| Summary: | Revoking "Zone Administrator " role does not revokes all roles of that user | | |
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Shveta <ssachdev> |
| Component: | aeolus-conductor | Assignee: | Scott Seago <sseago> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.0.0 | CC: | akarol, deltacloud-maint, ssachdev |
| Target Milestone: | beta5 | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Make sure that the admin in question didn't create those zones he can see. The 'zone admin' is a global role (soon to be renamed 'Global Zone Administrator'). In addition, any time a user creates something, that user becomes a resource-level owner/admin for the owned resources. Revoking global admin does nothing for locally-controlled resources. It's like taking the master key from the facilities manager but leaving the manager with the office key to his private office.

So if the revoked zone admin can access zones he created but is prevented from accessing zones others create then this isn't a bug.

please try

> So if the revoked zone admin can access zones he created but is prevented from accessing zones others create then this isn't a bug.

Yes, checked. User is able to see self-created clouds only and not those by admin. Not a bug.

```
rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.0-41.el6.noarch
rubygem-aeolus-cli-0.3.0-13.el6.noarch
aeolus-all-0.8.0-41.el6.noarch
aeolus-conductor-0.8.0-41.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-configure-2.5.0-18.el6.noarch
aeolus-conductor-daemons-0.8.0-41.el6.noarch
```
Created attachment 566228 zone_Admin_revoked

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Created a user with role "Zone Administrator"
2. Zone Admin can see and create/edit/delete all clouds (Note: other zone roles can't)
3. Revoked zone admin role, now user can still see all clouds but default
4. Even edit and delete them.

Actual results:

Expected results:
Revoking role should behave exactly like when user was not assigned that role.

Additional info:

```
rpm -qa|grep aeolus
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch
```
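
The comments above distinguish the global 'Zone Administrator' role from the resource-level owner/admin grant a user receives on creating something. The following is an added Ruby example of that distinction, not aeolus-conductor code; the class, method and zone names are hypothetical and the sample data is constructed. It reports which grant is responsible for each zone a user can still administer, which is the check to run after revoking a global role.

```ruby
# Added illustration; names are hypothetical, not aeolus-conductor code.
require 'set'

class AccessModel
  def initialize
    @global = Hash.new { |h, k| h[k] = Set.new } # user => global role names
    @owners = {}                                 # zone => creating user
  end

  def grant_global(user, role)
    @global[user] << role
  end

  def revoke_global(user, role)
    @global[user].delete(role)
  end

  # Creating a zone records the creator as its resource-level owner/admin.
  def create_zone(user, zone)
    @owners[zone] = user
  end

  # Every grant that lets the user administer the zone.
  def access_sources(user, zone)
    sources = []
    sources << :global_role if @global[user].include?('Zone Administrator')
    sources << :resource_owner if @owners[zone] == user
    sources
  end

  def can_admin?(user, zone)
    !access_sources(user, zone).empty?
  end

  # Zones the user can administer, mapped to the grants responsible.
  def residual_access(user)
    @owners.keys.each_with_object({}) do |zone, report|
      sources = access_sources(user, zone)
      report[zone] = sources unless sources.empty?
    end
  end
end

# Constructed sample data following the steps in the report.
MODEL = AccessModel.new
MODEL.create_zone('admin', 'default')
MODEL.grant_global('zoneuser', 'Zone Administrator')
MODEL.create_zone('zoneuser', 'zoneuser-cloud')
BEFORE = MODEL.residual_access('zoneuser')
MODEL.revoke_global('zoneuser', 'Zone Administrator')
AFTER = MODEL.residual_access('zoneuser')
```

After the revocation, `AFTER` lists only the zone the user created, attributed to `:resource_owner`; removing that access as well means revoking the resource-level grant separately.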