Commit 5da2594
AAP-43587: Fix 50x error in ldap legacy auth (ansible#721)
## Description
Bug description:
* Resource (LDAP legacy migrated user, though it doesn't really matter
the type) exists in controller and gateway with ansible_id A
* User logs in via "I have a controller account" legacy auth on gateway
* Gateway (for LDAP users only) tests a login via the opposite component
as well (hub if controller login, controller if hub login) to see if the
user can log in there (see this code)
* In our pipeline 2.4 -> 2.5 upgrade scenarios w/ LDAP, we have the same
LDAP instance connected to hub and controller, so even if a user is
created only on 2.4 controller, it's perfectly fine for that user to
log in as well on hub at any point even though the pipeline hasn't done
that and doesn't intend to
* The hub test login succeeds and creates a new user with the same
username, but with ansible_id B
* Hub immediately syncs to gateway, who updates the existing matching
user from ansible_id A to B
* User clicks the finalize button to confirm user migration, but it
fails with a 50x error because gateway is using the new ansible_id B
while controller still has ansible_id A for that user
Fix:
DAB is updated such that it will not attempt a local authentication upon
request if it does not already have a user matching the requested
username. This will prevent the issue without making any general
behavioral changes in how resources are managed.
## Type of Change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [ ] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change
## Self-Review Checklist
- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [ ] I have updated documentation where needed
- [ ] I have considered the security impact of these changes
- [ ] I have considered performance implications
- [ ] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment
## Testing Instructions
### Prerequisites
Use a 2.4 -> 2.5 upgrade pipeline from
https://jenkins-csb-aap-main.dno.corp.redhat.com/job/AAPQA/job/AAPQA%20Provisioner/job/AAPQA-ATF-Upgrade-On-Demand-Pipeline/
WITH LDAP enabled
### Steps to Test
1. The pipeline will create some users that are defined only in
controller (see
https://gitlab.cee.redhat.com/ansible/testing/test-suite/-/blob/main/src/aap_test_suite/resources/freeipa.py?ref_type=heads
users starting with ldap_ui_ctlr_, such as tower_all, tower_1,
saml_user). Pick one of these users.
2. From gateway login screen, select "I have a controller account" and
log in with the user.
3. The migration screen will be shown. Click through and finish
(finalize) the user migration.
### Expected Results
No 50x error encountered and migration completed successfully.
## Additional Context
Before the change, any of these users would trigger a 50x error upon
finalization.
Co-authored-by: Bryan Havenstein <[email protected]>
1 parent 9291277 commit 5da2594
File tree
2 files changed, +14 -0 lines changed
- ansible_base/resource_registry
- test_app/tests/resource_registry

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
5 | 6 | | |
6 | 7 | | |
7 | 8 | | |
| |||
198 | 199 | | |
199 | 200 | | |
200 | 201 | | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
201 | 207 | | |
202 | 208 | | |
203 | 209 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
23 | 23 | | |
24 | 24 | | |
25 | 25 | | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
26 | 34 | | |
27 | 35 | | |
28 | 36 | | |
| |||
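The sequence from the bug description, and the effect of the guard described under "Fix", as a self-contained simulation. This is an added example, not code from this commit or from DAB; `Component`, `legacy_login`, `finalize_migration`, the `guard` flag and the sample username and password are constructed for illustration.

```python
import uuid

LDAP = {"ldap_ui_ctlr_demo": "s3cret"}  # constructed directory: username -> password


class Component:
    """Hypothetical stand-in for hub or controller with LDAP-backed legacy auth."""

    def __init__(self, guard):
        self.guard = guard   # True models the behaviour described under "Fix"
        self.users = {}      # username -> ansible_id

    def legacy_login(self, username, password):
        # Fixed behaviour: no local user with this username, no authentication attempt.
        if self.guard and username not in self.users:
            return None
        if LDAP.get(username) != password:
            return None
        # A first successful LDAP login creates the local user with a fresh ansible_id.
        if username not in self.users:
            self.users[username] = str(uuid.uuid4())
        return self.users[username]


def finalize_migration(guard, username="ldap_ui_ctlr_demo", password="s3cret"):
    """Return True when gateway and controller still agree on ansible_id at finalize."""
    controller, hub = Component(guard), Component(guard)
    controller.users[username] = str(uuid.uuid4())       # ansible_id A
    gateway = {username: controller.users[username]}     # gateway mirrors A

    # "I have a controller account": the real login goes to controller.
    if controller.legacy_login(username, password) is None:
        return False
    # Gateway's test login against the opposite component (hub).
    hub_id = hub.legacy_login(username, password)
    if hub_id is not None:
        gateway[username] = hub_id                       # hub sync overwrites A with B
    # Finalize fails (the 50x in the report) when the ids have diverged.
    return gateway[username] == controller.users[username]


if __name__ == "__main__":
    print("without guard:", finalize_migration(guard=False))
    print("with guard:   ", finalize_migration(guard=True))
```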