Bug 1571224

Summary: Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
Product: Red Hat CloudForms Management Engine
Reporter: myoder
Component: UI - OPS
Assignee: Harpreet Kataria <hkataria>
Status: CLOSED CURRENTRELEASE
QA Contact: Omri Hochman <ohochman>
Severity: medium
Docs Contact:
Priority: high
Version: 5.8.0
CC: agk, akkaran046, cpelland, dmetzger, gberginc, hkataria, jocarter, jprause, lavenel, maufart, mpovolny, myoder, obarenbo, simaishi, slucidi, sseago
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.10.0.15
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1625249 1625250
Environment:
Last Closed: 2020-11-18 14:53:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1572700, 1625249, 1625250
Attachments:
Description Flags
read action forbidden error none

Description myoder 2018-04-24 10:55:18 UTC
Created attachment 1425945
read action forbidden error

Description of problem:

When a user with limited role permissions tries to attach / detach a cloud volume, a red error message is displayed in the UI stating "Use of the read action is forbidden".

The only way I have found to address this is by enabling the following product features for the user's role:

  Compute => Infrastructure => Infrastructure Providers => View


However, a user should not need to enable Infrastructure role features to attach / detach a cloud volume for a cloud provider.


Please note, even though the red error message is being displayed, the user is still allowed to attach / detach the cloud instance.

Version-Release number of selected component (if applicable):
CFME 5.8.3.5

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
Red error message is displayed when attempting to attach or detach a cloud instance

Expected results:
There should be no error message, as the user has the correct permissions.

Additional info:
This issue was originally for the whole attach / detach cloud image page not displaying and was supposed to be fixed in this bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=1462269

However, that bug was opened for a slightly different issue, so I wanted to open a fresh bug for clarity.

Appliance 10.13.145.93 with credentials admin:smartvm exhibits this behavior.

Comment 3 Scott Seago 2018-05-01 20:36:56 UTC
I'm copying over slucidi's comment from the related bug, since it explains the cause of the current behavior:

"It looks like the other half of this issue is related to the 'providers' api endpoint. The cloud volume form calls to it to request a list of providers/managers with storage capabilities, but fails if the user doesn't have ems_infra permissions. 

Looking at https://github.com/imtayadeway/manageiq-api/blob/cebbdc102cd87d0d5120ca35c8571132f7e530eb/config/api.yml#L1856 it appears that the providers endpoint uses all ems_infra related roles. I'm not sure if the issue is that the required permissions are incorrect, if it's the wrong endpoint to use to list storage managers on this form, or if it's just misaligned expectations."

The API call to the providers endpoint that requires these permissions is in the initialization of the angular cloudVolumeFormController. This is needed for the "new cloud volume" operation (to get the list of providers to choose from), but it's completely unnecessary for attach/detach volume.

The angular controller needs to be refactored so that this API call isn't made for forms that don't need it.
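
The refactoring proposed in comment 3, sketched as an added example that is not part of the bug report and not ManageIQ's code. The stub API, the function names and the `cloud_volume` feature label are hypothetical and constructed for illustration; only the `providers` endpoint, the `ems_infra` requirement and the error text come from the report.

```javascript
// Added illustration: all names here are hypothetical, not ManageIQ's code.
// Constructed stub API that enforces RBAC per collection, like the 'providers'
// endpoint in the comment above, which requires ems_infra features.
const REQUIRED_FEATURE = { providers: 'ems_infra' };

function makeApi(userFeatures) {
  const calls = []; // every collection the form asked for, allowed or not
  return {
    calls,
    get(collection) {
      calls.push(collection);
      const needed = REQUIRED_FEATURE[collection];
      if (needed && !userFeatures.includes(needed)) {
        throw new Error('Use of the read action is forbidden');
      }
      return [{ name: 'constructed-storage-manager' }];
    },
  };
}

// Shared form init: fetch providers only if the predicate says the
// operation needs them, and collect what the UI would flash in red.
function initForm(api, operation, needsProviders) {
  const state = { operation, providers: [], errors: [] };
  if (needsProviders(operation)) {
    try {
      state.providers = api.get('providers');
    } catch (e) {
      state.errors.push(e.message);
    }
  }
  return state;
}

// Before: every cloud volume form requests the provider list on init.
const initFormBefore = (api, op) => initForm(api, op, () => true);

// After: only the "new cloud volume" form needs providers to choose from.
const initFormAfter = (api, op) => initForm(api, op, (o) => o === 'new');

// Constructed role: cloud volume features only, no ems_infra.
const limitedRole = ['cloud_volume'];
for (const init of [initFormBefore, initFormAfter]) {
  const api = makeApi(limitedRole);
  const state = init(api, 'attach');
  console.log(init.name, 'errors:', state.errors, 'calls:', api.calls);
}
```

Recording `api.calls` also gives a regression check: a test can assert that the attach/detach form never touches an endpoint outside the features of the role under test.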
