Bug 1881958

Summary: Non admin users behave as admin users and have their permissions
Product: [oVirt] ovirt-engine
Reporter: Ivana Saranova <isaranov>
Component: General
Assignee: Eli Mesika <emesika>
Status: CLOSED CURRENTRELEASE
QA Contact: Ivana Saranova <isaranov>
Severity: high
Docs Contact:
Priority: high
Version: 4.4.3
CC: aoconnor, bugs, dfodor, dholler, emesika, michal.skrivanek, mperina, pmatyas
Target Milestone: ovirt-4.4.3
Keywords: Regression
Target Release: ---
Flags: pm-rhel: ovirt-4.4+, aoconnor: blocker+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.4.3.6
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-11 06:41:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1808320
Bug Blocks: 1822372
Attachments: screenshot to comment #7 (flags: none)

Description Ivana Saranova 2020-09-23 13:43:30 UTC
Description of problem:
A non-admin user without any admin role or permissions can access the Admin Portal and do most of the actions only permitted to admin users. In the VM Portal he can see all the VMs just as an admin user does.

Version-Release number of selected component (if applicable):
ovirt-engine-4.4.3.3-0.19.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have non admin user without any admin permissions or roles
2. Log in to admin portal (or VM portal)
3.

Actual results:
Non admin user can access admin portal and behaves like admin user in both admin portal and VM portal.

Expected results:
Non admin user cannot log into admin portal and does not have admin rights in VM portal.

Additional info:

Comment 1 Martin Perina 2020-09-23 14:42:31 UTC
Are you sure that your user doesn't have any administrator role assigned on any object? And the user is not a member of any group (recursively) which has any administrator role assigned on any object?

Comment 4 Ivana Saranova 2020-09-23 15:26:34 UTC
I forgot to add that I cannot reproduce this issue on ovirt-engine-4.4.2.6-0.2.el8ev.noarch

Comment 6 Michal Skrivanek 2020-09-25 07:17:40 UTC
Please add an OST test to check that a regular user can't get into webadmin; this is not the first time it slipped through.

Comment 8 Eli Mesika 2020-09-29 14:18:22 UTC
Created attachment 1717557
screenshot to comment #7

Comment 15 Ivana Saranova 2020-10-05 12:32:20 UTC
Please, move to ON_QA when the package has been provided to QE. Moving back to MODIFIED.

Comment 16 Ivana Saranova 2020-10-19 11:21:36 UTC
Steps:
1) Create a new user with the ovirt-aaa-jdbc-tool
2) Log in as admin to AdminPortal and add UserRole/PowerUserRole to the new user
3) Try to log in to AdminPortal as the new user
4) Log in to VM Portal and check if user behaves as an admin there
5) Create a new group and new user with the ovirt-aaa-jdbc-tool
6) Add the new user to the group
7) Log in as admin to AdminPortal and add the UserRole/PowerUserRole to the new group
8) Try to log in to AdminPortal as the new user
9) Log in to VM Portal and check if user behaves as an admin there

Results:
New user cannot login to AdminPortal and does not behave as an admin in VM Portal.

Verified in:
ovirt-engine-4.4.3.6-0.13.el8ev.noarch

Comment 17 Sandro Bonazzola 2020-11-11 06:41:43 UTC
This bugzilla is included in oVirt 4.4.3 release, published on November 10th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.3 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.