Bug 769573

Summary: Role enforcement in Cumin
Product: Red Hat Enterprise MRG Reporter: Stanislav Graf <sgraf>
Component: cuminAssignee: Trevor McKay <tmckay>
Status: CLOSED ERRATA QA Contact: Daniel Horák <dahorak>
Severity: medium Docs Contact:
Priority: high    
Version: 2.1CC: croberts, fweimer, jwest, ltoscano, matt, mkudlej, tmckay
Target Milestone: 2.2   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cumin-0.1.5419-1 Doc Type: Bug Fix
Doc Text:
Cause Cumin allowed the assignment of roles to user accounts but role enforcement was never implemented. Consequence There was no mechanism for distinguishing between administrative users with access to all displays and functions in the user interface and general users with access only to management of their own submissions. Change Role enforcement has been implemented, but will be off by default after installation and may be turned in /etc/cumin/cumin.conf. General users will see only displays under the Grid User tab when enforcement is enabled. All users will default to the "user" unless they are specifically assigned to the "admin" role with the cumin-admin command. Result Site administrators may now selectively grant administrative privileges to certain users. Other users will be able to manage their own jobs but will not have visibility to other jobs through Cumin.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-19 17:42:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 737979, 811230, 828434, 828935    

Description Stanislav Graf 2011-12-21 11:18:42 UTC 
Description of problem:
When I create 2 users each in different role, there is no distinction between their privileges in cumin web interface.

This is how you can create two users with different roles:

[root@rhel6i ~]# cumin-database install
...
The database is installed
ecode=0
[root@rhel6i ~]# cumin-admin list-users
  ID Name                 Roles
---- -------------------- --------------------

(0 users found)
ecode=0
[root@rhel6i ~]# cumin-admin list-roles
  ID Name
---- --------------------
   1 user                
   2 admin               

(2 users found)
ecode=0
[root@rhel6i ~]# cumin-admin add-user cuser cuser
User 'cuser' is added
ecode=0
[root@rhel6i ~]# cumin-admin add-user cadmin cadmin
User 'cadmin' is added
ecode=0
[root@rhel6i ~]# cumin-admin remove-assignment cadmin user
User 'cadmin' is no longer assigned to role 'user'
ecode=0
[root@rhel6i ~]# cumin-admin add-assignment cadmin admin
User 'cadmin' is assigned to role 'admin'
ecode=0
[root@rhel6i ~]# cumin-admin list-users
  ID Name                 Roles
---- -------------------- --------------------
   3 cuser                user                
   4 cadmin               admin               

(2 users found)
ecode=0


Version-Release number of selected component (if applicable):
cumin-0.1.5098-2

How reproducible:
100%

Steps to Reproduce:
1. cumin-database install
2. cumin-admin add-user cuser cuser
3. cumin-admin add-user cadmin cadmin
4. cumin-admin remove-assignment cadmin user
5. cumin-admin add-assignment cadmin admin
6. cumin-admin list-users
7. Go to cumin web interface and try to find difference
  
Actual results:
Cumin user and admin roles have the same privileges.

Expected results:
Cumin user and admin roles have different privileges

Additional info:
Comment 6 Trevor McKay 2012-04-11 19:47:31 UTC 
Fixed in revision 5295.
Comment 7 Trevor McKay 2012-04-25 20:29:18 UTC 
Additional notes on testing:

1) Role enforcement is complete, but it is turned off by default currently for backwards compatibility.  At some point in the future it will be turned on by default, after an adjustment period.  With role enforcement off, there should be no difference between user and admin accounts as noted above.

2) To turn on role enforcement, set the "authorize" parameter in /etc/cumin/cumin.conf file in the [common] or [web] section:

authorize: True

3) (Re)start Cumin

4) Log in as the cadmin user.  There should be no difference with older versions of Cumin and with the current version when role enforcement is turned off.  Cumin will open to the Administrator->Grid tab.

5) Log in as the cuser user.  The entire "Administrator" tab will be missing -- Administrator->Grid and Administrator-Inventory, and everything below.  Only "Your account", "Grid user", and "About" should be visible.

How this works with the other personas:

1) In the 'default' persona (so named for historical reasons), the cadmin user will open to the Administrator->Overview tab showing Deepest Message Queues, Busiest Systems, and Longest Running Grid Submissions.  In addition to Administrator->Grid and Administrator->Inventory, there will be an Administrator->Messaging tab.

The cuser user will see the same view as in the 'grid' persona.  There will be no Messaging tab for the cuser user.

2) In the 'messaging' persona, no grid components are visible.  Just Messaging and Inventory.  There is no role enforcement in the Messaging persona, since the most likely case is "cuser sees nothing at all and cadmin sees everything".  In this scenario sites that run Cumin in the messaging persona would likely assign everyone the 'admin' role, so there seems little point.
Comment 8 Trevor McKay 2012-05-04 20:01:19 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    Cumin allowed the assignment of roles to user accounts but role enforcement was never implemented.

Consequence
    There was no mechanism for distinguishing between administrative users with access to all displays and functions in the user interface and general users with access only to management of their own submissions.

Change
    Role enforcement has been implemented, but will be off by default after installation and may be turned in /etc/cumin/cumin.conf.  General users will see only displays under the Grid User tab when enforcement is enabled.  All users will default to the "user" unless they are specifically assigned to the "admin" role with the cumin-admin command.

Result
    Site administrators may now selectively grant administrative privileges to certain users.  Other users will be able to manage their own jobs but will not have visibility to other jobs through Cumin.
Comment 20 Stanislav Graf 2012-07-25 08:45:03 UTC 
I have verified steps in comment 7
Comment 23 Trevor McKay 2012-07-26 16:11:37 UTC 
As QE has noticed, the "banner" code is not available in cumin-0.1.5419 and so the redirection messages can be viewed as log entries in web.log.
Comment 26 Daniel Horák 2012-07-27 09:53:39 UTC 
Verified on RHEL 8.8, 6.3 - i386, x86_64 with condor-7.6.5-0.19 and cumin-0.1.5419-4.

>>> VERIFIED
Comment 27 Daniel Horák 2012-07-27 09:54:34 UTC 
(In reply to comment #26)
> Verified on RHEL 8.8 
RHEL 5.8
Comment 53 errata-xmlrpc 2012-09-19 17:42:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1278.html