Bug 809088

Summary: Global Provider User not able to use any provider
Product: [Retired] CloudForms Cloud Engine
Reporter: Shveta <ssachdev>
Component: aeolus-conductor
Assignee: Angus Thomas <athomas>
Status: CLOSED NOTABUG
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: akarol, deltacloud-maint, hbrock, ssachdev, sseago
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-05-07 17:28:15 UTC
Attachments (Description / Flags):
Roles / none
cluster_1 / none
cluster / none

Description Shveta 2012-04-02 13:10:33 UTC
Created attachment 574499 [details]
Roles

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Created a user shveta and assigned the role Global Provider User, as shown in screenshot one (Roles)
2. Logged in as shveta; under Cloud resource Provider, "Insufficient Privileges to perform this action" is displayed, screenshot 2 (Cloud_resource_provider)
3. As mentioned here https://www.aeolusproject.org/redmine/projects/aeolus/wiki/Roles_list 


Global Provider User

    View Provider
        Can view any provider
    Use Provider
        Can perform certain actions using any provider (currently map any provider or its back-end realms to a front-end Realm)


It is not working as mentioned.
  
Actual results:


Expected results:


Additional info:

rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.7-1.el6.noarch
aeolus-conductor-0.8.7-1.el6.noarch
rubygem-aeolus-cli-0.3.1-1.el6.noarch
rubygem-aeolus-image-0.3.0-12.el6.noarch
aeolus-conductor-daemons-0.8.7-1.el6.noarch
aeolus-configure-2.5.2-1.el6.noarch
aeolus-all-0.8.7-1.el6.noarch

Comment 1 Scott Seago 2012-04-02 15:49:38 UTC
What did you try to do with this user? I think right now the only place that the 'use' permission on providers is checked is for adding Realm/cluster mappings. If you can do that, this role is working properly. There is currently an issue (already in BZ) that provider user can't access the provider details page. The reason is that, for now, the provider details page is the edit page, which currently requires Modify permissions.

Also, I noticed that when you added the 'provider user' -- you did it by removing the 'Global Profile User' permissions. Note that the roles doc already cautions that if you remove 'Global Profile User' your user will no longer be able to launch Applications, since access to the profiles is required.

Comment 2 Shveta 2012-04-03 04:22:36 UTC
Created attachment 574729 [details]
cluster_1

OK, I tried using providers in clusters, but as shown in the attached screenshot, I can't create a new cluster with this role, nor can I edit an existing cluster.

Comment 3 Shveta 2012-04-03 04:23:06 UTC
Created attachment 574730 [details]
cluster

Comment 4 Scott Seago 2012-04-03 14:22:55 UTC
Global Provider User doesn't grant access to create realm -- it just includes the proper permissions on the providers. Create/edit cluster permissions are currently only included in "Global Realm Administrator" or the overall Administrator role.

The issue here is you need permissions on both ends of the association -- permission to edit realms, and permission to access providers. We haven't included global provider access in the Realm Admin role since it's possible that there may be users who need to create realms but don't have permission to access all providers. Since there's a valid use case for separating the permissions, we've made them separate roles. Some 'Realm Admins' may also have global provider user, but others may have only permission to map selected providers.

Comment 5 Scott Seago 2012-04-03 14:24:00 UTC
In the future we'll provide a "role management" UI that will allow administrators to add/remove privileges from the defined roles, which would allow these two to be combined in situations where it makes sense.

Comment 6 wes hayutin 2012-04-17 21:11:55 UTC
Scott, are we saying this is an RFE, or a future bug?

Comment 7 Scott Seago 2012-04-18 01:35:58 UTC
Wes: Neither -- I'm saying that this is not a bug -- in order to map providers to realms you need the ability to Create/Modify realms _and_ the ability to use the provider you're mapping. The last comment about a future 'role management' UI is just pointing out that at some point in the future, an administrator could combine both roles in one, but for now they're separate since it's not clear that in all cases they should be combined (some customers may want to have a finer-grained control over what providers the Realm admins have access to).

However, I would not construe this bug as "fixed by a role management UI" -- I think it's simply NOTABUG. Things are working as we designed them to work here. Whether (and when) we add a role management UI will be driven by the post-1.0 feature development process, and it really doesn't relate to the subject of this bug directly.

Comment 8 Hugh Brock 2012-05-07 17:28:15 UTC
Closing per Scott
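
Added example (not part of the original thread and not Aeolus Conductor code): a minimal Ruby model of the two-sided check described in comments 4 and 7, where mapping a provider to a realm requires both realm Modify and provider Use. The role names "Global Provider User" and "Global Realm Administrator" come from the thread; the privilege symbols, the Grant struct, the per-object "Provider User" role and the provider names are assumptions made for illustration.

```ruby
# Added illustration; not Aeolus Conductor source. Role names come from the
# thread; privilege symbols, Grant, and the provider names are hypothetical.
ROLES = {
  "Global Provider User"       => { provider: %i[view use] },
  "Global Realm Administrator" => { realm: %i[view create modify] },
  # Hypothetical per-object role for "permission to map selected providers".
  "Provider User"              => { provider: %i[view use] },
}.freeze

# A grant ties a role to a user; scope nil means global (any object of the type).
Grant = Struct.new(:role, :scope)

def allowed?(grants, type, action, object = nil)
  grants.any? do |g|
    ROLES.fetch(g.role).fetch(type, []).include?(action) &&
      (g.scope.nil? || g.scope == object)
  end
end

# Mapping a provider to a front-end realm touches both ends of the
# association, so both checks must pass; either one alone is denied.
def can_map_provider?(grants, provider)
  allowed?(grants, :realm, :modify) &&
    allowed?(grants, :provider, :use, provider)
end

# Returns the privileges still missing, for audit logs or error messages.
def missing_for_mapping(grants, provider)
  missing = []
  missing << "modify realm" unless allowed?(grants, :realm, :modify)
  missing << "use provider #{provider}" unless allowed?(grants, :provider, :use, provider)
  missing
end

# Constructed users matching the cases discussed in the thread.
PROVIDER_USER  = [Grant.new("Global Provider User", nil)]
REALM_ADMIN    = [Grant.new("Global Realm Administrator", nil)]
BOTH_GLOBAL    = PROVIDER_USER + REALM_ADMIN
REALM_SELECTED = REALM_ADMIN + [Grant.new("Provider User", "provider-a")]
```

REALM_SELECTED models the realm administrator who may map only selected providers: the check passes for "provider-a" and fails for any other provider.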