Tanzu Hub retains stale Administrator permissions for LDAP users after removal from Group
Article ID: 436463

Products

VMware Tanzu Platform Core

Issue/Introduction

In environments using LDAP/Active Directory for identity management, users who have been removed from an administrative LDAP group may still retain "Administrator" privileges within Tanzu Hub. This stale permission state persists until the user performs a fresh authentication directly against the source foundation (Ops Manager).

Environment

  • Product: VMware Tanzu Platform - Hub
  • Affects Version: 10.3.x (and prior)
  • Platform: Tanzu Platform for Cloud Foundry (TPCF) / Ops Manager
  • Identity Provider: External LDAP / Active Directory (AD) integrated with Ops Manager UAA.
  • Configuration:
    • Foundations attached to Tanzu Hub.
    • Administrative access granted via LDAP group mappings in Ops Manager.

Cause

The issue stems from how Tanzu Hub synchronizes permissions from Ops Manager:

  • Role-Based Sync: Hub synchronizes specific RoleBindings (e.g., "User X has Admin privileges") rather than dynamic group memberships.
  • Auth-Triggered Updates: Ops Manager UAA uses a "Sync-on-Auth" model. It only queries LDAP to update a user's scopes during an active authentication event.
  • Stale State: If a user is removed from an LDAP group but does not log back into Ops Manager, the RoleBinding remains active in the foundation. Tanzu Hub continues to pull and honor this stale permission during its own synchronization cycles.
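The following Python model is an added illustration, not Tanzu Hub, Ops Manager or UAA code. It reproduces the sync-on-auth behaviour described above (the RoleBinding is rewritten only when the user authenticates, and Hub copies whatever binding the foundation holds) and adds a small audit that flags Hub administrators who are no longer members of the LDAP group. The group DN and usernames are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample DN; substitute the mapped admin group from Ops Manager.
ADMIN_GROUP = "cn=tanzu-admins,ou=groups,dc=example,dc=com"


@dataclass
class LdapDirectory:
    groups: dict  # group DN -> set of member usernames (constructed)

    def is_member(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())


@dataclass
class Foundation:
    """Ops Manager UAA view: scopes are refreshed only on authentication."""
    ldap: LdapDirectory
    admin_bindings: set = field(default_factory=set)

    def authenticate(self, user: str) -> None:
        # Sync-on-auth: LDAP is consulted here and nowhere else.
        if self.ldap.is_member(user, ADMIN_GROUP):
            self.admin_bindings.add(user)
        else:
            self.admin_bindings.discard(user)


@dataclass
class Hub:
    """Tanzu Hub copies RoleBindings; it never evaluates LDAP groups itself."""
    admins: set = field(default_factory=set)

    def sync(self, foundation: Foundation) -> None:
        self.admins = set(foundation.admin_bindings)


def stale_admins(hub: Hub, ldap: LdapDirectory) -> set:
    """Audit: Hub admins whose LDAP group membership has since been removed."""
    return {u for u in hub.admins if not ldap.is_member(u, ADMIN_GROUP)}


def scenario() -> tuple:
    ldap = LdapDirectory({ADMIN_GROUP: {"alice", "bob"}})
    fnd, hub = Foundation(ldap), Hub()
    for u in ("alice", "bob"):
        fnd.authenticate(u)          # both log in once; bindings created
    hub.sync(fnd)
    ldap.groups[ADMIN_GROUP].discard("bob")  # bob removed from the group
    hub.sync(fnd)                    # Hub re-syncs, stale binding survives
    before = stale_admins(hub, ldap)
    fnd.authenticate("bob")          # bob logs in again; scope is dropped
    hub.sync(fnd)
    return before, stale_admins(hub, ldap)
```

Running `scenario()` returns `({'bob'}, set())`: the audit catches the stale administrator while Hub still honors the binding, and the re-authentication clears it.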

Resolution

R&D has accepted this as a defect (TNZ-89270). A fix is being prepared to ensure Hub does not rely solely on stale RoleBindings and properly validates or synchronizes group-based authorization.

Fixed Version

This behavior is scheduled to be addressed in the first patch for Tanzu Hub 10.4, currently targeted for May 2026.

Workaround

Until the May 2026 patch is applied, administrators can force a permission update using one of the following methods:

  1. Manual Re-authentication: Direct the impacted user to log out and log back into the Ops Manager UAA to trigger a fresh LDAP group sync.
  2. Manual Role Removal: Manually remove the stale administrative RoleBinding within the foundation (Ops Manager/UAA) to ensure the change propagates to Tanzu Hub.