Failure to run DB migrations prevents plugin permissions being loaded
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1221971
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure LDAP authentication using http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
2. create a user-group with external user-group (example Active Directory)
3. login as a AD user, which is part of the external user-group
4. create a ak_role via the roles and assign all the "activation keys" permissions via the filters.
5. assign the role "ak_role" at the user_group level(only after step 3) performed to reproduce)
login as a AD user, which is part of the external user-group, to observe that the AD user has no access/permissions for all the roles added after the AD user was logged in.
Adding new roles for the AD user at user-group level after the AD user was logged-id should be possible.
#2 Updated by Daniel Lobato Garcia about 5 years ago
- Project changed from Foreman to Katello
- Category deleted (
Users, Roles and Permissions)
- Status changed from Need more information to Assigned
Yeah, the user has the groups. The problem I'm facing is that Katello links are not being displayed even though the user has the appropriate permissions. I'll move this to the Katello project.
#5 Updated by Daniel Lobato Garcia about 5 years ago
It has to deal somehow with the way permissions are loaded.
On a production nightly host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 161 - it's missing Katello permissions
On a katello-deploy centos7-devel host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 238 - bug can't be reproduced
#6 Updated by Daniel Lobato Garcia about 5 years ago
- Project changed from Katello to Foreman
Ah, finally found the cause. It doesn't have to do with external user groups as far as I can see. You'll probably struggle to reproduce this one, as it requires:
- Upgrading from some verison
- Fail during the upgrade so that some migration does not run
At that point, Foreman::AccessControl does not load the permissions from plugins properly, as per line https://github.com/theforeman/foreman/blob/develop/app/services/foreman/plugin.rb#L217
If you run foreman-rake db:migrate and systemctl restart httpd, permissions will be reloaded again and it will work.
So I guess we should either log this better or turn on the check for missing migrations in production. (https://gist.github.com/stbenjam/c182ff0b1fe99bef6680ea4463f1f156)