| Summary: | Able to launch instance from catalog_entry even after revoking access of "global Deployable User " | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Shveta <ssachdev> | ||||
| Component: | aeolus-conductor | Assignee: | Scott Seago <sseago> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 1.0.0 | CC: | akarol, deltacloud-maint, slinaber, ssachdev | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | --- | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
|
Description
Shveta
2011-12-14 11:17:54 UTC
adding to ce-sprint-next adding to ce-sprint-next adding to ce-sprint removing ce-sprint-next tracker taking off ce-sprint-next.. So I'm not quite seeing the same thing here.
First of all, I am seeing the correct thing on the pools "New Deployment" side -- the way you set this up, you removed global permission to access deployables, but the user still has permission to launch instances in the pool. What this means is that the user still has launch rights, but without global deployable access, the user will only see deployables with explicit permission granted. In this case, there are none, so the launch form is there, but there aren't any deployables to choose from.
On the 'launch' button from the deployables view, since we've revoked access to get to the deployable page (containing the launch button), that page is correctly preventing this user from accessing the deployable:
Errors
You have insufficient privileges to perform the selected action.
So the one remaining error I see is that the catalog show page that shows the list of deployables (/conductor/catalogs/1) is not properly filtering the deployable list. I can see all of my deployables even though I shouldn't have permission to view them at all.
So, at a minimum, I'll fix the filtering permission as part of this bug. As for the rest, I'm not sure if it was recently fixed or I'm misunderstanding the bug report.
Let me know if there's another aspect of the bug I'm missing.
Patch on list here: https://fedorahosted.org/pipermail/aeolus-devel/2012-January/008140.html Commit hash: f7557c8d264afc20702862cfcab46ef7153b250f 6175ea66a1c1bbac2369de65a9e7b164745f8bf7 in aeolus-conductor-0.8.0-10 Created attachment 557815 [details]
dep_check_added
Verified in rpm -qa|grep aeolus aeolus-conductor-0.8.0-11.el6.noarch aeolus-conductor-doc-0.8.0-11.el6.noarch rubygem-aeolus-image-0.3.0-3.el6.noarch rubygem-aeolus-cli-0.3.0-5.el6.noarch aeolus-all-0.8.0-11.el6.noarch aeolus-configure-2.5.0-7.el6.noarch aeolus-conductor-daemons-0.8.0-11.el6.noarch |