Bug 1225274

Summary: 3.5.1 Upgrade adds "Everyone" group to disk profile
Product: Red Hat Enterprise Virtualization Manager
Reporter: nijin ashok <nashok>
Component: ovirt-engine
Assignee: Roy Golan <rgolan>
Status: CLOSED ERRATA
QA Contact: Ondra Machacek <omachace>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.5.1
CC: gklein, howey.vernon, jbelka, juwu, lpeer, lsurette, mgoldboi, pstehlik, rbalakri, rgolan, Rhev-m-bugs, sherold, yeylon, ykaul
Target Milestone: ovirt-3.6.0-rc3
Keywords: Regression, ZStream
Target Release: 3.6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The "DiskProfileUser" role, which was an administrator role, was assigned to the "Everyone" group by default. As a result, when users logged into the User Portal, they saw the Extended tab by default and were exposed to options that they did not have permissions to operate. With this update, the "DiskProfileUser" role is changed to an end-user type role. Users with end-user type roles now see the Basic tab by default.
Story Points: ---
Clone Of:
: 1284233
Environment:
Last Closed: 2016-03-09 21:06:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: SLA
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1284233

Description nijin ashok 2015-05-27 02:27:08 UTC
Description of problem:

After upgrading to 3.5.1, "Everyone" is added by default in the permissions of disk profiles. So every user will have an extra default permission of "DiskProfileUser" inherited from "Everyone". This gives an "extended view" option in the user portal to all users, even users with basic "userrole" permissions. However, every operation in the extended view is denied. For basic VM users, this option is confusing and will expose unintended information, as every piece of information about the VM is visible with the option to edit/remove, although it is denied after the action.

Version-Release number of selected component (if applicable):

rhevm-3.5.1.1-0.1.el6ev.noarch

How reproducible:

100%

Steps to Reproduce:
1. Upgrade the RHEV-M from 3.5.0 to 3.5.1
2. "Everyone" will be added as the default permission for every disk profile, which gives the DiskProfileUser permission to all users.


Actual results:

All users will get "DiskProfileUser" permissions, which gives them an "extended view" in the user portal that is confusing to basic users.

Expected results:

DiskProfileUser need not be added by default

Additional info:

Comment 3 Roy Golan 2015-06-01 14:14:17 UTC
Note: we must make sure that after the fix, any new profile is restrictive and not exposed to everyone.

The solution would then be to make the diskUserProfile a user and not admin.

Comment 5 Max Kovgan 2015-06-28 14:12:25 UTC
ovirt-3.6.0-3 release

Comment 6 Ondra Machacek 2015-06-29 13:57:25 UTC
A user with 'DiskProfileUser' inherited from the Everyone group can't now see the extended user portal. OK in 3.6.0-3.

Comment 7 Jiri Belka 2015-11-11 13:52:35 UTC
This is a clear regression; I see it on 3.5.5 and #2 has a report from a customer. Why hasn't this BZ been merged to 3.5.x?

Comment 13 errata-xmlrpc 2016-03-09 21:06:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html