Gateway does not add new roles on CAM login
Checked for duplicates
No - I haven't checked
Is this a regression?
Yes - This worked in a previous version
Version
3.4.0
Describe the bug
CAM SSO, initially logged in with gateway configured with default array for roles. Changed configuration to include aerie_admin but the role was not added when I logged back in.
Reproduction
see above
Logs
System Info
podman on rhel9, firefox, mac
Severity
Moderate
Hmm, I can see how that would be the expected behavior. If I remember correctly, the configuration is only consulted once on initialization, and after that you would need to use... SQL to modify the default roles...? I was going to say GraphQL but I don't see a yaml file for that table. @Mythicaeda may remember more here
I had him write the ticket because I pulled up the Gateway code and, near as I can tell, it's supposed to update. From the CamAuthAdaptor:
    // if mappings exist, we treat them as the source of truth
    if (authGroupMappingsExist()) {
      // get existing allowed_roles from DB
      const existing_roles = await getUserRoles(userId, default_role, allowed_roles);
      // calculate if allowed_roles in DB match our freshly calculated mapping
      // these could differ if either AUTH_GROUP_ROLE_MAPPINGS changes, or if
      // user's membership in external auth groups changes.
      const existing_set = new Set(existing_roles.allowed_roles);
      const mapped_roles_match_db =
        allowed_roles.length == existing_roles.allowed_roles.length && allowed_roles.every(e => existing_set.has(e));
      // if they are different, upsert roles from mapping (source of truth)
      // we could do this every single time, but by only upserting when
      // they actually differ, we save on DB trips
      if (!mapped_roles_match_db) {
        await syncRolesToDB(userId, default_role, allowed_roles);
      }
    }
Also, for help with our debugging, this was not using CAM SSO, it was CAM UserPass (users still went through the Aerie UI login screen)
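An added example, not part of the thread and not the Gateway's own code: an in-memory model of the reconciliation in the excerpt above, showing which logins rewrite a user's stored roles. The `Map`, `login`, `rolesMatch`, `scenario`, the synchronous calls and the sample role lists are assumptions; what happens when no mappings exist is not shown in the excerpt, so the model follows the first comment's recollection that configured roles are only written on a user's first login.

```javascript
// Added example: in-memory stand-in for the roles table (hypothetical).
const db = new Map(); // userId -> { default_role, allowed_roles }

function getUserRoles(userId, default_role, allowed_roles) {
  // Assumption: the first login seeds the row; later logins read it back.
  if (!db.has(userId)) {
    db.set(userId, { default_role, allowed_roles: [...allowed_roles] });
  }
  return db.get(userId);
}

function syncRolesToDB(userId, default_role, allowed_roles) {
  db.set(userId, { default_role, allowed_roles: [...allowed_roles] });
}

// Same comparison as the excerpt: equal length and every mapped role found
// in the stored set. Order does not matter. It is a true set comparison only
// while neither list contains duplicate entries.
function rolesMatch(mapped, stored) {
  const existing_set = new Set(stored);
  return mapped.length == stored.length && mapped.every(e => existing_set.has(e));
}

// One login. `mappingsExist` plays the part of authGroupMappingsExist().
// Returns true when the stored row was rewritten.
function login(userId, default_role, allowed_roles, mappingsExist) {
  const existing = getUserRoles(userId, default_role, allowed_roles);
  if (!mappingsExist) return false; // stored roles are left as they are
  if (rolesMatch(allowed_roles, existing.allowed_roles)) return false;
  syncRolesToDB(userId, default_role, allowed_roles);
  return true;
}

// Constructed scenario: the calculated roles gain aerie_admin between logins.
function scenario(mappingsExist) {
  db.clear();
  login("user1", "user", ["user", "viewer"], mappingsExist);
  const synced = login("user1", "user", ["user", "viewer", "aerie_admin"], mappingsExist);
  return { synced, roles: db.get("user1").allowed_roles };
}

console.log(scenario(true));  // row rewritten, aerie_admin present
console.log(scenario(false)); // row unchanged, aerie_admin absent
```

In this model the stored roles only follow a configuration change when the mappings gate is open, which makes the value returned by `authGroupMappingsExist()` and the `allowed_roles` list passed in the two things worth logging when a role fails to appear.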