Bug 603899

Summary: User assigned role with dynagroup, resourcehub shows wrong content
Product: [Other] RHQ Project
Reporter: Jeff Weiss <jweiss>
Component: Core Server
Assignee: Joseph Marques <jmarques>
Status: CLOSED CURRENTRELEASE
QA Contact: Corey Welton <cwelton>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 3.0.0
CC: cwelton, dajohnso, jmarques
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-12 16:52:12 UTC
Type: ---
Bug Blocks: 565628, 593121    

Description Jeff Weiss 2010-06-14 19:24:21 UTC
Description of problem:
User should only see groups to which he's assigned, but when assigned to a dynagroup he can see ALL dynagroups, and no resources of the dynagroup to which he's assigned.  

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a role with Control and Configure permissions
2. Create a user.
3. Create a dynagroup, say that lists all agents.
4. Assign the user and the dynagroup to the role you created.
5. Log in as that user and go to the resource browser
  
Actual results:
resource browser counts show (1) but no items shown under Resources.  Under groups the count is also (1) but all dynagroups are listed, not just the one you assigned to the role.

Expected results:
The dynagroup and/or the resources which belong to it should be shown, nothing else.  The counts should match the number of items displayed.


Additional info:

Comment 1 Joseph Marques 2010-06-21 18:13:26 UTC
raising this to urgent.  this isn't a matter of the counts being wrong, this is a matter of being able to see resources to which a user is entitled.  right now, the permissions appear to be too aggressive; upon logging in (after following the reproduction steps) no resources can be seen at all.

Comment 2 Joseph Marques 2010-06-21 18:15:11 UTC
Underlying exception in the server log is as follows:

14:11:35,854 ERROR [PagedListDataModel] Could not retrieve collection for PageControlView[BrowseResourcesUIBean]
org.rhq.enterprise.server.authz.PermissionException: Subject [simple] requires InventoryManager permission for requested query criteria.
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourcesByCriteria(ResourceManagerBean.java:2044)
	at org.rhq.enterprise.server.resource.ResourceManagerBean.findResourceCompositesByCriteria(ResourceManagerBean.java:2024)

This is why the resource browser shows nothing.

Comment 3 Joseph Marques 2010-06-21 18:27:07 UTC
commit 22e6fee94ca7f2aabd2defad3922b04544488980
Author: Joseph Marques <joseph>
Date:   Mon Jun 21 14:23:31 2010 -0400

    BZ-603899: fix the overly aggressive authorization for the resource browser

Comment 4 Corey Welton 2010-06-23 13:11:54 UTC
I think the first part of this is fixed, but not the second?

When logging in as user, I do, now, see resources (all the agents) as expected.  However, when I go to groups, I am still seeing all groups created -- not just the one I have explicitly assigned to the user.  

Returning to dev for consideration.

Comment 5 Joseph Marques 2010-06-23 15:12:53 UTC
Corey, good catch.  You're right, I didn't even realize there was a second part to this fix.

Comment 6 Joseph Marques 2010-06-23 15:13:04 UTC
commit b9ca90d9414a7e09eeac2fb9e2423a3f607eafe7
Author: Joseph Marques <joseph>
Date:   Wed Jun 23 10:22:25 2010 -0400

    BZ-603899: add missing authorization check to ResourceGroupManager.findResourceGroupCompositesByCriteria

Comment 7 Corey Welton 2010-06-24 12:56:43 UTC
QA Verified.

Comment 8 Corey Welton 2010-08-12 16:52:12 UTC
Mass-closure of verified bugs against JON.
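
The two commits in this report correct opposite failures of the same authorization decision: a check that rejected a role-scoped user outright, and a finder that listed groups without checking the caller at all. The Java sketch below is an added example, not code from RHQ or from those commits; it contrasts both failures with a finder that scopes the list and the count with one predicate. All type and method names are hypothetical, the sample data is constructed, the cause shown for the count/list mismatch is an assumption, and it needs Java 16 or later.

```java
import java.util.List;
import java.util.Set;

// Added illustration: every type and method name here is hypothetical, not RHQ's API.
public class ScopedGroupQuery {
    record Group(int id, String name) {}
    record Subject(String name, boolean inventoryManager, Set<Integer> roleGroupIds) {}
    record Page(long totalCount, List<Group> items) {}

    // Constructed sample inventory: three dynagroups.
    static final List<Group> ALL = List.of(
        new Group(1, "all-agents"), new Group(2, "all-platforms"), new Group(3, "all-servers"));

    // A subject may view a group if it holds the global permission or a role grants the group.
    static boolean canView(Subject s, Group g) {
        return s.inventoryManager() || s.roleGroupIds().contains(g.id());
    }

    // Too strict: demands the global permission before looking at the subject's roles,
    // so a role-scoped user gets an exception and an empty browser.
    static Page findTooStrict(Subject s) {
        if (!s.inventoryManager())
            throw new SecurityException("Subject [" + s.name() + "] requires InventoryManager permission");
        return new Page(ALL.size(), ALL);
    }

    // Too loose (assumed cause of the count/list mismatch): the count is scoped, the list is not.
    static Page findUnscopedList(Subject s) {
        long count = ALL.stream().filter(g -> canView(s, g)).count();
        return new Page(count, ALL);
    }

    // Scoped: one predicate drives both the list and the count, so they cannot disagree.
    static Page findScoped(Subject s) {
        List<Group> visible = ALL.stream().filter(g -> canView(s, g)).toList();
        return new Page(visible.size(), visible);
    }

    public static void main(String[] args) {
        Subject simple = new Subject("simple", false, Set.of(1)); // constructed test user
        try {
            findTooStrict(simple);
        } catch (SecurityException e) {
            System.out.println("too strict : " + e.getMessage());
        }
        Page loose = findUnscopedList(simple);
        System.out.println("too loose  : count=" + loose.totalCount() + " listed=" + loose.items().size());
        Page ok = findScoped(simple);
        System.out.println("scoped     : count=" + ok.totalCount() + " listed=" + ok.items());
    }
}
```

A regression test for this class of bug logs in as the restricted user and asserts both that the assigned group is returned and that no unassigned group is, since either half can pass while the other fails.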