-
Bug
-
Resolution: Done
-
Normal
-
None
-
5
-
False
-
False
-
-
Release Notes
-
No
-
-
-
-
-
-
1.24.0
-
No
-
-
Bug Fix
-
Done
-
No
-
Yes
-
None
-
MODH Sprint 31, MODH Sprint 32, RHODS 1.24
-
Moderate
Description of problem:
In RHODS-348 there are three scenarios concerning user sessions, scenario no. 2 listed in the original issue is still not covered as expected in RHODS.
User no longer has access to RHODS based on removal from RHODS user or admin group
When a user is removed from the rhods-users group while being logged into the JH spawner, they are not automatically logged out. Refreshing the page does not log the user out. The only way for the change to take effect is to do an "hard" refresh (ctrl+f5 or similar); in this case the user is logged out, and upon login receives a 403 Forbidden error message.
The original issue is also concerned with user session w.r.t. the RHODS dashboard, however being part of the rhods-users/admins group currently changes nothing as far as the dashboard is concerned. An OpenShift user not part of either group can always log into the dashboard, and consequently removing a logged in user from either group does not log them out of the dashboard.
Prerequisites (if any, like setup, operators/versions):
RHODS 1.1.1-41 on OSD
Steps to Reproduce
- Install RHODS
- Add IdPs to your cluster
- Create user(s) in the IdP and OpenShift
- Add user(s) to rhods-users or admins group
- Log in the JH spawner
- User should be able to log in
- Remove user(s) from rhods-users or admins group
- Refresh JH spawner page
- User is still logged in
- Hard refresh the page / log out
- log in with the same user again, you should receive a 403 Forbidden error
- Same up to step 4
- Log in the RHODS dashboard
- Remove user(s) from rhods-users or admins group
- Refresh dashboard page, user should still be logged in
- Hard refresh/log out the page
- Log in with same user, the user should still be allowed to log in
Actual results:
User is not automatically logged out of the JH spawner when the credentials (i.e. group membership) are revoked. User session needs to expire by other means before the change is applied.
User is not automatically logged out of the RHODS dashboard. Furthermore, user can still log into the dashboard after credentials are revoked (or before they are ever given).
Expected results:
User is logged out automatically when credentials are revoked from both JH spawner and RHODS dashboard.
RHODS dashboards checks for group membership before allowing a user to log in.
Reproducibility (Always/Intermittent/Only Once):
Always
Build Details:
RHODS 1.1.1-41 on OSD
Additional info:
- is related to
-
RHODS-348 Session mgmt: Log users out when credentials are revoked
- Closed
- mentioned on