Bug 1479583

Summary: EvmRole-auditor can perform actions on VM
Product: Red Hat CloudForms Management Engine
Reporter: George Field <george.field>
Component: UI - OPS
Assignee: Martin Povolny <mpovolny>
Status: CLOSED CURRENTRELEASE
QA Contact: Landon LaSmith <llasmith>
Severity: high
Docs Contact:
Priority: high
Version: 5.8.0
CC: abellott, cpelland, george.field, gtanzill, hkataria, jhardy, lavenel, llasmith, mpovolny, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1553392
Environment:
Last Closed: 2019-02-11 13:54:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1553392

Description George Field 2017-08-08 21:35:26 UTC
Description of problem:
According to Red Hat doc, role EvmRole-auditor should have no permission to perform any actions on VMs. However, users having that role are able to power on/power off VMs.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a user and assign role EvmRole-auditor.
2. Log in with the user.
3. Go to any VM and click on the Power button; all actions are visible and can be performed.

Actual results:
User is able to power on/power off VMs.

Expected results:
User shouldn't even be able to see the power button, or actions should be disabled.

Additional info:
EvmRole-security has the same problem.

Comment 3 Martin Povolny 2017-10-31 20:15:39 UTC
> According to Red Hat doc

Can you give me a link to that doc, please?

Comment 6 Martin Povolny 2017-11-04 12:04:19 UTC
As a workaround you can copy the pre-defined Auditor role to a new role, fix the permissions under the new role and assign the new role in place of the pre-defined role.

I am working on a fix here: https://github.com/ManageIQ/manageiq/pull/16394

Comment 7 George Field 2017-11-04 14:32:29 UTC
Hi Martin,
Thank you very much for working on the fix.
CloudForms is the best in its kind and I am very happy to see it's getting better and better because of you guys. Awesome!
Regards,
George Field

Comment 9 Martin Povolny 2018-03-08 18:20:53 UTC
No, just needs POSTing, sorry.

Comment 11 Landon LaSmith 2018-08-05 18:48:38 UTC
VERIFIED in 5.10.0.8. While logged in as a user with EvmRole-auditor permissions, I was unable to power on/off a VM.