  1. Dev - Nexus Repo
  2. NEXUS-35399

/rest/v1/security/users does not always list local Roles from the default realm that are associated with an external realm user

    Details

    • Type: Bug
    • Status: Waiting for Second Review
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.39.0, 3.41.1
    • Fix Version/s: None
    • Component/s: LDAP, REST, Security, UI
    • Labels:
    • Story Points:
      2
    • Sprint:
      NXRM Sentinels Sprint 47, NXRM Sentinels Sprint 48
    • Notability:
      3
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      For LDAP users, /rest/v1/security/users does not populate the "roles" attribute with default realm roles whose roleId matches an external role; instead, it was noticed that only the externalRoles are returned.
       

      Reproduce

      1. Create a Nexus role with role id 'Developer', name 'Developer test', granting any privilege, e.g. nx-all
      2. Create another Nexus role with role id 'Devops', name 'Devops test', granting any privilege, e.g. nx-all
      3. Assign an external role 'Developer' to the LDAP user (testuser1) from the Active Directory
      4. Directly map an LDAP user (testuser1) from Nexus Repo by assigning both 'Developer test' and 'Devops test' roles to it
      5. Call the GET rest/v1/security/users?userId=<USER_ID> API and check if roles are returned:
      curl -X 'GET' \
       'http://localhost:8081/service/rest/v1/security/users?userId=testuser1' \
       -H 'accept: application/json' \
       -H 'NX-ANTI-CSRF-TOKEN: 0.09931115428391735'

      Response body:

      [
        {
          "userId": "testuser1",
          "firstName": "testuser1",
          "lastName": null,
          "emailAddress": "testuser1@win.blackforest.local",
          "source": "LDAP",
          "status": "active",
          "readOnly": true,
          "roles": ["Devops"],
          "externalRoles": ["Developer", "Users"]
        }
      ]

      Notice that the "roles" attribute only returns the role that does not match the external role. The roles were expected to be populated with "Developer", "Devops".

      Expected response:

      The API should always list the local roles assigned to a directly mapped LDAP (external) user.
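
      Because the omitted role still grants privileges (nx-all in the steps above), an access review that reads only "roles" from this endpoint under-reports what the user holds. The check below is an added example, not Sonatype code: it compares the response shown in the report with a reviewer-maintained record of directly mapped role ids; the function name and the EXPECTED_LOCAL_ROLES structure are assumptions.

```python
import json

# Response body as shown in the report (user testuser1, source LDAP).
REPORTED_RESPONSE = """
[{"userId": "testuser1", "firstName": "testuser1", "lastName": null,
  "emailAddress": "testuser1@win.blackforest.local", "source": "LDAP",
  "status": "active", "readOnly": true,
  "roles": ["Devops"], "externalRoles": ["Developer", "Users"]}]
"""

# Assumption: the reviewer's own record of role ids mapped directly to each
# user in Nexus Repo (here, the two roles assigned in the reproduce steps).
EXPECTED_LOCAL_ROLES = {"testuser1": {"Developer", "Devops"}}


def find_unreported_roles(users, expected_local_roles):
    """Return one finding per user whose "roles" omits a directly mapped role.

    A missing role id that also appears in "externalRoles" matches the
    behaviour in this report; any other missing id is listed separately
    because this bug does not explain it.
    """
    findings = []
    for user in users:
        expected = set(expected_local_roles.get(user["userId"], ()))
        reported = set(user.get("roles") or [])        # tolerate null/absent
        external = set(user.get("externalRoles") or [])
        missing = expected - reported
        if missing:
            findings.append({
                "userId": user["userId"],
                "source": user.get("source"),
                "missing": sorted(missing),
                "shadowed_by_external": sorted(missing & external),
                "unexplained": sorted(missing - external),
            })
    return findings


if __name__ == "__main__":
    users = json.loads(REPORTED_RESPONSE)
    for finding in find_unreported_roles(users, EXPECTED_LOCAL_ROLES):
        print(json.dumps(finding))
```
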

            People

            Assignee:
            Unassigned
            Reporter:
            Jay Sinha (jsinha)
            Last Updated By:
            Peter Lynch
            Team:
            NXRM - Sentinels
            Owner:
            Matthew Piggott
            Votes:
            0
            Watchers:
            9
