Bug 784988

Summary: JON 3.0.1 RC#1 CLI permissions with users other than rhqadmin
Product: [Other] RHQ Project Reporter: Mike Foley <mfoley>
Component: CLIAssignee: Ian Springer <ian.springer>
Status: CLOSED NOTABUG QA Contact: Mike Foley <mfoley>
Severity: medium Docs Contact:
Priority: high    
Version: 3.0.1CC: ccrouch, hrupp, ian.springer
Target Milestone: ---   
Target Release: JON 3.0.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-01 16:11:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 782579    

Description Mike Foley 2012-01-26 20:41:58 UTC 
Description of problem:  CLI permissions with users other than rhqadmin


Version-Release number of selected component (if applicable):  JON 3.0.1 RC#1


How reproducible:
100%

Steps to Reproduce:
1.  create a new role.  accept the defaults.  expressly note that the new role has implied read permission on the inventory. 
2.  create a new user.  assign the role created in step #1.
3.  using the CLI ... login using the new user, eg. 
  
Actual results:

New user (with implied read permission on inventory) cannot read inventory

mfoley@localhost:7080$ [mfoley@foleymonsterbox1 bin]$ ./rhq-cli.sh -u mfoley -p password
RHQ - RHQ Enterprise Remote CLI 4.2.0.JON.3.0.1.GA
Remote server version is: 3.0.1.GA (784c8ce:5cde182)
Login successful
mfoley@localhost:7080$ var myresource = ProxyFactory.getResource(10034)
Wrapped org.rhq.enterprise.server.authz.PermissionException: [Warning] User [Subject[id=10001,name=mfoley]] does not have permission to view resource [10034] (<Unknown source>#1)
var myresource = ProxyFactory.getResource(10034) 
^



Expected results:  user with implied read permission for inventory can use CLI commands that read inventory



Additional info:
Comment 1 Mike Foley 2012-01-30 16:25:56 UTC 
12/30/2012 BZ triage meeting mfoley, ccrouch, loleary, asantos
Comment 2 Ian Springer 2012-01-31 22:32:42 UTC 
I think you might be confusing the INVENTORY-read Resource permission with the MANAGE_INVENTORY global permission. INVENTORY-read is the permission that is always implied. However, since it is a Resource permission, it only applies to the set of Resources that are members of one or more of the groups associated with the role. For example, for the user to view Resource 10034 (assuming the user did not have MANAGE_INVENTORY or MANAGE_SECURITY), that Resource would have to be in one of that user's role's groups.