Bug 1014219
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | RBAC: Control element visibility for users with multiple scoped roles | | |
| Product | [JBoss] JBoss Enterprise Application Platform 6 | Reporter | Jakub Cechacek <jcechace> |
| Component | Web Console | Assignee | Harald Pehl <hpehl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Jakub Cechacek <jcechace> |
| Severity | urgent | Docs Contact | Russell Dickenson <rdickens> |
| Priority | unspecified | | |
| Version | 6.2.0 | CC | brian.stansberry, hpehl, jcechace, jkudrnac, kkhan, lcosti, lthon, myarboro, rdickens, smumford |
| Target Milestone | DR6 | | |
| Target Release | EAP 6.3.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-28 15:39:52 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1074493 | | |
| Bug Blocks | | | |

Doc Text:

Users assigned to multiple scoped roles could see control elements in the management console for operations they were not permitted to perform in the context they were viewing. For example, a user holding the host-scoped roles *host-master-administrator* and *host-slave-monitor* should see controls such as the *Add* button on the server configurations page only in the context of host master, where the user is an Administrator. In the context of host slave, where the user is only a Monitor, the button should not have been offered, but it was. (The original report, and the earlier version of this text, had the two hosts the wrong way round; see the comments below.)

Operations that were incorrectly offered failed if attempted, because access control is enforced by the server when the management operation is executed, not by the console. There was no security violation: the defect affected only what the console displayed.

This issue in the management console has been fixed in this release. Control elements that are not relevant to the user's role in the current context remain visible but are grayed out and inactive.
Description
Jakub Cechacek
2013-10-01 14:24:39 UTC
So the user experience would be that the button is visible in a context when it should not be, but the operation will fail if the user attempts it?

Yes.

If we cannot resolve this issue with our current timeline, we should defer.

Added text for a known issue.

It's a known issue that has already been postponed. See above.

Acknowledged. I already added text for the release note.

The original report, and in consequence also the Doc Text, is wrong in one detail: the control elements should only be visible in context of host _master_ (as for this host, the user is in the administrator role). Jakub, please confirm.

That's true, I've accidentally switched the context in my description. Russell, can you correct the Doc Text please?

Modified Doc Text content (appears to gel with Jakub's comment 12) and marked for inclusion in 6.2 Release Notes document.

Part of this is done by https://github.com/jbossas/jboss-eap/pull/1024

Harald Pehl <hpehl> updated the status of jira HAL-238 to Resolved

Verified 6.3.0.ER1

Edited release note as per bug 1097786.
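The behaviour described in the Doc Text and corrected in the comments above, as an added illustrative model in Python. This is not HAL or EAP code: the base-role permission sets, the two scoped roles, the host names and the resource address format are constructed here to mirror the report. The model shows the defective visibility computation (permissions unioned across all of the user's roles, ignoring which host is being viewed), the fixed one (button rendered but disabled unless the user can write in the current host context), and the server-side check that rejects the operation regardless of what the console rendered.

```python
"""
Added illustrative model, not HAL/EAP code: console control visibility must be
derived from the role a user holds in the *current* host scope, and the
server-side authorization check, not the UI, is the actual control.

Role names, permission sets, host names and the address format below are
constructed to mirror bug 1014219; the real EAP RBAC model is richer.
"""
from dataclasses import dataclass

# Constructed subset of base roles and what each may do.
BASE_PERMISSIONS = {
    "Monitor": frozenset({"read"}),
    "Administrator": frozenset({"read", "write"}),  # "write" covers adding a server config
}


@dataclass(frozen=True)
class HostScopedRole:
    """A base role restricted to a set of hosts (EAP's host-scoped role concept)."""
    name: str
    base_role: str
    hosts: frozenset


# Constructed roles matching the report: Administrator on master, Monitor on slave.
ROLES = {
    "host-master-administrator": HostScopedRole(
        "host-master-administrator", "Administrator", frozenset({"master"})),
    "host-slave-monitor": HostScopedRole(
        "host-slave-monitor", "Monitor", frozenset({"slave"})),
}


def effective_permissions(user_roles, host):
    """Permissions the user actually has on `host`: the union over only those
    scoped roles whose scope includes this host."""
    perms = set()
    for role_name in user_roles:
        role = ROLES[role_name]
        if host in role.hosts:
            perms |= BASE_PERMISSIONS[role.base_role]
    return perms


def authorize(user_roles, host, permission):
    """Single decision point used by the server (and by the fixed console)."""
    return permission in effective_permissions(user_roles, host)


def render_add_button_buggy(user_roles, host):
    """The defect: permissions are unioned across ALL of the user's roles and
    the host being viewed is ignored, so the Add button is active on slave too."""
    perms = set()
    for role_name in user_roles:
        perms |= BASE_PERMISSIONS[ROLES[role_name].base_role]
    return {"visible": True, "enabled": "write" in perms}


def render_add_button_fixed(user_roles, host):
    """After the fix: the button stays visible but is grayed out (disabled)
    unless the user may write in the current host context."""
    return {"visible": True, "enabled": authorize(user_roles, host, "write")}


def add_server_config(user_roles, host, name):
    """Server-side enforcement of the management operation. This runs no matter
    what the console rendered, which is why the UI defect was not a security
    violation. The address string is a constructed imitation of EAP's format."""
    if not authorize(user_roles, host, "write"):
        raise PermissionError(f"not authorized to add server-config on host '{host}'")
    return f"/host={host}/server-config={name} added"


if __name__ == "__main__":
    user = ("host-master-administrator", "host-slave-monitor")
    for host in ("master", "slave"):
        print(host, "buggy:", render_add_button_buggy(user, host),
              "fixed:", render_add_button_fixed(user, host))
    try:
        add_server_config(user, "slave", "server-three")
    except PermissionError as e:
        print("slave:", e)
    print(add_server_config(user, "master", "server-three"))
```

Running the block prints the buggy and fixed rendering for each host context and shows the server rejecting the slave-context operation while accepting the master-context one. The point for a reviewer is that the console's enabled/disabled state is a usability hint that should be computed from the same scoped-role resolution the server applies; when the two diverge, the server's answer is the one that counts, which is exactly why the page records no security violation.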