| Summary: | Issues with RBAC filtering using the REST API | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Aparna Karve <akarve> |
| Component: | API | Assignee: | abellott |
| Status: | CLOSED WORKSFORME | QA Contact: | Taras Lehinevych <tlehinev> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.5.0 | CC: | cpelland, dajohnso, dclarizi, jhardy, jprause, jrafanie, nachandr, obarenbo |
| Target Milestone: | GA | Keywords: | ZStream |
| Target Release: | 5.7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | api:rest:rbac | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1306721 1346974 | Environment: | |
| Last Closed: | 2016-06-20 20:17:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1306721, 1346974 | | |
Description of problem:
Issues with RBAC filtering using the REST API

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Output of this url - /api/services when logged in as a user of group EvmGroup-user_self_service yields the following result -
{"name":"services","count":10,"subcount":0,"resources":[]}
which is correct since the OPS UI does not display Services for this group.
2. However, output of the same url (/api/services) when logged in as a user of group EvmGroup-desktop yields the following result -
{"name":"services","count":10,"subcount":10,"resources":[{"href":"http://localhost:3000/api/services/3"},{"href":"http://localhost:3000/api/services/1"},{"href":"http://localhost:3000/api/services/4"},{"href":"http://localhost:3000/api/services/7"},{"href":"http://localhost:3000/api/services/2"},{"href":"http://localhost:3000/api/services/6"},{"href":"http://localhost:3000/api/services/5"},{"href":"http://localhost:3000/api/services/8"},{"href":"http://localhost:3000/api/services/10"},{"href":"http://localhost:3000/api/services/9"}]}
This is incorrect since a user belonging to this group sees all the services that an Administrator would see. Note that the OPS UI does not display Services for this group.

Actual results:

Expected results:
For a user belonging to the EvmGroup-desktop group, the output from the REST API should be -
{"name":"services","count":10,"subcount":0,"resources":[]}

Additional info:

This may be resolved with Tim's PR https://github.com/ManageIQ/manageiq/pull/6651 on upstream, where we added role identifiers to read actions (e.g. GET), so users of the self service group/role would get the list of services and users of the desktop group/role will be getting a 403 (forbidden). Aparna, can you confirm and let us know?

RBAC for API Services in 5.6
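The reproduction steps above amount to a regression check: GET /api/services as a member of each group must return an empty collection (or, per the follow-up comment, a 403) unless that group's role may view services. Below is an added example of that check, not code from the bug report or from ManageIQ; the status codes, the EvmGroup-super_administrator group name and the set of groups allowed to view services are assumptions, and the response bodies are constructed to match the ones quoted in the report.

```python
import json

# Added example (not from the bug report or ManageIQ): replay the /api/services
# RBAC check against captured (status, body) pairs, one per group.

def service_body(ids):
    """Build a /api/services collection body in the shape quoted in the report (constructed)."""
    return json.dumps({
        "name": "services",
        "count": 10,
        "subcount": len(ids),
        "resources": [{"href": f"http://localhost:3000/api/services/{i}"} for i in ids],
    })

# Constructed (status, body) pairs per group. Status codes are an assumption; the
# report quotes only bodies. The EvmGroup-desktop body reproduces the reported leak.
SAMPLE_RESPONSES = {
    "EvmGroup-user_self_service": (200, service_body([])),
    "EvmGroup-desktop": (200, service_body([3, 1, 4, 7, 2, 6, 5, 8, 10, 9])),
    "EvmGroup-super_administrator": (200, service_body([3, 1, 4, 7, 2, 6, 5, 8, 10, 9])),
}

# Groups whose role includes the Services view feature (assumed: only the admin group).
MAY_VIEW_SERVICES = {"EvmGroup-super_administrator"}

def rbac_verdict(group, status, body, may_view=MAY_VIEW_SERVICES):
    """Classify one response: ok, leak, inconsistent, over-restricted or unexpected."""
    allowed = group in may_view
    if status == 403:
        # Post-fix behaviour described in the comment: denied roles get 403.
        return "ok" if not allowed else "over-restricted"
    if status != 200:
        return f"unexpected-status-{status}"
    doc = json.loads(body)
    resources = doc.get("resources", [])
    if doc.get("subcount") != len(resources):
        return "inconsistent"  # subcount must describe the resources actually returned
    if not allowed and resources:
        return "leak"  # the report's actual result for EvmGroup-desktop
    return "ok"

def audit(responses, may_view=MAY_VIEW_SERVICES):
    """Map each group to its verdict; anything other than 'ok' needs attention."""
    return {g: rbac_verdict(g, s, b, may_view) for g, (s, b) in responses.items()}

if __name__ == "__main__":
    for group, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{group:32} {verdict}")
```

Feeding the function real captures (status code plus body from a GET /api/services issued with each group's credentials) turns the bug's manual comparison into a repeatable check.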