Bug 1784102

Summary: Missing rbac identifiers for some collections in the API
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: API
Assignee: Gregg Tanzillo <gtanzill>
Status: CLOSED ERRATA
QA Contact: Parthvi Vala <pvala>
Severity: unspecified
Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: unspecified
Version: 5.11.0
CC: dmetzger, mpovolny, obarenbo, pvala, simaishi
Target Milestone: GA
Keywords: ZStream
Target Release: 5.11.2
Flags: pm-rhel: cfme-5.11.z+, simaishi: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.11.2.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1767720
Environment:
Last Closed: 2020-02-12 05:02:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1767720
Bug Blocks:

Comment 2 CFME Bot 2019-12-16 20:39:15 UTC
New commit detected on ManageIQ/manageiq-api/ivanchuk:

https://github.com/ManageIQ/manageiq-api/commit/a27dbb8f115b1146d8d06e3b993a96d3cad9225b
commit a27dbb8f115b1146d8d06e3b993a96d3cad9225b
Author:     Libor Pichler <lpichler>
AuthorDate: Fri Oct 25 09:06:05 2019 -0400
Commit:     Libor Pichler <lpichler>
CommitDate: Fri Oct 25 09:06:05 2019 -0400

    Merge pull request #692 from martinpovolny/hardening_collections

    Hardening collections

    (cherry picked from commit 2d7f6ce87fb3f2f4b796d6e87d962114679b00d4)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1784102

 config/api.yml | 15 +
 spec/lib/api/api_config_spec.rb | 10 +
 spec/requests/enterprises_spec.rb | 19 +-
 spec/requests/roles_spec.rb | 22 +-
 spec/requests/servers_spec.rb | 12 +-
 5 files changed, 70 insertions(+), 8 deletions(-)

Comment 4 Parthvi Vala 2020-01-22 10:05:53 UTC
Hi Martin, what has changed with this enhancement? How do I test it?

Comment 5 Parthvi Vala 2020-01-28 08:31:08 UTC
FIXED. Verified on 5.11.2.0.20200113212029_18edbd8 on the basis of the changes made by the PR (https://github.com/ManageIQ/manageiq-api/pull/692).

To test these changes, I created 2 users: one with the EvmRole-user role and another with a role that only had permission to the API feature.
1. A user without enough permissions cannot access the "servers" and "enterprises" collections, which they were able to do earlier.
2. Apart from the whitelisted collections mentioned here (https://github.com/ManageIQ/manageiq-api/pull/692/files#diff-b6270c43055f4b35d1cf94f20311f0e0R19), I see other collections such as "custom_button_sets", "custom_buttons", "service_offerings", and "service_parameter_sets".
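The verification above boils down to one question: does every API collection in config/api.yml carry an RBAC identifier that the caller's role must hold? The following Ruby script is an added illustration of that check, not code from manageiq-api or from the PR. The YAML layout (a `:collections:` map whose entries carry an `:identifier:`), the collection entries and the feature identifiers (`rbac_tenant`, `rbac_user`, `ops_server`) are constructed placeholders, and the rule "no identifier means no check" is an assumption that models the pre-fix behaviour the comment describes. The script lists collections that lack an identifier, shows that a role with only the API feature could reach such a collection, and shows that adding the identifier closes the gap.

```ruby
require "yaml"

# Constructed sample in the assumed shape of an api.yml collections map
# (not the project's real file). "servers" deliberately has no identifier.
SAMPLE_API_CONFIG = <<~YAML
  :collections:
    :enterprises:
      :description: Enterprises
      :identifier: rbac_tenant
      :verbs:
        - get
    :servers:
      :description: Servers
      :verbs:
        - get
    :users:
      :description: Users
      :identifier: rbac_user
      :verbs:
        - get
        - post
YAML

def load_api_config(yaml_text)
  # Symbol must be permitted because the keys are written as :name.
  YAML.safe_load(yaml_text, permitted_classes: [Symbol])
end

# Lint step: names of collections that declare no RBAC identifier.
# This is the kind of assertion a config spec can run on every build.
def collections_missing_identifier(yaml_text)
  collections = load_api_config(yaml_text).fetch(:collections, {})
  collections.select { |_name, spec| spec[:identifier].to_s.strip.empty? }
             .keys.map(&:to_s).sort
end

# Authorization model (assumed): allowed only if the collection's identifier
# is among the role's features; an unknown collection is denied; a collection
# with no identifier is treated as unrestricted, which is exactly the gap.
def collection_allowed?(yaml_text, collection, role_features)
  spec = load_api_config(yaml_text).dig(:collections, collection.to_sym)
  return false if spec.nil?
  identifier = spec[:identifier]
  return true if identifier.nil?
  role_features.include?(identifier)
end

# Hardening step: add identifiers to the named collections and return
# the corrected YAML text so it can be re-checked with the functions above.
def hardened_config(yaml_text, identifiers)
  config = load_api_config(yaml_text)
  identifiers.each do |name, identifier|
    spec = config.dig(:collections, name.to_sym)
    spec[:identifier] ||= identifier if spec
  end
  config.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  # Constructed feature list for a role that only holds the API feature.
  api_only_role = ["api_exclusive"]
  puts "missing identifiers: #{collections_missing_identifier(SAMPLE_API_CONFIG).inspect}"
  puts "api-only role reaches servers before fix: #{collection_allowed?(SAMPLE_API_CONFIG, 'servers', api_only_role)}"
  fixed = hardened_config(SAMPLE_API_CONFIG, { "servers" => "ops_server" })
  puts "api-only role reaches servers after fix:  #{collection_allowed?(fixed, 'servers', api_only_role)}"
end
```

Running the lint in a spec (the PR adds one under spec/lib/api/api_config_spec.rb) is the durable protection: a newly added collection without an identifier fails the build instead of silently becoming reachable to every API user.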

Comment 7 errata-xmlrpc 2020-02-12 05:02:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0452