Description of problem:
/broker/rest/teams should return teams the user is a member of. Instead, it also includes all global teams if the user has the view_global_teams permission. The number of global teams could be very large, and global teams are intended to be found via search, not by listing and traversing.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create a global team containing no members (oo-admin-ctl-team -c create -n "Global team 1" --maps-to "team1group")
2. Create a user with the view_global_teams capability (oo-admin-ctl-user -l bob -c --allowviewglobalteams true)
3. As the user, access /broker/rest/teams

Actual results:
The global team is included

Expected results:
The global team should not be included unless the user is a member

Additional info:
Will merge in https://github.com/openshift/origin-server/pull/5298
Commit pushed to master at https://github.com/openshift/origin-server
https://github.com/openshift/origin-server/commit/3fd9778cb7f8770fe597a78adcf26e1c50343b1a
Bug 1088941: Exclude non-member global teams from index
Assigned this bug. If the user is a member of a global team, then even if --allowviewglobalteams is set to 'false', the user can still view the team.

1. Set --allowviewglobalteams to false

#oo-broker oo-admin-ctl-user -l zzhao --allowviewglobalteams false
Setting view_global_teams capability to false for user zzhao... Done.
User zzhao:
  plan: free
  consumed domains: 0
  max domains: 1
  consumed gears: 0
  max gears: 3
  max tracked storage per gear: 0
  max untracked storage per gear: 0
  max teams: 0
  viewing all global teams allowed: false
  plan upgrade enabled: true
  gear sizes: small
  sub accounts allowed: false
  private SSL certificates allowed: false
  inherit gear sizes: false
  HA allowed: false

2. Check the team via the REST API

[root@ip-10-153-148-122 local]# curl -k -s -H "Accept:application/xml" https://localhost/broker/rest/teams/ -u zzhao
Enter host password for user 'zzhao':
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <type>teams</type>
  <data>
    <team>
      <id>535091228a2c7af85d000001</id>
      <name>g1</name>
      <maps-to>1</maps-to>
      <global>true</global>
      <links>
        <link>
          <rel>Get team</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001</href>
          <required-params/>
          <optional-params/>
        </link>
        <link>
          <rel>list members</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001/members</href>
          <required-params/>
          <optional-params/>
        </link>
      </links>
    </team>
  </data>
  <messages>
    <message>
      <severity>info</severity>
      <text>Listing teams for user zzhao</text>
      <exit-code>0</exit-code>
      <field nil="true"></field>
      <index nil="true"></index>
    </message>
  </messages>
  <version>1.6</version>
  <api-version>1.6</api-version>
  <supported-api-versions>
    <supported-api-version>1.0</supported-api-version>
    <supported-api-version>1.1</supported-api-version>
    <supported-api-version>1.2</supported-api-version>
    <supported-api-version>1.3</supported-api-version>
    <supported-api-version>1.4</supported-api-version>
    <supported-api-version>1.5</supported-api-version>
    <supported-api-version>1.6</supported-api-version>
  </supported-api-versions>
</response>
Users can always view teams they are a member of. The view_global_teams capability controls searching all global teams, and viewing global teams the user is not a member of. The behavior described in comment 3 is correct: "if user is member of global team, then even if --allowviewglobalteams set to 'false', the user still can view the team."
Then I don't know the function of the option '--allowviewglobalteams'?
1) If the user is not a member of a global team, no matter whether --allowviewglobalteams is true or false, the user cannot view the global team.
2) If the user is a member of a global team, no matter whether --allowviewglobalteams is true or false, the user can still view the global team.
If view_global_teams is true:
1. the user can search for global teams using /broker/rest/teams?search=...&global=true
2. the user can view global teams they are not a member of using /broker/rest/team/:id

If view_global_teams is false:
1. the user cannot search for global teams at all using /broker/rest/teams?search=...&global=true
2. the user can only view a global team directly using /broker/rest/team/:id if they are a member of the global team

The purpose of the capability is to prevent a user from searching for global teams, or viewing global teams they are not a member of.
Sorry, I have a little confusion. This bug has a little contradiction with comment 6:
1. The bug's expected result is that the user cannot view the global team when view_global_teams is true and the user is not a member, and comment 6 said the user can view global teams they are not a member of using /broker/rest/team/:id.
This bug is about the LIST_TEAMS API:

"LIST_TEAMS": {
  "href": "https://.../broker/rest/teams",
  "method": "GET",
  "optional_params": [ ],
  "rel": "List all teams you are a member of",
  "required_params": [ ]
},

/broker/rest/teams should only list teams the user is a member of. The bug's expected result is that only global teams they are a member of appear in LIST_TEAMS. Comment 6 is also correct: they can view any global team directly using /broker/rest/team/:id.
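The visibility rules laid out in comment 6 and comment 8, modelled as an added example; this is not origin-server code, and the Team, User and TeamVisibility names, the sample teams and the sample users are constructed for illustration.

```ruby
# Added example (not origin-server code). Models the three access paths
# discussed in this bug: LIST_TEAMS, global-team search, and direct GET.
Team = Struct.new(:id, :name, :global, :member_ids)
User = Struct.new(:login, :view_global_teams)   # --allowviewglobalteams

class TeamVisibility
  def initialize(teams)
    @teams = teams
  end

  # LIST_TEAMS (/broker/rest/teams): membership only. The capability must
  # not widen this list, which is what the bug fix enforces.
  def list_teams(user)
    @teams.select { |t| t.member_ids.include?(user.login) }
  end

  # /broker/rest/teams?search=...&global=true: the capability gates search;
  # without it no global team is returned, member or not.
  def search_global_teams(user, query)
    return [] unless user.view_global_teams
    @teams.select { |t| t.global && t.name.downcase.include?(query.downcase) }
  end

  # /broker/rest/team/:id: members always see their team; non-members see a
  # global team only when the capability is set.
  def can_view_team?(user, team_id)
    team = @teams.find { |t| t.id == team_id }
    return false if team.nil?
    return true if team.member_ids.include?(user.login)
    team.global && user.view_global_teams
  end
end

# Constructed sample data mirroring the thread: bob has the capability and
# no global memberships; zzhao lacks it but is a member of one global team.
TEAMS = [
  Team.new("t1", "Global team 1", true,  []),
  Team.new("t2", "Global team 2", true,  ["zzhao"]),
  Team.new("t3", "Private team",  false, ["bob", "zzhao"]),
]
BOB   = User.new("bob",   true)
ZZHAO = User.new("zzhao", false)
```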
OK, got it, sorry for wasting your time on this. Thanks very much. Then verified this bug on devenv_stage_812: cannot list the global team via the REST API at /broker/rest/teams, but can list the global team via /broker/rest/teams/:id.