Project

General

Profile

Actions

Bug #7079

closed

Group UI allows invalid entry causing Identity ServiceFailure

Added by Chris Jones over 6 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Start date:
08/03/2016
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:

Description

When adding users to a Group in the MetacatUI -> My Profile -> Settings -> Groups web form, the form allows users to be added to the group that don't exist in the Accounts Registry. We need to validate the member DN prior to calling PUT /cn/v2/groups so an invalid entry doesn't get created by the CNIdentityLDAPImpl service.

Bogus User Entry

Unfortunately, once a uniqueMember is is created in the group in LDAP, this causes the Accounts Registry service to throw a 500 ServiceFailure, so all other authenticated interactions with the CN fail, affecting all users. I'll add a ticket in the d1_identity_manager project to address this from the server side. See https://redmine.dataone.org/issues/7857

By removing the bogus uniqueMember entry in LDAP, the Accounts Registry service worked fine again.


Files

bogus-user-entry.png (134 KB) bogus-user-entry.png Bogus User Entry Chris Jones, 08/03/2016 11:17 AM
Actions #1

Updated by Lauren Walker over 6 years ago

  • Target version set to 1.12.0
Actions #2

Updated by ben leinfelder over 6 years ago

Since this actually doesn't break the account service (now) do we really need to restrict group member? Say I want to make a group of Orcid accounts but not all the the people in my group have logged in to DataONE before. They won't be in our system but I don't see why I shouldn't be able to add them.

Actions #3

Updated by Lauren Walker over 6 years ago

Will adding an orcid to a group cause an error? I can see it being helpful to be able to create a group of ORCIDs whether or not they are in the LDAP registry

Actions #4

Updated by ben leinfelder over 6 years ago

No, it should not be a problem and is exactly the kind of scenario I was imagining.

Lauren Walker wrote:

Will adding an orcid to a group cause an error? I can see it being helpful to be able to create a group of ORCIDs whether or not they are in the LDAP registry

Actions #5

Updated by Lauren Walker over 6 years ago

So Chris, should the UI only allow:

- valid ORCIDs
- other usernames that are in the LDAP account registry

Anything else is rejected by the form.

Actions #6

Updated by ben leinfelder over 6 years ago

Why can't it allow anything that is a valid Subject format? Different MNs use lots of different identification systems. Sure, we try to have them use ORCIDs, but many don't. Maybe they will use DNs, but many don't... Point is we need to be as flexible as possible.

Actions #7

Updated by Lauren Walker over 6 years ago

  • Status changed from New to Rejected

This was fixed in CCI 2.2.0, so the UI should allow users to enter any username since it won't cause an error

Actions #8

Updated by Chris Jones over 6 years ago

Agreed - it seems fine to let any Subject be added since (as Ben pointed out), the ServiceFailure bug on the CN was fixed.

Actions

Also available in: Atom PDF