Bug 839569

Summary: [RHVM-ENGINE] Engine should not return all host details for non-admin users

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Virtualization Manager |
| Component | ovirt-engine |
| Version | 3.1.0 |
| Reporter | Michael Pasternak <mpastern> |
| Assignee | Oved Ourfali <oourfali> |
| QA Contact | Ondra Machacek <omachace> |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | urgent |
| CC | acathrow, bazulay, dyasny, iheim, lpeer, oourfali, oramraz, Rhev-m-bugs, sgrinber, yeylon, ykaul, yzaslavs |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | infra |
| Fixed In Version | si12 |
| Doc Type | Bug Fix |
| Type | Bug |
| oVirt Team | Infra |
Description

Michael Pasternak, 2012-07-12 10:34:09 UTC:

Not sure if the correct approach is to keep GetVdsCertificateSubjectByVdsId as a user query, or wrap it with a user query of GetVdsCertificateSubjectByVmId at the end. Users should not be able to GET /hosts resources at all, but the VM resource should expose display_addr/port/host_subject for console.

*** Bug 839227 has been marked as a duplicate of this bug. ***

Posted a patch for that: http://gerrit.ovirt.org/#/c/6542

Information on the contents of this patch (also answering Yaniv's question):

1. Block users from getting Host information via REST API (both host resource, and relevant host data in the VM resource).
2. Add GetManagementInterfaceAddressByVmIdQuery, removing GetManagementInterfaceAddressByVdsIdQuery (as it isn't used anywhere).
3. Add GetVdsCertificateSubjectByVmIdQuery which uses the existing GetVdsCertificateSubjectByVdsIdQuery (as this query is also used in other scenarios).
4. Update VncConsoleModel and SpiceConsoleModel to work with the new queries.

So, need to test that when using User level API:

1. The user can't access /api/hosts (error 403, forbidden).
2. The user can't access a specific host (/api/host/<some guid>).
3. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>), the user doesn't see any host information.
4. When getting all VMs (/api/vms), or a specific one (/api/vms/<some guid>), the user neither sees any placement policy information, nor can change it! i.e., only administrators are allowed to change the placement policy.

Commit: 1ca8d9e215bbf94138dac4ff1aa6055321fb438d
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=1ca8d9e215bbf94138dac4ff1aa6055321fb438d
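The four user-level API checks listed above, turned into an offline verification helper as an added example (this is not code from the oVirt project or from this bug report). It assumes the REST responses are XML with a `<vm>` element whose direct children include `host`, `placement_policy` and `display`; the element names and the sample documents below are constructed for the example, so adjust them to the real API output when wiring this into a test suite.

```python
"""Offline checker for the non-admin expectations in bug 839569.

Added example, not oVirt project code. Element names are assumed from
the API shape the bug describes (host / placement_policy / display).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import List

# A user-level session must never see these as direct children of <vm>.
FORBIDDEN_VM_ELEMENTS = ("host", "placement_policy")
# Console access still needs the display address/port, so this must stay.
REQUIRED_VM_ELEMENTS = ("display",)


def check_host_access(path: str, status: int) -> List[str]:
    """Checks 1 and 2: any /api/hosts path must answer 403 to a user session."""
    problems: List[str] = []
    if path.startswith("/api/hosts") and status != 403:
        problems.append(f"{path}: expected 403 for user session, got {status}")
    return problems


def check_vm_representation(xml_text: str) -> List[str]:
    """Checks 3 and 4: report host/placement data leaked in a <vm> or <vms> body."""
    root = ET.fromstring(xml_text)
    vms = [root] if root.tag == "vm" else root.findall("vm")
    findings: List[str] = []
    for vm in vms:
        vm_id = vm.get("id", "?")
        for tag in FORBIDDEN_VM_ELEMENTS:
            # find() matches direct children only, which is what we want here:
            # <display> may legitimately carry address/port for the console.
            if vm.find(tag) is not None:
                findings.append(f"vm {vm_id}: leaks <{tag}> to non-admin user")
        for tag in REQUIRED_VM_ELEMENTS:
            if vm.find(tag) is None:
                findings.append(f"vm {vm_id}: missing <{tag}>, console would be unusable")
    return findings


# Constructed sample bodies (not captured from a real engine).
ADMIN_VIEW = """<vm id="vm-1"><name>w1</name>
  <host id="host-aaaa"/>
  <placement_policy><host id="host-aaaa"/><affinity>migratable</affinity></placement_policy>
  <display><type>spice</type><address>10.0.0.5</address><port>5900</port></display>
</vm>"""

USER_VIEW = """<vms><vm id="vm-1"><name>w1</name>
  <display><type>spice</type><address>10.0.0.5</address><port>5900</port></display>
</vm></vms>"""

if __name__ == "__main__":
    # The pre-fix shape fails both checks; the post-fix shape is clean.
    for line in check_host_access("/api/hosts", 200) + check_vm_representation(ADMIN_VIEW):
        print("FAIL", line)
    print("user view findings:", check_vm_representation(USER_VIEW))
```

Feed `check_host_access` the status code returned to a user-credentialed request and `check_vm_representation` the response body; an empty list from both means the representation matches what the patch is meant to enforce.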