Bug 798120

Summary: Zone Creator role user should not be able to destroy zones
Product: [Retired] CloudForms Cloud Engine
Reporter: Shveta <ssachdev>
Component: aeolus-all
Assignee: Scott Seago <sseago>
Status: CLOSED DUPLICATE
QA Contact: wes hayutin <whayutin>
Severity: medium
Priority: unspecified
Version: 1.0.0
CC: akarol, cpelland, deltacloud-maint, ssachdev
Target Milestone: beta
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-08 15:06:45 UTC

Description Shveta 2012-02-28 05:55:04 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Created a user with Zone creator role
2. Created a zone, Filter view, destroy zone, zone gets deleted
3. Created a user with Zone Administrator role, it is also able to destroy zone.

I think no admin rights should be given to Zone creator.

Please correct me if I am wrong.
  
Actual results:


Expected results:


Additional info:

rpm -qa|grep aeolus
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch

Comment 1 Scott Seago 2012-02-29 17:30:25 UTC
Zone creator _only_ gives rights to create zones. However, whoever creates a zone (or a pool or an instance or pretty much _anything_) then automatically gets "owner-level" permissions on that object and can delete it.

In other words, if you have 2 zone creators user1 and user2. user1 creates zone1, user2 creates zone2. Since 'zone creator' does not impart zone delete permissions, user1 may not delete zone2, and user2 may not delete zone1. But since user1 is a zone owner/admin for zone1, he _may_ delete that one.

I think this is NOTABUG.
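
The permission model described in Comment 1 (a global create-only role plus an automatic object-scoped owner grant), as an added Ruby example that is not part of the original comment and is not Aeolus Conductor code. The `Authz` and `Forbidden` classes, the "Zone Owner" role name and the privilege symbols are hypothetical names chosen for illustration.

```ruby
# Added illustration, not Aeolus Conductor code. "Zone Creator" is the role
# from the bug; every other name here is a hypothetical assumption.
require "set"

class Forbidden < StandardError; end

ROLES = {
  "Zone Creator" => Set[:create],                  # global, create only
  "Zone Owner"   => Set[:view, :modify, :destroy]  # assumed owner-level role
}.freeze

class Authz
  Grant = Struct.new(:user, :role, :scope) # scope: :global or a zone name

  def initialize
    @grants = []
    @zones = Set.new
  end

  def grant(user, role, scope = :global)
    raise ArgumentError, "unknown role #{role}" unless ROLES.key?(role)
    @grants << Grant.new(user, role, scope)
  end

  # A privilege holds if one of the user's grants carries it, either
  # globally or scoped to this specific zone.
  def can?(user, privilege, zone = nil)
    @grants.any? do |g|
      g.user == user && ROLES[g.role].include?(privilege) &&
        (g.scope == :global || g.scope == zone)
    end
  end

  # Creation needs the global :create privilege. The creator then receives
  # an owner grant scoped to the new zone only, which permits its deletion.
  def create_zone(user, zone)
    raise Forbidden, "#{user} may not create zones" unless can?(user, :create)
    @zones << zone
    grant(user, "Zone Owner", zone)
  end

  def destroy_zone(user, zone)
    raise Forbidden, "#{user} may not destroy #{zone}" unless can?(user, :destroy, zone)
    @zones.delete(zone)
    @grants.reject! { |g| g.scope == zone } # drop grants on the removed zone
  end

  def zone?(zone)
    @zones.include?(zone)
  end
end
```

When reviewing a report like this one, the check that separates role leakage from ownership is whether the user can destroy a zone created by someone else, not one they created themselves.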

Comment 2 Scott Seago 2012-03-06 15:38:00 UTC
Wes,

actually we're going to be removing the 'Zone Creator' role entirely, so this bug won't be relevant anymore.

Comment 3 Scott Seago 2012-03-07 00:43:58 UTC
Once bug 800511 is fixed, the Zone Creator role will no longer exist.

Comment 4 wes hayutin 2012-03-08 15:06:45 UTC

*** This bug has been marked as a duplicate of bug 800511 ***