Bug 1066586

Summary: NDA setting prevents ACL's from working
Product: [Retired] Beaker Reporter: Bill Peck <bpeck>
Component: web UIAssignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 0.15CC: aigao, asaha, dcallagh, jburke, llim, pbunyan, rmancy, xjia
Target Milestone: 0.15.5Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-03 01:33:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bill Peck 2014-02-18 16:43:32 UTC 
Description of problem:

We have some systems in beaker that have been set to NDA/Secret and even though the ACL's say that users in a particular group should have access to reserve and edit the system they can't even see the system.

Version-Release number of selected component (if applicable):
0.15.3

How reproducible:
Every time.  

Steps to Reproduce:
1. User A own system A and NDA checked
2. Add group B to System A and User B
3. Add all permissions for group B

Actual results:
User B will not be able to see System A

Expected results:
User B should be able to see and use system.

Additional info:
If system is loaned to User B then user can edit and use system based on the ACL's.
Comment 3 Dan Callaghan 2014-02-19 00:02:18 UTC 
This is an RFE rather than a regression, right? The current behaviour matches the previous behaviour in 0.14, namely that secret systems are only visible to the owner and to the person who they are loaned to.

Anyway this is already fixed in the upcoming 0.16 release by replacing the Secret checkbox with a "view" permission in the access policy.

http://git.beaker-project.org/cgit/beaker/commit/?id=c6101de1f657b3127f55e69674305984a9414e23
Comment 4 Bill Peck 2014-02-19 01:43:42 UTC 
It is a regression.  One of the very confusing overloading of groups in beaker pre 0.15.

What is the ETA on 0.16?  

Thanks
Comment 5 Dan Callaghan 2014-02-19 04:49:20 UTC 
Ahhh yes you're right, not sure how I missed that. In 0.14 and earlier, private systems were visible to group members (as well as owner, user, loan recipient, admins, and accounts with secret_visible permission).
Comment 6 Nick Coghlan 2014-02-19 07:43:24 UTC 
We're hoping to have 0.16rc1 ready for testing next week, but we'll also come up with a patch for 0.15 that adds an implied "view" permission as part of having the "reserve" permission.

That way, even if there are delays in getting 0.16 published, there'll still be a patch that can be used to hot fix this issue in 0.15 deployments.
Comment 7 Dan Callaghan 2014-02-19 07:44:14 UTC 
I think we can fix this for the 0.15.x series by allowing anybody with "reserve" permission to see secret systems. That should be equivalent to the old behaviour in 0.14, since we migrated system groups to be a grant of "reserve" permission in the access policy.

In 0.16+ the real fix will be the new "view" permission.
Comment 8 Dan Callaghan 2014-02-20 04:51:08 UTC 
On Gerrit: http://gerrit.beaker-project.org/2823
Comment 11 Nick Coghlan 2014-03-03 01:33:40 UTC 
This was fixed with the release of Beaker 0.15.5.