| Summary: | Do not allow users without any global role grants to see Administer in the UI | | |
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | james labocki <jlabocki> |
| Component: | aeolus-conductor | Assignee: | Angus Thomas <athomas> |
| Status: | CLOSED EOL | QA Contact: | Rehana <aeolus-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.0.0 | CC: | akarol, cpelland, deltacloud-maint, hbrock, ssachdev, sseago |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-27 18:05:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
james labocki
2012-03-19 07:25:26 UTC
This is not quite correct -- and (broken record time) why 'Administer' is not a good name for the second top level tab. There are various things that users with no global level permissions still need access to. For example:
1) Cloud/Pool Family Administrator (not global here) -- the Cloud/Pool Family UI is on the 'Administer' side
2) Cloud Image Administrator (also not global) -- the Image build/push UI is under the Cloud UI
3) even regular end users will have permission to see the image list within Clouds they have permissions on
4) Regular users with no global role grants have permission to see the Realm/Cluster mappings
5) non-global admins may have rights on individual Providers and Provider Accounts (which belongs to the 'administer' side)
In addition every user has at least one global role grant by default ('Global HWP User') without which the user won't be able to launch anything -- so the test of "any global role grant" will show the administer tab anyway.
Also -- be careful not to specify behavior based on specific role grants since a role is just a collection of lower-level privileges that are assigned as a group. All permission checks should check against specific low-level privileges in the context of a specific resource (or object type). For example the details page for a specific provider (under 'administer') will be shown whether the user has global provider view privilege via the "Administrator" role or global provider view privilege via the "Provider Administrator" (more limited admin) role or simply the "Provider User" role on that one provider (no global role at all).
As it stands now, we should be filtering everything by permissions below the top level tabs anyway -- there are a couple bugs open to address a few situations where we're not yet doing that properly.
Post-1.0 I'd like to see the top level (Monitor and Administer) re-named something more accurate (something like "Front end" and "back end", or whatever we eventually settle on for "Clouds" and "Providers") (in that case we'd need to move the 'Clouds' tab over from second main tab back to the first). But that's a different discussion entirely.
As for this bug, I don't think showing the tab is a bug, given the many situations in which non-global-admin users need access to something on the 'administer' side.
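
The distinction drawn in the comment above between testing for a role grant and testing for a low-level privilege on a specific resource, as an added Ruby example (not aeolus-conductor code). The role names come from the comment; the class names, the privilege sets assigned to each role, and the sample providers are assumptions made for illustration.

```ruby
# Added example, not aeolus-conductor code. Class names and privilege sets are hypothetical.
Resource = Struct.new(:type, :name)
Role     = Struct.new(:name, :privileges) # privileges: [[object_type, action], ...]
Grant    = Struct.new(:role, :scope)      # scope: :global or one Resource

ROLES = {
  admin:          Role.new("Administrator",          [[:provider, :view], [:provider, :modify]]),
  provider_admin: Role.new("Provider Administrator", [[:provider, :view], [:provider, :modify]]),
  provider_user:  Role.new("Provider User",          [[:provider, :view]]),
  hwp_user:       Role.new("Global HWP User",        [[:hwp, :use]])
}.freeze

class User
  def initialize(grants)
    @grants = grants
  end

  # The test proposed in the bug summary: true for every user, because of the default grant.
  def any_global_grant?
    @grants.any? { |g| g.scope == :global }
  end

  # Privilege check: one action on one resource, via any grant whose scope covers it.
  def can?(action, resource)
    @grants.any? do |g|
      (g.scope == :global || g.scope == resource) &&
        g.role.privileges.include?([resource.type, action])
    end
  end
end

# Filter below the tab: list only the providers this user may view.
def visible_providers(user, providers)
  providers.select { |p| user.can?(:view, p) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  ec2, rhevm = Resource.new(:provider, "ec2"), Resource.new(:provider, "rhevm")
  default = Grant.new(ROLES[:hwp_user], :global)
  users = {
    "end user"       => User.new([default]),
    "provider user"  => User.new([default, Grant.new(ROLES[:provider_user], ec2)]),
    "administrator"  => User.new([default, Grant.new(ROLES[:admin], :global)])
  }
  users.each do |label, u|
    puts "#{label}: global_grant=#{u.any_global_grant?} providers=#{visible_providers(u, [ec2, rhevm]).map(&:name)}"
  end
end
```

The role-grant test returns true for all three users, while the per-resource privilege check separates them.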