Bug 2144346

Summary: Search returns all entities the permissions allow if the user is not admin
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: ovirt-engine
Assignee: Eli Mesika <emesika>
Status: CLOSED ERRATA
QA Contact: Barbora Dolezalova <bdolezal>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.5.3
CC: emarcus, josgutie, mavital, mperina
Target Milestone: ovirt-4.5.3-async
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ovirt-engine-4.5.3.5
Doc Type: Bug Fix
Doc Text:
Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-11 11:25:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Germano Veit Michel 2022-11-20 21:42:16 UTC
Description of problem:

When doing a search as a user (not admin), the API returns all objects the user has access to, not just the searched one, as it does with the admin user.

Version-Release number of selected component (if applicable):
rhvm-4.5.3.2-1.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create 2+ Clusters (no need to initialize or anything, just have them there)
   engine=# select name from cluster;
     name   
   ---------
    Default
    Other
   (2 rows)

2. Create 1 additional internal user, give system permissions as Power User
   ovirt-aaa-jdbc-tool user add germano --attribute=firstName=Germano
   ovirt-aaa-jdbc-tool user password-reset germano --password-valid-to="2025-08-01 12:00:00-0800"

3. As admin user, search for 'Default' cluster; note that only Default is returned.
$ curl -s -k -u "admin@internal:redhat" -H "Content-type: application/xml" "https://rhvm.lab.toca.local/ovirt-engine/api/clusters?search=name%3D%22Default%22" | grep "^        <name>"
        <name>Default</name>

4. As "user" user, do the same search. Note that both are returned.
$ curl -s -k -u "germano@internal:redhat" -H "Content-type: application/xml" "https://rhvm.lab.toca.local/ovirt-engine/api/clusters?search=name%3D%22Default%22" | grep "^        <name>"
        <name>Default</name>
        <name>Other</name>

Actual results:
* incorrect search results returned
* as a consequence, ovirt_vm is broken when using a non-admin user, as specifying a cluster will actually pick the first one from the list and not the searched one.

Expected results:
* same results returned as admin user

Additional info:

It looks like Search is not called at all for non-admin users; the request goes to GetAllClusters instead.

admin
-----
2022-11-21 07:37:13,772+10 DEBUG [org.ovirt.engine.core.bll.Backend] (default task-2) [] Executing query Search with isFiltered : false for user admin@internal-authz.
2022-11-21 07:37:13,773+10 DEBUG [org.ovirt.engine.core.bll.SearchQuery] (default task-2) [88617e5f-0f05-4400-aa08-4ecb12b25651] Executing generic query: SELECT * FROM ((SELECT  cluster_view.* FROM  cluster_view   WHERE  cluster_view.name ILIKE 'Default' )  ORDER BY name ASC) as T1 OFFSET (1 -1) LIMIT 2147483647

user
----
2022-11-21 07:38:37,589+10 DEBUG [org.ovirt.engine.core.bll.Backend] (default task-2) [] Executing query GetAllClusters with isFiltered : true for user germano@internal-authz.
2022-11-21 07:38:37,592+10 DEBUG [org.ovirt.engine.core.bll.GetAllClustersQuery] (default task-2) [4b876e47-ecf9-467f-8a3d-725a476c3cbe] Query GetAllClustersQuery took 3 ms
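A way to check whether the search condition is honoured for a given user, as an added example that is not part of the bug report or of ovirt-engine: it parses the `/api/clusters` XML response and reports any cluster name that came back although the search should have excluded it. The engine URL and account in `fetch_clusters` are placeholders you supply; the embedded sample response is constructed to match what step 4 above shows.

```python
"""Check whether a search over /api/clusters is honoured for a given user.
Added example (not ovirt-engine or bug-report code); engine URL and
credentials passed to fetch_clusters are placeholders."""
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Set


def search_url(base_url: str, search: str) -> str:
    """Build the same request URL the report issues with curl."""
    query = urllib.parse.quote(search, safe="")  # name="Default" -> name%3D%22Default%22
    return f"{base_url}/ovirt-engine/api/clusters?search={query}"


def cluster_names(xml_text: str) -> List[str]:
    """Extract the <name> of each <cluster> from an /api/clusters response."""
    root = ET.fromstring(xml_text)
    return [c.findtext("name") for c in root.findall("cluster")]


def search_leak(expected: Set[str], returned: List[str]) -> Set[str]:
    """Cluster names returned although the search condition excludes them.
    A non-empty set is the symptom described in this bug."""
    return set(returned) - expected


def fetch_clusters(base_url: str, user: str, password: str,
                   search: str, insecure: bool = False) -> str:
    """GET the search URL with HTTP basic auth (insecure=True mirrors curl -k)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(search_url(base_url, search), headers={
        "Accept": "application/xml", "Authorization": "Basic " + token})
    ctx = ssl._create_unverified_context() if insecure else None
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


# Constructed sample matching step 4 of the report for the non-admin user:
# the search asked for Default only, but Other came back as well.
SAMPLE_UNFIXED = """<clusters>
  <cluster id="c1"><name>Default</name></cluster>
  <cluster id="c2"><name>Other</name></cluster>
</clusters>"""

if __name__ == "__main__":
    leaked = search_leak({"Default"}, cluster_names(SAMPLE_UNFIXED))
    print("leaked clusters:", sorted(leaked) or "none (search honoured)")
```

Against a live engine, replace `SAMPLE_UNFIXED` with `fetch_clusters("https://<engine>", "<user>@internal", "<password>", 'name="Default"', insecure=True)` run once as admin and once as the non-admin account; a fixed engine yields an empty leak set for both.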

Comment 1 Casper (RHV QE bot) 2022-11-20 22:00:38 UTC
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise its PM_Score above the verification threshold (1000).

Comment 2 Eli Mesika 2022-12-04 15:36:40 UTC
*** Bug 2078946 has been marked as a duplicate of this bug. ***

Comment 7 Barbora Dolezalova 2022-12-20 11:21:47 UTC
I followed the reproduction steps and it works as it should (same results returned as admin user).

Verified in ovirt-engine-4.5.3.6-0.zstream.20221207085812.gitdecf5699b99.el8.noarch

Comment 9 errata-xmlrpc 2023-01-11 11:25:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0074