a given user on the "authenticator" the user's DB entry must be updated to show no matching MiQ groups. https://bugzilla.redhat.com/show_bug.cgi?id=1342082
0cd36b9 to 7b439c1
Checked commit jvlcek@7b439c1 with ruby 2.2.5, rubocop 0.37.2, and haml-lint 0.16.1
@jvlcek nice job diving in and getting this PR done. LGTM!!
👍 LGTM too!
@gtanzillo and @abellotti Once the travis tests pass I'll request a final review/merge.
@abellotti Please take a look.
I'm good with this. @kbrock can we borrow your 👀 Thanks.
This looks great
Update the user when there are no matching groups (cherry picked from commit 426e642)
Darga backport details:
$ git cherry-pick -x -m 1 426e642
[darga bab3149] Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups
Author: Gregg Tanzillo <gtanzill@redhat.com>
Date: Wed Aug 24 11:43:15 2016 -0400
2 files changed, 25 insertions(+), 1 deletion(-)
$ git log
commit bab3149e524e31922ef355acb80219572bc00b77
Author: Gregg Tanzillo <gtanzill@redhat.com>
Date: Wed Aug 24 11:43:15 2016 -0400
Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups
Update the user when there are no matching groups
(cherry picked from commit 426e6420e94cb050311ea99992db43dd490992d8)
I have confirmed this PR using external auth with IPA/LDAP
Marking as WIP until I am able to confirm with LDAP directly.
Purpose or Intent
The purpose of this PR is to address a situation where:
A valid user with valid MiQ groups had been able to successfully log into MiQ.
After which the LDAP system administrator removed all MiQ groups from the
user with the intent of preventing the user access to MiQ.
However when no valid groups were returned from LDAP the user's group
information was not updated in the DB and the UI would use the stale,
valid records.
This PR simply updates the user's miq_groups to empty when there are
no matching groups, thereby preventing user authorization.
Steps for Testing/QA
To test this:
1 - configure MiQ to validate using LDAP,
either directly to an LDAP server or to an external authentication server
that supports LDAP (e.g. IPA)
2 - Create a valid user with valid MiQ groups in LDAP
3 - log into MiQ using the valid user, then log off
4 - Remove all valid MiQ groups from the user in LDAP
5 - confirm that login attempts into MiQ using the valid user that no longer has
valid MiQ groups in LDAP fail.
Description
When all MiQ groups are removed for a given user
on the "authenticator" the user's DB entry must
be updated to show no matching MiQ groups.
https://bugzilla.redhat.com/show_bug.cgi?id=1342082
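The stale-group behaviour described in this PR, next to the corrected update, as a simplified Ruby model that replays the testing steps. This is an added example, not ManageIQ's code: `User`, `KNOWN_GROUPS`, `matching_groups`, `sync_groups_stale`, `sync_groups_fixed` and `replay` are hypothetical names, and the user and group names are constructed.

```ruby
# Added illustration; every name here is hypothetical, not a ManageIQ class or method.
require "set"

# Constructed sample: groups that exist locally in the application.
KNOWN_GROUPS = Set["miq-admins", "miq-operators"].freeze

# Stand-in for the user's DB record; authorization needs at least one group.
User = Struct.new(:userid, :miq_groups) do
  def authorized?
    !miq_groups.empty?
  end
end

# Groups returned by the directory that also exist locally.
def matching_groups(directory_groups)
  directory_groups.select { |g| KNOWN_GROUPS.include?(g) }
end

# Behaviour described as the bug: an empty match skips the update,
# so the groups stored at the previous login remain in effect.
def sync_groups_stale(user, directory_groups)
  matches = matching_groups(directory_groups)
  user.miq_groups = matches unless matches.empty?
  user.authorized?
end

# Behaviour described as the fix: always overwrite the stored groups,
# so an empty match clears them and authorization fails.
def sync_groups_fixed(user, directory_groups)
  user.miq_groups = matching_groups(directory_groups)
  user.authorized?
end

# Replays the testing steps: log in with a valid group, then log in again
# after the directory administrator has removed every matching group.
def replay(sync)
  user = User.new("alice", [])
  first  = send(sync, user, ["miq-admins", "staff"])
  second = send(sync, user, ["staff"])
  { first_login: first, second_login: second, stored: user.miq_groups }
end

if __FILE__ == $PROGRAM_NAME
  p replay(:sync_groups_stale)
  p replay(:sync_groups_fixed)
end
```

The stale variant still authorizes the second login because the record keeps the group stored at the first login; the fixed variant leaves the record with no groups.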