Bug 1589266

Summary: Users can see items which they don't have permissions/access to under services they own
Product: Red Hat CloudForms Management Engine Reporter: jritenou
Component: APIAssignee: Milan Zázrivec <mzazrivec>
Status: CLOSED CURRENTRELEASE QA Contact: Landon LaSmith <llasmith>
Severity: high Docs Contact:
Priority: high    
Version: 5.9.0CC: cpelland, duboyd, gtanzill, jamisonm, jritenou, lavenel, llasmith, obarenbo, simaishi
Target Milestone: GAKeywords: TestOnly, ZStream
Target Release: 5.10.0Flags: gtanzill: needinfo-
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.10.0.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1594275 (view as bug list) Environment:
Last Closed: 2019-02-11 14:07:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1594275    

Description jritenou 2018-06-08 14:46:26 UTC
Description of problem: Use case - government customer runs cyber security training lab, and create multiple VMs - some of which the students own and have direct console access to.  The others, the should not be aware of - the idea is that they will be discovering them and accessing them via SSH, RDP, etc as part of the course.  

In the most recent release of CloudForms, I have created a mockup of this lab design using bundle catalog items - the first item creates the visible VMs, the second creates the hidden ones.  They are all under the same service.  In the ops UI, this works as intended - the student user with a restricted view only sees the items they should.  In the self service UI, they still show up as visible, regardless of how I handle limiting their visibiliby - through ownership change or using tagging.  

Note that this only makes them visible - if the user clicks on the VMs they should not have access to, an error loading VM details pops up, and they can't interact with it.  Ideally, however, the VMs should not be visible at all.  


Version-Release number of selected component (if applicable): 5.9.2


How reproducible: Always


Steps to Reproduce:
1. Provision catalog item with multiple VMs as a user with access set to only user owned, or with some sort of visibility restriction based on tagging
2. Either change the ownership of some of the created items, or apply a tag that would restrict the users's view
3. Log into self service UI as the user and navigate the service

Actual results: User can see a listing of the items they do not have access to


Expected results: Student should not see the items they do not have access to, as in the ops UI. 


Additional info:

Comment 2 Dave Johnson 2018-06-08 15:02:44 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 3 Chris Hale 2018-06-13 14:04:57 UTC
Reassigning to API team to take a look at.  The UI doesn't control what data comes back from API in order to decide what to hide or show an individual user.  Please let me know if you would like my help in the future to test or validate this after API changes have been made.

Comment 5 Gregg Tanzillo 2018-06-13 14:41:33 UTC
Chris, would you be able to provide us with the API call being made that is bringing VMs that the use shouldn't see? This way we can verify that RBAC is properly being enforced.

Comment 6 Chris Hale 2018-06-13 14:43:15 UTC
Hi jritenou,
     Do you have an appliance setup that can reproduce this issue that we can look at?

Thank you in advance,

Chris H

Comment 12 CFME Bot 2018-06-22 07:21:53 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/7566ed9c7c6bfb57305d9456c98285f040a3346a
commit 7566ed9c7c6bfb57305d9456c98285f040a3346a
Author:     Milan Zazrivec <mzazrivec>
AuthorDate: Wed Jun 20 12:08:16 2018 -0400
Commit:     Milan Zazrivec <mzazrivec>
CommitDate: Wed Jun 20 12:08:16 2018 -0400

    services?expand=vms: fetch RBAC-filtered list of vms

    https://bugzilla.redhat.com/show_bug.cgi?id=1589266

 app/controllers/api/subcollections/vms.rb | 1 +
 1 file changed, 1 insertion(+)

Comment 15 Landon LaSmith 2018-08-06 01:43:10 UTC
VERIFIED in 5.10.0.8. I was able to create a user restricted to the engineering department that could only see services that were also tagged with Engineering. When completed services were created via a bundle the user could only see services that were tagged with Engineering