Bug #14410
closed
Failure to run DB migrations prevents plugin permissions being loaded
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1221971
Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. configure LDAP authentication using http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
2. create a user-group with external user-group (example Active Directory)
3. log in as an AD user, which is part of the external user-group
4. create an ak_role via the roles and assign all the "activation keys" permissions via the filters.
5. assign the role "ak_role" at the user_group level (only after step 3 is performed, to reproduce)
Actual results:
Log in as an AD user, which is part of the external user-group, to observe that the AD user has no access/permissions for all the roles added after the AD user was logged in.
Expected results:
Adding new roles for the AD user at user-group level after the AD user was logged in should be possible.
Additional info:
Updated by Dominic Cleal over 8 years ago
- Category set to Users, Roles and Permissions
- Status changed from New to Need more information
Does the user have the groups? Please try on a current version and provide logs with LDAP debugging enabled.
Updated by Daniel Lobato Garcia over 8 years ago
- Project changed from Foreman to Katello
- Category deleted (Users, Roles and Permissions)
- Status changed from Need more information to Assigned
Yeah, the user has the groups. The problem I'm facing is that Katello links are not being displayed even though the user has the appropriate permissions. I'll move this to the Katello project.
Updated by Daniel Lobato Garcia over 8 years ago
It doesn't have to do much with group permissions either I don't think. Even if I set the view_activation_keys permission to the user directly, it doesn't work.
Updated by Daniel Lobato Garcia over 8 years ago
- Subject changed from adding new roles at user_group level after user logs in seems to have no effect to Adding activation_keys permissions to user seems to have no effect
Updated by Daniel Lobato Garcia over 8 years ago
It has to deal somehow with the way permissions are loaded.
On a production nightly host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 161 - it's missing Katello permissions
On a katello-deploy centos7-devel host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 238 - bug can't be reproduced
Updated by Daniel Lobato Garcia over 8 years ago
- Project changed from Katello to Foreman
Ah, finally found the cause. It doesn't have to do with external user groups as far as I can see. You'll probably struggle to reproduce this one, as it requires:
- Upgrading from some version
- Fail during the upgrade so that some migration does not run
At that point, Foreman::AccessControl does not load the permissions from plugins properly, as per line https://github.com/theforeman/foreman/blob/develop/app/services/foreman/plugin.rb#L217
If you run `foreman-rake db:migrate` and `systemctl restart httpd`, permissions will be reloaded again and it will work.
So I guess we should either log this better or turn on the check for missing migrations in production. (https://gist.github.com/stbenjam/c182ff0b1fe99bef6680ea4463f1f156)
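An added example, not part of the comment above and not Foreman's own code: one way to make this failure visible, by comparing the migration files on disk with the versions recorded as applied and logging which plugin permissions were skipped. The `PermissionRegistry` class, the migration file names and the version numbers are hypothetical and constructed for illustration.

```ruby
require 'logger'
require 'set'
require 'stringio'

# Constructed sample data: migration file names as they would sit under
# db/migrate, and the versions recorded as applied in schema_migrations.
MIGRATION_FILES = %w[
  20150508124600_add_user_groups.rb
  20150521121315_rename_config_template.rb
  20150602153751_add_plugin_permissions.rb
].freeze
APPLIED_VERSIONS = Set['20150508124600', '20150521121315'].freeze

# Versions present on disk but never applied to the database.
def pending_migrations(files, applied)
  files.map { |f| f[/\A(\d+)_/, 1] }.compact.reject { |v| applied.include?(v) }.sort
end

# Hypothetical registry: registers a plugin's permissions only when the schema
# is current, and reports what was skipped instead of dropping it silently.
class PermissionRegistry
  attr_reader :permissions

  def initialize(logger)
    @logger = logger
    @permissions = []
  end

  def register(plugin, names, pending)
    if pending.empty?
      @permissions.concat(names)
      return true
    end
    @logger.error("#{plugin}: skipped #{names.size} permission(s), " \
                  "pending migrations: #{pending.join(', ')}; " \
                  'run db:migrate and restart the application')
    false
  end
end

LOG_OUTPUT = StringIO.new # captured here so the message can be inspected

def demo
  registry = PermissionRegistry.new(Logger.new(LOG_OUTPUT))
  pending = pending_migrations(MIGRATION_FILES, APPLIED_VERSIONS)
  ok = registry.register('katello', %w[view_activation_keys], pending)
  [ok, pending, registry.permissions]
end
```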
Updated by The Foreman Bot over 8 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3426 added
Updated by The Foreman Bot over 8 years ago
- Pull request https://github.com/theforeman/foreman/pull/3561 added
Updated by Dominic Cleal over 8 years ago
- Priority changed from High to Normal
- Subject changed from Adding activation_keys permissions to user seems to have no effect to Failure to run DB migrations prevents plugin permissions being loaded
- Category set to DB migrations
Updated by Ivan Necas over 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 2aa15bf1f40fff77a50bb9907fa993e067dd6346.
Updated by Dominic Cleal over 8 years ago
- Translation missing: en.field_release set to 160
Updated by Ivan Necas over 8 years ago
- Related to Refactor #15866: Provide alternative way of migrating data as oposed misuing db:migrate for this purpose added