Bug #14410

Failure to run DB migrations prevents plugin permissions being loaded

Added by Daniel Lobato Garcia over 4 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: DB migrations
Target version:
Difficulty:
Triaged:
Bugzilla link:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1221971
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure LDAP authentication using http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
2. create a user-group with external user-group (example Active Directory)
3. log in as an AD user, which is part of the external user-group
4. create an ak_role via the roles and assign all the "activation keys" permissions via the filters.
5. assign the role "ak_role" at the user_group level (only after step 3 is performed, to reproduce)

Actual results:
Log in as an AD user, which is part of the external user-group, to observe that the AD user has no access/permissions for all the roles added after the AD user was logged in.

Expected results:

Adding new roles for the AD user at user-group level after the AD user was logged in should be possible.

Additional info:


Related issues

Related to Foreman - Refactor #15866: Provide alternative way of migrating data as oposed misuing db:migrate for this purpose (New, 2016-07-27)

Associated revisions

Revision 2aa15bf1 (diff)
Added by Ivan Necas about 4 years ago

Fixes #14410 - respond 503 when pending migration

History

#1 Updated by Dominic Cleal over 4 years ago

  • Category set to Users, Roles and Permissions
  • Status changed from New to Need more information

Does the user have the groups? Please try on a current version and provide logs with LDAP debugging enabled.

#2 Updated by Daniel Lobato Garcia over 4 years ago

  • Project changed from Foreman to Katello
  • Category deleted (Users, Roles and Permissions)
  • Status changed from Need more information to Assigned

Yeah, the user has the groups. The problem I'm facing is that Katello links are not being displayed even though the user has the appropriate permissions. I'll move this to the Katello project.

#3 Updated by Daniel Lobato Garcia over 4 years ago

It doesn't have to do much with group permissions either I don't think. Even if I set the view_activation_keys permission to the user directly, it doesn't work.

#4 Updated by Daniel Lobato Garcia over 4 years ago

  • Subject changed from adding new roles at user_group level after user logs in seems to have no effect to Adding activation_keys permissions to user seems to have no effect

#5 Updated by Daniel Lobato Garcia over 4 years ago

It has to deal somehow with the way permissions are loaded.

On a production nightly host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 161 - it's missing Katello permissions
On a katello-deploy centos7-devel host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 238 - bug can't be reproduced

#6 Updated by Daniel Lobato Garcia over 4 years ago

  • Project changed from Katello to Foreman

Ah, finally found the cause. It doesn't have to do with external user groups as far as I can see. You'll probably struggle to reproduce this one, as it requires:

  • Upgrading from some version
  • Failing during the upgrade so that some migration does not run

At that point, Foreman::AccessControl does not load the permissions from plugins properly, as per line https://github.com/theforeman/foreman/blob/develop/app/services/foreman/plugin.rb#L217

If you run `foreman-rake db:migrate` and `systemctl restart httpd`, permissions will be reloaded again and it will work.
So I guess we should either log this better or turn on the check for missing migrations in production. (https://gist.github.com/stbenjam/c182ff0b1fe99bef6680ea4463f1f156)
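
The check for missing migrations suggested in the comment above, combined with the behaviour named in the commit message of revision 2aa15bf1 ("respond 503 when pending migration"), as an added Ruby example that is not Foreman's code. `MigrationState`, `PendingMigrationGuard`, `demo_response` and the migration versions are hypothetical names and constructed sample data.

```ruby
# Added illustration, not Foreman's code. All names here are hypothetical.
require 'set'

# Compares migration versions shipped with the app (core and plugins)
# against the versions recorded as applied in the database.
class MigrationState
  def initialize(available:, applied:)
    @available = available.to_set
    @applied = applied.to_set
  end

  # Versions present on disk but never run, oldest first.
  def pending
    (@available - @applied).sort
  end

  def pending?
    !pending.empty?
  end
end

# Rack-style middleware: while any migration is pending, answer 503 instead
# of passing the request to an app whose permission set may be incomplete.
class PendingMigrationGuard
  def initialize(app, state_loader)
    @app = app
    @state_loader = state_loader # callable returning a MigrationState
  end

  def call(env)
    state = @state_loader.call
    return @app.call(env) unless state.pending?
    # Log the versions server-side; keep the client response generic.
    warn "pending migrations: #{state.pending.join(', ')}"
    body = 'Service unavailable: database migrations are pending'
    [503, { 'content-type' => 'text/plain', 'retry-after' => '60' }, [body]]
  end
end

# Constructed sample data: one migration was skipped by a failed upgrade.
AVAILABLE = %w[20150101000000 20160301000000 20160315000000].freeze
APPLIED_AFTER_FAILED_UPGRADE = %w[20150101000000 20160301000000].freeze

def demo_response(applied)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  loader = -> { MigrationState.new(available: AVAILABLE, applied: applied) }
  PendingMigrationGuard.new(app, loader).call({})
end
```

With this shape a half-finished upgrade is visible as an explicit outage with a logged cause, rather than as users who silently lack plugin permissions.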

#7 Updated by The Foreman Bot over 4 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3426 added

#8 Updated by The Foreman Bot about 4 years ago

  • Pull request https://github.com/theforeman/foreman/pull/3561 added

#9 Updated by Dominic Cleal about 4 years ago

  • Subject changed from Adding activation_keys permissions to user seems to have no effect to Failure to run DB migrations prevents plugin permissions being loaded
  • Category set to DB migrations
  • Priority changed from High to Normal

#10 Updated by Ivan Necas about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#11 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 160

#12 Updated by Ivan Necas about 4 years ago

  • Related to Refactor #15866: Provide alternative way of migrating data as oposed misuing db:migrate for this purpose added
