Bug 798204

Summary: Non-admin user able to stop instances even if all the roles are revoked.
Product: [Retired] CloudForms Cloud Engine
Reporter: Aziza Karol <akarol>
Component: aeolus-conductor
Assignee: Scott Seago <sseago>
Status: CLOSED CURRENTRELEASE
QA Contact: pushpesh sharma <psharma>
Severity: high
Priority: unspecified
Version: 1.0.0
CC: akarol, athomas, bbandari, deltacloud-maint, psharma, redakkan, ssachdev
Target Milestone: beta6
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-30 17:17:00 UTC

Description Aziza Karol 2012-02-28 10:08:22 UTC
Steps to Reproduce:
I created a user "akarol" and launched a few EC2 instances as "akarol".
Then I revoked all the default role permissions. I also revoked the zone and application permissions.


As "akarol" I was able to stop the instances.
Also, while stopping the instance, no status message was displayed; the instance just got stopped.

Expected results:
A non-admin should not be able to stop instances if all the permissions are revoked.

Additional info:
rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch

Comment 1 Scott Seago 2012-02-29 17:45:37 UTC
Hmm. I wonder if you still had instance permissions. When a user launches, both the 'deployment' and the 'instance' are owned by the launching user. We track permissions at both levels so you can share a single instance _or_ the whole deployment/app.

If you still had those, this is NOTABUG. Cascading permission deletion / "revoke everything granted to a user" / etc. is out of scope for now, but I imagine we'll need to handle something like this in the future.
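The two-level ownership model described in the comment above is easy to reason about in code. The following is an added example, not aeolus-conductor's own code: it models global role grants alongside grants scoped to a single deployment or a single instance, replays the reporter's steps (revoke the global roles, then try to stop an instance), and shows why the stop still succeeds until every grant the user holds is removed. The role names, privilege lists, class names and the `leftover_grants`/`replay_report` helpers are all assumptions made for the illustration.

```ruby
# Added example, not code from aeolus-conductor. It models the two-level
# permission scheme described in Comment 1: a user can hold global roles,
# plus role grants scoped to a single deployment or a single instance.
# Role names, privilege lists and class names here are assumptions.

Deployment = Struct.new(:id)
Instance   = Struct.new(:id, :deployment)

# Privileges each (assumed) role confers on the objects it is scoped to.
ROLE_PRIVILEGES = {
  'global_admin'     => %i[view launch stop],
  'deployment_owner' => %i[view launch stop],
  'instance_user'    => %i[view stop]
}.freeze

# A grant ties a user and a role to a target; a nil target means global.
Grant = Struct.new(:user, :role, :target)

class PermissionStore
  def initialize
    @grants = []
  end

  def grant(user, role, target = nil)
    @grants << Grant.new(user, role, target)
  end

  def grants_for(user)
    @grants.select { |g| g.user == user }
  end

  # Removes only the global (target-less) grants, which is what the
  # reporter did when revoking the default roles.
  def revoke_global_roles(user)
    @grants.reject! { |g| g.user == user && g.target.nil? }
  end

  # Cascading revocation: drop every grant the user holds at any level.
  def revoke_all(user)
    @grants.reject! { |g| g.user == user }
  end

  # An action on an instance is allowed if any grant in scope confers it:
  # a global grant, a grant on the owning deployment, or one on the instance.
  def allowed?(user, action, instance)
    grants_for(user).any? do |g|
      in_scope = g.target.nil? || g.target == instance || g.target == instance.deployment
      in_scope && ROLE_PRIVILEGES.fetch(g.role, []).include?(action)
    end
  end
end

# Human-readable list of what a user still holds; an audit check to run
# before assuming "all roles revoked" means "no access".
def leftover_grants(store, user)
  store.grants_for(user).map do |g|
    scope = g.target ? "#{g.target.class.name.downcase}:#{g.target.id}" : 'global'
    "#{g.role}@#{scope}"
  end
end

# Replays the report: launching creates owner grants on both the deployment
# and the instance, revoking the global roles leaves those intact, and only
# a cascading revoke removes the ability to stop the instance.
def replay_report
  store = PermissionStore.new
  dep   = Deployment.new('dep-1')
  inst  = Instance.new('i-1', dep)
  user  = 'akarol'

  store.grant(user, 'global_admin')
  store.grant(user, 'deployment_owner', dep)   # created by the launch
  store.grant(user, 'instance_user', inst)     # created by the launch

  result = { before: store.allowed?(user, :stop, inst) }
  store.revoke_global_roles(user)
  result[:after_global_revoke] = store.allowed?(user, :stop, inst)
  result[:leftover] = leftover_grants(store, user)
  store.revoke_all(user)
  result[:after_cascade] = store.allowed?(user, :stop, inst)
  result
end

puts replay_report.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints the four observations in order: the stop is allowed before any revocation, still allowed after the global roles are gone (with the deployment and instance grants listed as leftovers), and denied only after the cascading revoke. The `leftover_grants` listing is the check a verifier would want when deciding between "bug" and NOTABUG.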

Comment 2 wes hayutin 2012-03-19 18:16:51 UTC
*** Bug 798212 has been marked as a duplicate of this bug. ***

Comment 3 Rehana 2012-04-04 09:24:04 UTC
I have retested this in two different scenarios:

1. Revoked all the global roles --> the user is still able to stop the VM, as the user has local permissions (zone user, application owner roles).

2. After revoking the local permissions (zone user, application owner roles), the user was unable to view the zone and applications respectively.

on:

rpm -qa | grep aeolus
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-0.8.7-1.el6.noarch
aeolus-conductor-doc-0.8.7-1.el6.noarch
aeolus-conductor-daemons-0.8.7-1.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.7-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch

Comment 4 Scott Seago 2012-04-04 13:28:24 UTC
From the last comment, it sounds like this is working fine -- at least the description in the comment sounds like what I'd expect it to do.

Comment 5 pushpesh sharma 2012-04-05 06:56:32 UTC
As per comment #3: "after revoking the local permissions zone user, application owner roles user was unable to view zone and applications perspective."

I have a similar observation after revoking rights. Marking this bug as Verified.