Bug 767933

Summary: Non user can stop an instance created by admin even when all deployable permissions are revoked.
Product: [Retired] CloudForms Cloud Engine
Reporter: Shveta <ssachdev>
Component: aeolus-conductor
Assignee: Scott Seago <sseago>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: akarol, deltacloud-maint, ssachdev
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix

Description Shveta 2011-12-15 09:41:28 UTC
Steps to Reproduce:
1. Created a non-admin user (shveta)
2. Launched an instance from admin
3. Revoked all access of deployable for non-admin user (shveta)
4. Non-admin user can still log in and stop that instance.
  
Additional info:
 rpm -qa|grep aeolus
rubygem-aeolus-image-0.2.0-1.el6.noarch
aeolus-conductor-0.7.0-4.el6.noarch
aeolus-conductor-doc-0.7.0-4.el6.noarch
aeolus-configure-2.4.0-3.el6.noarch
rubygem-aeolus-cli-0.2.0-3.el6.noarch
aeolus-all-0.7.0-4.el6.noarch
aeolus-conductor-daemons-0.7.0-4.el6.noarch

Comment 1 wes hayutin 2012-01-10 17:10:32 UTC
adding to ce-sprint-next

Comment 2 wes hayutin 2012-01-10 17:13:14 UTC
adding to ce-sprint-next

Comment 3 wes hayutin 2012-01-12 16:34:53 UTC
adding to ce-sprint

Comment 4 wes hayutin 2012-01-12 16:41:13 UTC
removing ce-sprint-next tracker

Comment 5 Scott Seago 2012-01-13 01:52:50 UTC
Stopping an instance won't depend on deployable permissions. However, if the non-admin user in question wasn't the one that launched the instance, this is still a bug -- conductor should be verifying that the user has 'Use Instance' permissions on the instance being stopped.
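
The check Comment 5 describes, as an added example that is not aeolus-conductor code: the stop action authorizes against the instance itself, so deployable grants neither allow nor block it. All class, method and privilege names are hypothetical, and treating the launching user as permitted is an assumption drawn from the comment.

```ruby
# Added illustration; class, method and privilege names are hypothetical,
# not taken from aeolus-conductor.
require 'set'

class PermissionDenied < StandardError; end

Instance = Struct.new(:id, :owner, :deployable_id, :state)

class Permissions
  def initialize
    @grants = Set.new # entries: [user, object_type, object_id, privilege]
  end

  def grant(user, type, id, privilege)
    @grants << [user, type, id, privilege]
  end

  def revoke_all(user, type, id)
    @grants.delete_if { |u, t, i, _| u == user && t == type && i == id }
  end

  def allowed?(user, type, id, privilege)
    @grants.include?([user, type, id, privilege])
  end
end

# Authorize against the instance being acted on, at the point of the action.
# Deployable grants are deliberately not consulted here.
# Assumption: the user who launched the instance may always stop it.
def stop_instance(perms, user, instance)
  unless instance.owner == user || perms.allowed?(user, :instance, instance.id, :use)
    raise PermissionDenied, "#{user} lacks 'use' on instance #{instance.id}"
  end
  instance.state = :stopped
  instance
end

# Constructed scenario following the report's steps.
def scenario
  perms = Permissions.new
  inst = Instance.new(1, 'admin', 10, :running)   # step 2: admin launches
  perms.grant('shveta', :deployable, 10, :use)
  perms.revoke_all('shveta', :deployable, 10)     # step 3: revoke deployable access
  denied = begin
    stop_instance(perms, 'shveta', inst); false   # step 4: non-admin tries to stop
  rescue PermissionDenied
    true
  end
  perms.grant('shveta', :instance, 1, :use)       # explicit grant on the instance
  [denied, inst.state, stop_instance(perms, 'shveta', inst).state]
end
```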

Comment 6 Scott Seago 2012-01-17 06:47:25 UTC
What page did you access to stop the instance? I attempted to test this out and, as a non-admin user without deployment rights, when I clicked on the deployment URL I got an 'insufficient privileges' error page, so I could not get to the instance list.

If you could provide the URL of the page on which you were able to stop the instance on which you shouldn't have had access, that would help me track this down.

Comment 7 Shveta 2012-01-18 16:21:32 UTC
This was changed/fixed recently, it seems.

Error not reproducible.
Verified in
rpm -qa|grep aeolus
aeolus-conductor-0.8.0-7.el6.noarch
aeolus-configure-2.5.0-4.el6.noarch
aeolus-conductor-daemons-0.8.0-7.el6.noarch
rubygem-aeolus-image-0.3.0-2.el6.noarch
rubygem-aeolus-cli-0.3.0-3.el6.noarch
aeolus-all-0.8.0-7.el6.noarch
aeolus-conductor-doc-0.8.0-7.el6.noarch