Bug 923100

Summary: User who can't manipulate users, can add user if he has manipulate_permission action group.
Product: Red Hat Enterprise Virtualization Manager Reporter: Ondra Machacek <omachace>
Component: ovirt-engineAssignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE QA Contact: Ondra Machacek <omachace>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: acathrow, bazulay, iheim, jkt, lpeer, pstehlik, Rhev-m-bugs, yeylon, yzaslavs
Target Milestone: ---   
Target Release: 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: is15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1019461    

Description Ondra Machacek 2013-03-19 08:19:16 UTC
Description of problem:
When user has manipulate_permission action group, and don't have manipulate_users action group, then he can add permission to user, who is not added in the system, thus he can add user to the system.

Version-Release number of selected component (if applicable):
sf10

How reproducible:
always

Steps to Reproduce:
1. Add ClusterAdmin permissions to user1 on cluster.
2. Login as user1.
3. Add UserVmManager permissions to cluster to user who is not added to the system yet.
  
Actual results:
Action succeed.

Expected results:
Action fail, because ClusterAdmin don't have manipulate_users action group.
If ClusterAdmin try to add user via Users tab => add user, then the action fail.

Additional info:
2013-03-19 09:15:28,291 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-39) [37540286] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups
2013-03-19 09:15:30,037 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-8) Running command: LoginUserCommand internal: false.
2013-03-19 09:15:30,045 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-8) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 09:15:30,045 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-8) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 09:15:30,645 INFO  [org.ovirt.engine.core.bll.LogoutUserCommand] (ajp-/127.0.0.1:8702-1) [107c92f4] Running command: LogoutUserCommand internal: false.
2013-03-19 09:15:37,483 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-15) Running command: LoginAdminUserCommand internal: false.
2013-03-19 09:15:38,270 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-7) Running command: LoginUserCommand internal: false.
2013-03-19 09:15:38,281 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-7) calling GetConfigurationValueQuery (ApplicationMode) with null version, using default general for version
2013-03-19 09:15:38,281 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-7) calling GetConfigurationValueQuery (VdcVersion) with null version, using default general for version
2013-03-19 09:15:43,119 WARN  [org.ovirt.engine.core.bll.GetConfigurationValueQuery] (ajp-/127.0.0.1:8702-18) calling GetConfigurationValueQuery (WebAdminUpperRightButtonURL) with null version, using default general for version
2013-03-19 09:16:01,531 INFO  [org.ovirt.engine.core.bll.AddPermissionCommand] (pool-3-thread-39) [3b82c592] Running command: AddPermissionCommand internal: false. Entities affected :  ID: fea51314-f9bf-45a0-9c5b-3bb2085b1876 Type: VdsGroups

Comment 1 Yair Zaslavsky 2013-03-24 16:49:09 UTC
AddPermissionCommand parameters include two fields -
vdcUser and adGroup - one of them is filled with the user or group to be added a permission for (+ to be added to db in case the user/group is not in DB).
We should add a check during getPermissionsSubject to check if the user/group is not a DB - and if not in db, we should check for a permission to manipulate users (similar to the check in AddUserCommand).

Comment 3 Itamar Heim 2014-01-21 22:24:34 UTC
Closing - RHEV 3.3 Released

Comment 4 Itamar Heim 2014-01-21 22:25:24 UTC
Closing - RHEV 3.3 Released

Comment 5 Itamar Heim 2014-01-21 22:28:56 UTC
Closing - RHEV 3.3 Released