HCL-TECH-SOFTWARE / connections-automation

Deployment and upgrade automation scripts for HCL Connections 7.0 based on Ansible
Apache License 2.0

Role everyone incorrectly set in set_all_auth_role #324

Closed marde16 closed 7 months ago

marde16 commented 8 months ago

The playbook connections-restrict-access.yml modifies the default mapping of the role everyone from Everyone to All Authenticated in the application's realm.

The Connections documentation (https://help.hcltechsw.com/connections/v7/admin/admin/r_admin_common_user_roles.html) says about the Everyone role:

Users with this role can access public pages without signing in to the application. The login page is an example of a page that allows such access.

Do not change the default mapping for this role because it is used internally by HCL Connections. Changing the mapping might affect the ability to log in to the application.

Therefore the setting for everyone should be yes and the allauth variables should be empty.

```yaml
- { __role: "everyone", __everyone: "yes", __allauth: '""', __users: '""', __groups: '""', __allauth_trusted: '""', __mappeduseraccessids: '""', __mappedgroupaccessids: '""' }
```

https://github.com/HCL-TECH-SOFTWARE/connections-automation/blob/f23269a34de6c3233941cc1d76b3e395fcfeb899/roles/hcl/connections/set_all_auth_role/tasks/main.yml#L14-L31

sabrina-yee commented 7 months ago

This script is for the playbook to disable anonymous access. Therefore, the everyone role is set to "no". We'll review the related documentation to more accurately describe anonymous access. Thanks for the feedback.

stoeps13 commented 7 months ago

The everyone role is needed to display the login form. If you set everyone to no, no login is possible!

To disable anonymous access, you have to set reader to authenticated.

From the documentation: [image]

You want to set reader, do not touch Everyone! [image]

It is important that the reader role is changed from Everyone to Authenticated, but the everyone role has to stay mapped to Everyone, or login breaks. Even OIDC will break, because the forward rules end in a 404.
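As an added illustration (not code from connections-automation), here is a small check over a role-mapping list in the shape quoted in the issue (the `__role` / `__everyone` / `__allauth` keys), encoding the two rules from this thread: everyone stays mapped to Everyone, and reader is the role that moves to All Authenticated. The sample mappings are constructed, not taken from the project's task file.

```python
# Added example, not part of connections-automation. Checks a list of role
# mappings in the set_all_auth_role variable shape for the mistake in this issue.

EMPTY = '""'  # the playbook writes an empty mapping as a quoted empty string
OTHER_KEYS = ("__allauth", "__users", "__groups", "__allauth_trusted",
              "__mappeduseraccessids", "__mappedgroupaccessids")


def check_role_mappings(mappings, disable_anonymous=True):
    """Return a list of findings (empty list means the mappings look right).

    Rules from the thread: 'everyone' must keep __everyone: "yes" with every
    other mapping empty (the login form and OIDC redirects depend on it); when
    anonymous access is to be disabled, 'reader' must map to All Authenticated.
    """
    findings = []
    by_role = {m["__role"]: m for m in mappings}

    everyone = by_role.get("everyone")
    if everyone is None:
        findings.append("everyone: role mapping missing")
    else:
        if everyone.get("__everyone") != "yes":
            findings.append('everyone: must keep __everyone: "yes" or login breaks')
        for key in OTHER_KEYS:
            if everyone.get(key, EMPTY) != EMPTY:
                findings.append(f"everyone: {key} should be empty, got {everyone[key]}")

    if disable_anonymous:
        reader = by_role.get("reader")
        if reader is None:
            findings.append("reader: mapping missing; anonymous access still allowed")
        elif reader.get("__everyone") == "yes" or reader.get("__allauth") != "yes":
            findings.append('reader: should be __everyone: "no", __allauth: "yes"')
    return findings


def _mapping(role, everyone, allauth):
    # Constructed helper: builds one entry in the shape quoted in the issue.
    entry = {"__role": role, "__everyone": everyone, "__allauth": allauth}
    entry.update({k: EMPTY for k in OTHER_KEYS if k != "__allauth"})
    return entry


# Constructed samples: the reported state, and the state stoeps13 describes.
BROKEN = [_mapping("everyone", "no", "yes")]
FIXED = [_mapping("everyone", "yes", EMPTY), _mapping("reader", "no", "yes")]
```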

sabrina-yee commented 7 months ago

We have been using this playbook for internal deployments including OIDC, which is why I'd like the documentation to be reviewed to understand more about the discrepancy between automation requirements and documentation.

pln-git4011 commented 4 months ago

Closing this per previous comments; the documentation is to be reviewed to understand more about the discrepancy between automation requirements and documentation.