Bug #14410
closed
Failure to run DB migrations prevents plugin permissions being loaded
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1221971
Description of problem:
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. configure LDAP authentication using http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
2. create a user-group with external user-group (example Active Directory)
3. login as a AD user, which is part of the external user-group
4. create a ak_role via the roles and assign all the "activation keys" permissions via the filters.
5. assign the role "ak_role" at the user_group level(only after step 3) performed to reproduce)
Actual results:
login as a AD user, which is part of the external user-group, to observe that the AD user has no access/permissions for all the roles added after the AD user was logged in.
Expected results:
Adding new roles for the AD user at user-group level after the AD user was logged-id should be possible.
Additional info:
Updated by Dominic Cleal about 9 years ago
- Category set to Users, Roles and Permissions
- Status changed from New to Need more information
Does the user have the groups? Please try on a current version and provide logs with LDAP debugging enabled.
Updated by Daniel Lobato Garcia about 9 years ago
- Project changed from Foreman to Katello
- Category deleted (
Users, Roles and Permissions) - Status changed from Need more information to Assigned
Yeah, the user has the groups. The problem I'm facing is that Katello links are not being displayed even though the user has the appropriate permissions. I'll move this to the Katello project.
Updated by Daniel Lobato Garcia about 9 years ago
It doesn't have to do much with group permissions either I don't think. Even if I set the view_activation_keys permission to the user directly, it doesn't work.
Updated by Daniel Lobato Garcia about 9 years ago
It has to deal somehow with the way permissions are loaded.
On a production nightly host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 161 - it's missing Katello permissions
On a katello-deploy centos7-devel host: `Foreman::AccessControl.send(:permissions).map(&:name).count` -> 238 - bug can't be reproduced
Updated by Daniel Lobato Garcia about 9 years ago
- Project changed from Katello to Foreman
Ah, finally found the cause. It doesn't have to do with external user groups as far as I can see. You'll probably struggle to reproduce this one, as it requires:
- Upgrading from some verison
- Fail during the upgrade so that some migration does not run
At that point, Foreman::AccessControl does not load the permissions from plugins properly, as per line https://github.com/theforeman/foreman/blob/develop/app/services/foreman/plugin.rb#L217
If you run foreman-rake db:migrate and systemctl restart httpd, permissions will be reloaded again and it will work.
So I guess we should either log this better or turn on the check for missing migrations in production. (https://gist.github.com/stbenjam/c182ff0b1fe99bef6680ea4463f1f156)
Updated by
Updated by Ivan Necas almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 2aa15bf1f40fff77a50bb9907fa993e067dd6346.