Bug 1525598

Summary: Control->Explorer is visible for evmgroup-security role
Product: Red Hat CloudForms Management Engine
Reporter: Mike Shriver <mshriver>
Component: UI - OPS
Assignee: Harpreet Kataria <hkataria>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Shriver <mshriver>
Severity: medium
Docs Contact:
Priority: high
Version: 5.8.0
CC: apagac, cpelland, hkataria, jhardy, mpovolny, mshriver, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.10.0
Flags: mshriver: automate_bug+
Hardware: Unspecified
OS: Unspecified
Whiteboard: rbac:control
Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1533219 1568045
Environment:
Last Closed: 2018-06-21 20:55:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1533219, 1568045
Attachments:
- Screenshot of evmrole-security configuration (flags: none)
- Screenshot of evmrole-security visibility (flags: none)

Description Mike Shriver 2017-12-13 16:16:24 UTC
Created attachment 1367488
Screenshot of evmrole-security configuration

Description of problem:
The Control->Explorer page is visible when authenticated as a user that has the EvmRole-Security role.

This role should only have access to Control->Simulation and Control->Log. Included screenshot shows evmrole-security default configuration, and default visibility.

Version-Release number of selected component (if applicable):
5.8.2.3

How reproducible:
100%

Steps to Reproduce:
1. Create user with evmgroup-security/evmrole-security
2. Login as user
3. Note visibility for Control->Explorer

Actual results:
Control->Explorer is visible

Expected results:
Only Log and Simulation are visible under Control

Additional info:
Tested with an aws_iam user, but AWS only provides auth, and doesn't impact RBAC.

Comment 2 Mike Shriver 2017-12-13 16:17:10 UTC
Created attachment 1367489
Screenshot of evmrole-security visibility

Comment 3 Dave Johnson 2017-12-13 16:46:01 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 4 Mike Shriver 2017-12-13 17:03:24 UTC
(In reply to Dave Johnson from comment #3)
> Please assess the impact of this issue and update the severity accordingly. 
> Please refer to
> https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a
> reminder on each severity's definition.
> 
> If it's something like a tracker bug where it doesn't matter, please set the
> severity to Low.

ack, set to medium

Comment 5 Mike Shriver 2017-12-13 19:44:46 UTC
This is also true in 5.9.0.12, Control->Explorer is not included in evmrole-security configuration, but is visible to a user with this role.

Comment 6 Mike Shriver 2017-12-15 22:33:56 UTC
This behavior is present for:

EvmRole-security
EvmRole-support
EvmRole-auditor
EvmRole-approver

Comment 7 Antonin Pagac 2018-01-04 14:24:38 UTC
Appliance version: 5.8.3.0

There's also a problem with Automation -> Ansible, it's visible when it should not be, for:

EvmRole-administrator
EvmRole-user_self_service
EvmRole-vm_user
EvmRole-desktop

Tested with ldap user.

Comment 8 Mike Shriver 2018-01-04 15:28:03 UTC
Antonin,

I've written separate bugs for each of the RBAC mismatches that I've found on the default roles.

Please record any issues with Automation->Ansible vertical nav/access control in a separate BZ so that we can accurately track RBAC changes.

Unless Harpreet would prefer these two separate vertical nav issues under one BZ, in which case ignore me.

Comment 9 Antonin Pagac 2018-01-05 10:43:21 UTC
bz 1531499 opened.

Comment 10 Mike Shriver 2018-01-05 13:24:19 UTC
(In reply to Antonin Pagac from comment #9)
> bz 1531499 opened.

Very much appreciated!

Comment 12 CFME Bot 2018-01-09 21:41:49 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/827e8a860363b78f342f111fb6c42764a6994c03

commit 827e8a860363b78f342f111fb6c42764a6994c03
Author:     Harpreet Kataria <hkataria>
AuthorDate: Tue Jan 9 12:18:33 2018 -0500
Commit:     Harpreet Kataria <hkataria>
CommitDate: Tue Jan 9 12:18:33 2018 -0500

    Fixed control explorer feature id
    
    Fixed control explorer feature id for EvmRole-security, EvmRole-support,EvmRole-auditor, EvmRole-approver roles. This was causing confusion by not showing them as selected in the Product features tree whereas these roles did have an access to Control explorer in UI.
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1525598

 db/fixtures/miq_user_roles.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
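The root cause recorded in the commit above is a role fixture whose feature identifier did not line up with the product features tree, so the UI granted Control->Explorer while the role editor did not show it as selected. A fixture consistency check catches that class of drift before it reaches a deployed appliance. The script below is an added example, not ManageIQ's own code; the YAML shapes for the roles fixture and the features tree are constructed for illustration and are assumptions, not copied from db/fixtures.

```ruby
require 'yaml'
require 'set'

# Constructed sample of a product-features tree (nested identifiers).
# The shape is an assumption for illustration, not the real fixture layout.
FEATURE_TREE_YAML = <<~YAML
  identifier: everything
  children:
  - identifier: control
    children:
    - identifier: control_explorer
    - identifier: control_simulation
    - identifier: control_log
YAML

# Constructed sample of a roles fixture. EvmRole-security references an
# identifier that the tree does not define (a typo of control_explorer);
# EvmRole-auditor is consistent with the tree.
ROLES_YAML = <<~YAML
  - name: EvmRole-security
    features:
    - control_simulation
    - control_log
    - control_explore
  - name: EvmRole-auditor
    features:
    - control_explorer
    - control_log
YAML

# Walk the features tree and collect every identifier it defines.
def collect_identifiers(node, acc = Set.new)
  acc << node['identifier']
  (node['children'] || []).each { |child| collect_identifiers(child, acc) }
  acc
end

# Return { role name => [feature ids not present in the tree] }, only for
# roles that have at least one unknown identifier. An empty hash means the
# fixture and the tree agree.
def unknown_role_features(roles_yaml, tree_yaml)
  known = collect_identifiers(YAML.safe_load(tree_yaml))
  YAML.safe_load(roles_yaml).each_with_object({}) do |role, out|
    missing = role['features'].reject { |feature| known.include?(feature) }
    out[role['name']] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  unknown_role_features(ROLES_YAML, FEATURE_TREE_YAML).each do |role, ids|
    puts "#{role}: unknown feature id(s) #{ids.join(', ')}"
  end
end
```

Run against the real fixtures, a non-empty result is a role that either grants nothing for that entry or grants something other than what the role editor displays, which is exactly the visibility mismatch this bug describes.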