Bug 1088941
| Summary: | /broker/rest/teams returns all global teams for users with view_global_teams capability | | |
|---|---|---|---|
| Product: | OpenShift Online | Reporter: | Jordan Liggitt <jliggitt> |
| Component: | Pod | Assignee: | Jordan Liggitt <jliggitt> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.x | CC: | jliggitt, xtian, zzhao |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1089647 | Environment: | |
| Last Closed: | 2014-05-15 15:29:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1089647 | | |
Description
Jordan Liggitt
2014-04-17 13:19:06 UTC

Will merge in https://github.com/openshift/origin-server/pull/5298

Comment 1

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/3fd9778cb7f8770fe597a78adcf26e1c50343b1a
Bug 1088941: Exclude non-member global teams from index

Comment 2

Assigned this bug.

Comment 3

If a user is a member of a global team, then even if --allowviewglobalteams is set to 'false', the user still can view the team.

1. Set --allowviewglobalteams to false:

```
#oo-broker oo-admin-ctl-user -l zzhao --allowviewglobalteams false
Setting view_global_teams capability to false for user zzhao... Done.
User zzhao:
  plan: free
  consumed domains: 0
  max domains: 1
  consumed gears: 0
  max gears: 3
  max tracked storage per gear: 0
  max untracked storage per gear: 0
  max teams: 0
  viewing all global teams allowed: false
  plan upgrade enabled: true
  gear sizes: small
  sub accounts allowed: false
  private SSL certificates allowed: false
  inherit gear sizes: false
  HA allowed: false
```

2. Check the team through the REST API:

```
[root@ip-10-153-148-122 local]# curl -k -s -H "Accept:application/xml" https://localhost/broker/rest/teams/ -u zzhao
Enter host password for user 'zzhao':
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <type>teams</type>
  <data>
    <team>
      <id>535091228a2c7af85d000001</id>
      <name>g1</name>
      <maps-to>1</maps-to>
      <global>true</global>
      <links>
        <link>
          <rel>Get team</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001</href>
          <required-params/>
          <optional-params/>
        </link>
        <link>
          <rel>list members</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001/members</href>
          <required-params/>
          <optional-params/>
        </link>
      </links>
    </team>
  </data>
  <messages>
    <message>
      <severity>info</severity>
      <text>Listing teams for user zzhao</text>
      <exit-code>0</exit-code>
      <field nil="true"></field>
      <index nil="true"></index>
    </message>
  </messages>
  <version>1.6</version>
  <api-version>1.6</api-version>
  <supported-api-versions>
    <supported-api-version>1.0</supported-api-version>
    <supported-api-version>1.1</supported-api-version>
    <supported-api-version>1.2</supported-api-version>
    <supported-api-version>1.3</supported-api-version>
    <supported-api-version>1.4</supported-api-version>
    <supported-api-version>1.5</supported-api-version>
    <supported-api-version>1.6</supported-api-version>
  </supported-api-versions>
</response>
```

Comment 4

Users can always view teams they are a member of. The view_global_teams capability controls searching all global teams, and viewing global teams the user is not a member of.

Behavior described in comment 3 is correct: "if user is member of global team, then even if --allowviewglobalteams set to 'false', the user still can view the team."

Comment 5

Then I don't know the function of the option '--allowviewglobalteams'?

1) If the user is not a member of a global team, no matter whether --allowviewglobalteams is true or false, the user cannot view the global team.
2) If the user is a member of a global team, no matter whether --allowviewglobalteams is true or false, the user still can view the global team.

Comment 6

If view_global_teams is true:

1. the user can search for global teams using /broker/rest/teams?search=...&global=true
2. the user can view global teams they are not a member of using /broker/test/team/:id

If view_global_teams is false:

1. the user cannot search for global teams at all using /broker/rest/teams?search=...&global=true
2. the user can only view a global team directly using /broker/test/team/:id if they are a member of the global team

The purpose of the capability is to prevent a user from searching for global teams, or viewing global teams they are not a member of.

Comment 7

Sorry, I have a little confusion. This bug has a little contradiction with comment 6:

1. The bug's expected result is that the user cannot view the global team when view_global_teams is true and the user is not a member, and comment 6 said the user can view global teams they are not a member of using /broker/test/team/:id.

Comment 8

This bug is about the LIST_TEAMS API:

```json
"LIST_TEAMS": {
  "href": "https://.../broker/rest/teams",
  "method": "GET",
  "optional_params": [ ],
  "rel": "List all teams you are a member of",
  "required_params": [ ]
},
```

/broker/rest/teams should only list teams the user is a member of. The bug's expected result is that only global teams they are a member of appear in LIST_TEAMS.

Comment 6 is also correct: they can view any global team directly using /broker/rest/team/:id.

Comment 9

OK, got it, sorry for wasting your time on this. Thanks very much.

Then verified this bug on devenv_stage_812: cannot list the global team through the REST API at /broker/rest/teams, but can list the global team at /broker/rest/teams/:id.
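The access rules spelled out in comments 6 and 8 (index by membership only, search and non-member lookup gated on view_global_teams), as an added Ruby model; this is not origin-server's code, and Team, User, the sample teams and the function names are constructed stand-ins, with the pre-fix index shown beside the fixed one.

```ruby
# Added example (not origin-server code): a model of the view_global_teams
# authorization rules from this bug. Team and User are constructed stand-ins.
Team = Struct.new(:id, :name, :global, :member_ids)
User = Struct.new(:login, :view_global_teams)

# Constructed sample data: a global team the user belongs to (id taken from the
# curl output above), a global team they do not belong to, and a private team.
TEAMS = [
  Team.new("535091228a2c7af85d000001", "g1", true, ["zzhao"]),
  Team.new("t2", "g2", true, ["xtian"]),
  Team.new("t3", "mine", false, ["zzhao"]),
].freeze

def member?(user, team)
  team.member_ids.include?(user.login)
end

# Pre-fix behaviour (the bug): the index also returned every global team to a
# user holding the capability, so non-member global teams leaked into the list.
def list_teams_before_fix(user, teams = TEAMS)
  teams.select { |t| member?(user, t) || (t.global && user.view_global_teams) }
end

# GET /broker/rest/teams (LIST_TEAMS) after the fix: membership only,
# regardless of the capability.
def list_teams(user, teams = TEAMS)
  teams.select { |t| member?(user, t) }
end

# GET /broker/rest/teams?search=...&global=true: requires the capability.
def search_global_teams(user, query, teams = TEAMS)
  return [] unless user.view_global_teams
  teams.select { |t| t.global && t.name.include?(query) }
end

# GET /broker/rest/team/:id: members always; non-members only for global teams
# when the capability is set. Returns nil where the broker would refuse.
def get_team(user, id, teams = TEAMS)
  team = teams.find { |t| t.id == id }
  return nil unless team
  return team if member?(user, team)
  return team if team.global && user.view_global_teams
  nil
end
```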