Users fail to login after enabling candid/rbac if they existed before

I can confirm this behavior. It's not restricted to the user "admin" either, any users who previously registered with "normal" maas auth will not be able to also register with Candid. I'm guessing the behavior works in reverse, although I haven't tested it yet.

See this attached log for a MAAS error message complaining about non-unique pks:

https://pastebin.ubuntu.com/p/MbsHCKFCx7/

This seems to be a MAAS specific issue -- As Candid/canonical-rbac report a successful authentication.

To me, the correct behavior should be to remove any "old" auth methods after setting configauth in MAAS. Perhaps they can be backed up, but I think it would be reasonable to purge them entirely.

I think that maybe keeping users still there in case you revert back to internal backend makes sense (without having to restore a backup of users), but they should be completely dormant and not influence rbac while switched away.

This may be a duplicate of LP:1887877 - is the email attribute configured in the same way in Candid as it is for the local user?

I'm not sure they are the same problem. Maybe the solution still applies, but the symptom is different.

In this case, user can login normally from candid side, rbac passes OK to maas, and maas does not allow the user to login because it thinks the user has no attribute configured (neither admin nor user). It's the same behavior as if I take all roles from a working account, it will stop logging in in maas with a message "User not allowed".

The email field is not the same. For the internal one I had something like "<email address hidden>" and for the rbac admin one I had something like "<email address hidden>", definitely not equal.

But we do see in the logs a message about key value unique constraint. My initial thought it was about the username being both in internal db and rbac, but it could be something else.

Currently, email has to be unique in MAAS. When enabling RBAC, local users are disabled but not removed, so if there's already a user with that email MAAS will fail to create a new one for the remote auth.

A workaround would be to remove the local user.

Just to be clear, emails are not the same, what is the same is the username.

Maas is initialized with:

sudo maas createadmin --username admin --password adminpass --email <email address hidden> --ssh-import xxx

And when configuring candid, a "static" user is added with name "admin" but with a different email (specifically, <email address hidden>). It still triggers the issue.

No domain is set for those static users so login happens without the @domain part, making the username just "admin" for both cases.

I'm waiting for logs from the customer and will add them here shortly.

Username is also currently unique.

Understood. Thank you for confirming that.