Bug 754479

Summary: Revisit permission handling for AgentManagerBean methods
Product: [Other] RHQ Project Reporter: Jay Shaughnessy <jshaughn>
Component: Core ServerAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4.2CC: hrupp
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jay Shaughnessy 2011-11-16 16:16:17 UTC 
This is a follow-up for bug 669521. Relevant comments clipped:

jshaughn:
In the future:
- We may want to also ensure the calling Subject "canView" the resource
specified.

- We may want to add explicit permission checks on
getAgentClient(subject, resourceId) and not just defer the perm check to
getAgentByResourceId(), because getAgentClient() arguable should require
MANAGE_INVENTORY in addition to MANAGE_SETTINGS (or maybe even superuser).

- We need to similarly figure out how to handle
pingAgentByResourceId(subject, resourceId), which (against
the inline docs) also defers to getAgentClient(subject, resourceId) for
permission handling.

mazz:
agree - for now, assume SETTINGS is necessary only to view the agent 
info.

We should leave this issue open for further discussion for future release. 
Not sure SETTINGS is the perm we want - seems INVENTORY is the more 
appropriate one to use.