
Bug 1089647

Summary: /broker/rest/teams returns all global teams for users with view_global_teams capability
Product: OpenShift Container Platform
Component: Node
Version: 2.1.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Gaoyun Pei <gpei>
Assignee: Brenton Leanhardt <bleanhar>
QA Contact: libra bugs <libra-bugs>
CC: bleanhar, jliggitt, libra-onpremise-devel, xtian, zzhao
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Clone Of: 1088941
Bug Depends On: 1088941
Last Closed: 2014-05-15 14:40:04 UTC

Description Gaoyun Pei 2014-04-21 10:32:36 UTC
We need to pick up this patch for the new feature. 

+++ This bug was initially created as a clone of Bug #1088941 +++

Description of problem:
/broker/rest/teams should return teams the user is a member of. Instead, it also includes all global teams if the user has view_global_teams permission. The number of global teams could be very large, and global teams are intended to be found via search, not by listing and traversing.


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Create a global team containing no members (oo-admin-ctl-team -c create -n "Global team 1" --maps-to "team1group")
2. Create a user with the view_global_teams capability (oo-admin-ctl-user -l bob -c --allowviewglobalteams true)
3. As that user, access /broker/rest/teams

Actual results:
The global team is included

Expected results:
The global team should not be included unless the user is a member

Additional info:

--- Additional comment from Jordan Liggitt on 2014-04-17 11:31:28 EDT ---

Will merge in https://github.com/openshift/origin-server/pull/5298

--- Additional comment from openshift-github-bot on 2014-04-17 12:23:59 EDT ---

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/3fd9778cb7f8770fe597a78adcf26e1c50343b1a
Bug 1088941: Exclude non-member global teams from index

--- Additional comment from zhaozhanqi on 2014-04-17 23:23:47 EDT ---

Assigned this bug.

If the user is a member of a global team, then even if --allowviewglobalteams is set to 'false', the user can still view the team.


1. Set --allowviewglobalteams to false
   #oo-broker oo-admin-ctl-user -l zzhao --allowviewglobalteams false


Setting view_global_teams capability to false for user zzhao... Done.
User zzhao:
                            plan: free
                consumed domains: 0
                     max domains: 1
                  consumed gears: 0
                       max gears: 3
    max tracked storage per gear: 0
  max untracked storage per gear: 0
                       max teams: 0
viewing all global teams allowed: false
            plan upgrade enabled: true
                      gear sizes: small
            sub accounts allowed: false
private SSL certificates allowed: false
              inherit gear sizes: false
                      HA allowed: false

2. Check the team via the REST API

[root@ip-10-153-148-122 local]# curl  -k  -s  -H "Accept:application/xml"  https://localhost/broker/rest/teams/ -u zzhao
Enter host password for user 'zzhao':
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <status>ok</status>
  <type>teams</type>
  <data>
    <team>
      <id>535091228a2c7af85d000001</id>
      <name>g1</name>
      <maps-to>1</maps-to>
      <global>true</global>
      <links>
        <link>
          <rel>Get team</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001</href>
          <required-params/>
          <optional-params/>
        </link>
        <link>
          <rel>list members</rel>
          <method>GET</method>
          <href>https://localhost/broker/rest/team/535091228a2c7af85d000001/members</href>
          <required-params/>
          <optional-params/>
        </link>
      </links>
    </team>
  </data>
  <messages>
    <message>
      <severity>info</severity>
      <text>Listing teams for user zzhao</text>
      <exit-code>0</exit-code>
      <field nil="true"></field>
      <index nil="true"></index>
    </message>
  </messages>
  <version>1.6</version>
  <api-version>1.6</api-version>
  <supported-api-versions>
    <supported-api-version>1.0</supported-api-version>
    <supported-api-version>1.1</supported-api-version>
    <supported-api-version>1.2</supported-api-version>
    <supported-api-version>1.3</supported-api-version>
    <supported-api-version>1.4</supported-api-version>
    <supported-api-version>1.5</supported-api-version>
    <supported-api-version>1.6</supported-api-version>
  </supported-api-versions>
</response>

--- Additional comment from Jordan Liggitt on 2014-04-17 23:25:31 EDT ---

Users can always view teams they are a member of. view_global_teams capability controls searching all global teams, and viewing global teams the user is not a member of.

Behavior described in comment 3 is correct: "if user is member of global team , then even if --allowviewglobalteams set to 'false', the user still can view the team."

--- Additional comment from zhaozhanqi on 2014-04-18 01:08:33 EDT ---

Then I don't understand the function of the '--allowviewglobalteams' option?

1) If the user is not a member of a global team, no matter whether --allowviewglobalteams is true or false, the user cannot view the global team.

2) If the user is a member of a global team, no matter whether --allowviewglobalteams is true or false, the user can still view the global team.

--- Additional comment from Jordan Liggitt on 2014-04-18 01:11:15 EDT ---

If view_global_teams is true:
1. the user can search for global teams using /broker/rest/teams?search=...&global=true
2. the user can view global teams they are not a member of using /broker/test/team/:id

If view_global_teams is false:
1. the user cannot search for global teams at all using /broker/rest/teams?search=...&global=true
2. the user can only view a global team directly using /broker/test/team/:id if they are a member of the global team

The purpose of the capability is to prevent a user from searching for global teams, or viewing global teams they are not a member of

--- Additional comment from zhaozhanqi on 2014-04-18 01:23:40 EDT ---

Sorry, I am a little confused.

This bug has a small contradiction with comment 6:

1. The bug's expected result is that the user cannot view the global team when view_global_teams is true and the user is not a member,

 and

Comment 6 says the user can view global teams they are not a member of using /broker/test/team/:id

--- Additional comment from Jordan Liggitt on 2014-04-18 01:30:44 EDT ---

This bug is about the LIST_TEAMS API:
"LIST_TEAMS": {
    "href": "https://.../broker/rest/teams",
    "method": "GET",
    "optional_params": [ ],
    "rel": "List all teams you are a member of",
    "required_params": [ ]
},

/broker/rest/teams should only list teams the user is a member of

The bug expected result is that only global teams they are a member of appear in LIST_TEAMS.

Comment 6 is also correct, they can view any global team directly using /broker/rest/team/:id

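The listing, search and direct-view rules laid out in comments 6 and 8, as an added example (not origin-server code): a small Ruby model of the three endpoints, with the reported buggy index beside the fixed one. The class, method and error names (TeamApi, list_teams_buggy, list_teams, search_global_teams, show_team, NotPermitted) and the sample teams and users are assumptions for illustration only; the error text reuses the message quoted in comment 3 of this bug.

```ruby
# Added example, not the broker's implementation: a model of the team
# authorization rules discussed in this bug. All names below are assumed.

NotPermitted = Class.new(StandardError)

Team = Struct.new(:id, :name, :global, :members) do
  def member?(login)
    members.include?(login)
  end
end

User = Struct.new(:login, :view_global_teams)

class TeamApi
  def initialize(teams)
    @teams = teams
  end

  # Buggy LIST_TEAMS (the behaviour reported here): unions the user's
  # own teams with ALL global teams whenever the user holds
  # view_global_teams, so the index grows with the global team count.
  def list_teams_buggy(user)
    own = @teams.select { |t| t.member?(user.login) }
    own |= @teams.select(&:global) if user.view_global_teams
    own
  end

  # Fixed LIST_TEAMS: membership only, regardless of the capability
  # (the "Exclude non-member global teams from index" change).
  def list_teams(user)
    @teams.select { |t| t.member?(user.login) }
  end

  # GET /broker/rest/teams?search=...&global=true
  # Searching global teams requires view_global_teams; without it the
  # request is refused outright rather than returning an empty list.
  def search_global_teams(user, query)
    unless user.view_global_teams
      raise NotPermitted,
            "You are not permitted to perform this action (view_global_teams on cloud user)"
    end
    @teams.select { |t| t.global && t.name.downcase.include?(query.downcase) }
  end

  # GET /broker/rest/team/:id
  # Viewable if the user is a member, or if the team is global and the
  # user holds view_global_teams. Non-members without the capability
  # are refused, as are non-global teams the user does not belong to.
  def show_team(user, id)
    team = @teams.find { |t| t.id == id }
    raise NotPermitted, "team not visible" if team.nil?
    return team if team.member?(user.login)
    return team if team.global && user.view_global_teams
    raise NotPermitted, "team not visible"
  end
end

# Constructed sample data mirroring the setups in the bug report and comment 3.
TEAMS = [
  Team.new("t1", "Global team 1", true, []),       # global, no members
  Team.new("t2", "g1", true, ["zzhao"]),           # global, zzhao is a member
  Team.new("t3", "private team", false, ["bob"])   # non-global
].freeze

BOB   = User.new("bob", true)    # --allowviewglobalteams true
ZZHAO = User.new("zzhao", false) # --allowviewglobalteams false

API = TeamApi.new(TEAMS)

if __FILE__ == $PROGRAM_NAME
  p API.list_teams_buggy(BOB).map(&:name)
  p API.list_teams(BOB).map(&:name)
  p API.list_teams(ZZHAO).map(&:name)
end
```

The distinction the model makes explicit is that membership and the capability are checked at different endpoints: the index never consults the capability at all, search is gated on it, and the direct GET accepts either membership or the capability. Collapsing these into one "can the user see global teams?" check is what produced the oversized index.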
--- Additional comment from zhaozhanqi on 2014-04-18 01:52:00 EDT ---

OK, got it, sorry for wasting your time on this. Thanks very much.

Then verified this bug on devenv_stage_812:

cannot list the global team via the REST API at /broker/rest/teams,

but can list the global team via /broker/rest/teams/:id

Comment 2 Brenton Leanhardt 2014-04-21 12:17:59 UTC
I'll pull this from upstream in today's build.

Comment 3 Gaoyun Pei 2014-04-23 10:38:33 UTC
This issue has been resolved on puddle: 2.1/2014-04-22.2
Users cannot get the full list of global teams via /broker/rest/teams; it only shows teams that belong to the user or of which the user is a member.

For users with view_global_teams=true, they can search global teams via /broker/rest/teams, and can get global team info via /broker/rest/team/:id.

For users with view_global_teams=false, they cannot search global teams; the error "You are not permitted to perform this action (view_global_teams on cloud user)" is returned. But the user can still get global team info via /broker/rest/team/:id if they are a member of that global team.

So once the status changes to ON_QA, QE will move this bug to VERIFIED.

Comment 4 Gaoyun Pei 2014-04-24 08:10:26 UTC
Move it to VERIFIED according to Comment 3