Bug 1291269

Summary: Calamari API: User with read/write role is able to add/delete a user
Product: [Red Hat Storage] Red Hat Ceph Storage
Component: Calamari
Calamari sub component: Back-end
Version: 1.3.1
Hardware: Unspecified
OS: Unspecified
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: 1.3.4
Reporter: Harish NV Rao <hnallurv>
Assignee: Christina Meno <gmeno>
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
CC: anharris, ceph-eng-bugs, flucifre, kdreyer
Fixed In Version:
Doc Type: Bug Fix
Type: Bug
Last Closed: 2018-02-20 20:58:58 UTC

Description Harish NV Rao 2015-12-14 13:25:02 UTC
Description of problem:
As per the doc at http://calamari.readthedocs.org/en/v1.3/operations/users.html, a user with the 'read/write' role cannot add/delete a user. Refer to "Read/write user role has the ability to see every resource and add or changes any resource that is not users and roles."

Version-Release number of selected component (if applicable): Ceph 1.3.1 on RHEL 7.2 with Django REST Framework version 2.3.12.

How reproducible: always

Steps to Reproduce:
1) Create a user using: "calamari-ctl add_user <new-user> --password <password> --email <email>"
2) Assign the role "read/write" to this newly added user: "calamari-ctl assign_role <new-user> --role read/write"
3) Log in to the Calamari UI as "new-user"
4) Open the Django REST framework browsable API for this user in a new browser tab using the URL: <calamari-admin-ip>/api/v1/user
5) Make sure that the top right-hand corner of the Django REST framework window shows the "new-user" name
6) Select the "Raw Data" tab
7) In the "Content" text box add:
{
    "username": "OneMoreUser",
    "password": "test123",
    "email": "OneMoreUser"
}
8) Click the POST button
9) User creation is successful

Note: the delete operation is also successful (using URL: <calamari-admin-ip>/api/v1/user/<pk>)

Actual results:
 User creation and deletion are successful

Expected results:
User creation and deletion should not be permitted for a read/write role

Additional info:
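The same check, scripted so it can be rerun against a test cluster without the browsable API, as an added example that is not part of Calamari or of this report: it logs in with session authentication, attempts the same POST and DELETE against /api/v1/user, and reports any operation the given role should not have been allowed to perform. The login endpoint /api/v1/auth/login, the csrftoken/X-CSRFToken handling, the "id" field in the create response and the role name "superuser" are assumptions about Calamari 1.3, not taken from the report.

```python
#!/usr/bin/env python3
"""Probe /api/v1/user with a given Calamari account and report whether that
account can create and delete users. Added example, not Calamari code.
Assumptions (not from the bug report): LOGIN_PATH, the csrftoken/X-CSRFToken
handling, the "id" field in the create response, and USER_ADMIN_ROLES."""
import getpass
import json
import sys
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

LOGIN_PATH = "/api/v1/auth/login"   # assumed session-login endpoint
USER_PATH = "/api/v1/user"          # endpoint used in the report
USER_ADMIN_ROLES = ("superuser",)   # assumed: the only role meant to manage users


def user_payload(username, password, email):
    """JSON body for POST /api/v1/user, the same shape the report posts."""
    return json.dumps({"username": username, "password": password,
                       "email": email}).encode("utf-8")


def classify(status):
    """Verdict for one request: 'allowed' (2xx), 'denied' (401/403) or
    'error' (anything else, including None for a request never sent)."""
    if status is None:
        return "error"
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "allowed"
    return "error"


def findings(role, create_status, delete_status):
    """Authorization problems for an account holding `role`: any role outside
    USER_ADMIN_ROLES that gets a 2xx on create or delete is a finding."""
    if role in USER_ADMIN_ROLES:
        return []
    problems = []
    for op, status in (("create", create_status), ("delete", delete_status)):
        if classify(status) == "allowed":
            problems.append("role %r could %s a user (HTTP %d)" % (role, op, status))
    return problems


class CalamariSession:
    """Cookie-based session, as the browsable API uses. Django's CSRF middleware
    expects the csrftoken cookie echoed in X-CSRFToken on POST/DELETE."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def _csrf(self):
        return next((c.value for c in self.jar if c.name == "csrftoken"), "")

    def request(self, method, path, body=None):
        """Return (status, body); HTTP error statuses are returned, not raised."""
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        req.add_header("X-CSRFToken", self._csrf())
        req.add_header("Referer", self.base_url + path)
        try:
            with self.opener.open(req, timeout=15) as resp:
                return resp.getcode(), resp.read()
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read()

    def login(self, username, password):
        body = json.dumps({"username": username, "password": password}).encode("utf-8")
        return self.request("POST", LOGIN_PATH, body)[0]

    def create_user(self, username, password, email):
        return self.request("POST", USER_PATH, user_payload(username, password, email))

    def delete_user(self, pk):
        return self.request("DELETE", "%s/%s" % (USER_PATH, pk))[0]


def main(argv):
    if len(argv) != 4:
        print("usage: %s <base-url> <login-user> <role-of-login-user>" % argv[0])
        return 2
    base_url, login_user, role = argv[1:]
    session = CalamariSession(base_url)
    if classify(session.login(login_user, getpass.getpass())) != "allowed":
        print("login failed")
        return 1
    # Same throwaway account as in the report; run this against a test cluster only.
    create_status, body = session.create_user("OneMoreUser", "test123", "OneMoreUser")
    delete_status = None
    if classify(create_status) == "allowed":
        delete_status = session.delete_user(json.loads(body.decode("utf-8"))["id"])
    problems = findings(role, create_status, delete_status)
    for problem in problems:
        print("FINDING: " + problem)
    print("create: HTTP %s, delete: HTTP %s" % (create_status, delete_status))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `check_user_api.py http://<calamari-admin-ip> new-user read/write`; a non-zero exit with FINDING lines means the read/write account was able to manage users, which is the behaviour the report describes, while 403 on both requests is what the documented role model requires. The verdict is deliberately keyed on the HTTP status rather than on the response body, so it is unaffected by how the browsable API renders the result.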