Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1103145

Summary: User couldn't add global team(the user is a member of) as a member by team name when doesn't have view_global_teams permission
Product: OpenShift Container Platform Reporter: Gaoyun Pei <gpei>
Component: NodeAssignee: Brenton Leanhardt <bleanhar>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: high    
Version: 2.1.0CC: adellape, bleanhar, jliggitt, jokerman, libra-onpremise-devel, mmccomas
Target Milestone: ---Keywords: Upstream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
If a developer was part of a global team but did not have the view_global_teams capability enabled on their account, they could add the global team as a member of their domain using the ID but not using the name. This issue was caused by the view_global_teams capability, which is only intended to control the ability to search and view global teams, unintentionally blocking the functionality. This bug fix updates this capability to allow the addition of global teams as domain members using either the ID or name as intended.
 Story Points: ---
Clone Of: 1103131 Environment:
Last Closed: 2014-08-04 13:27:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1103131    
Bug Blocks:    

Description Gaoyun Pei 2014-05-30 11:21:47 UTC 
+++ This bug was initially created as a clone of Bug #1103131 +++

Description of problem:
When a user doesn't have view_global_teams permission, he could add a global team(the user is a member of) by team id as a member under his domain, but the same action would fail when he tries using global team name.

--allowviewglobalteams swith should only working on controlling the capability to search and view any global team of the user, but the current work logic is blocking user adding global team as a member by name, while allowed by team id method.


Version-Release number of selected component (if applicable):
devenv_4830

How reproducible:
Always

Steps to Reproduce:
1. User "gpei" is a member of a global team "team1"
[root@ip-10-230-141-161 ~]# rhc team show -t team1 -l gpei
Team team1
----------
  ID:      538874956402458f90000001
  Global:  true
  Members: gpei (view)

And user "gpei" don't have the view_global_teams permission.
[root@ip-10-230-141-161 ~]# oo-broker oo-admin-ctl-user -l gpei

User gpei:
...
viewing all global teams allowed: false
...

2. Add the global team as a member to his domain via team name
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global 
Adding 1 editor to domain ... You are not permitted to perform this action (view_global_teams on cloud user)

3. Add the global team as a member to his domain via team id
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj --ids 538874956402458f90000001 --type team --global
Adding 1 editor to domain ... done


Actual results:
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global -d
DEBUG: Using config file /root/.openshift/express.conf
DEBUG: Authenticating with RHC::Auth::Token
DEBUG: Connecting to https://localhost/broker/rest/api
DEBUG: Finding domain jjj
DEBUG: Client supports API versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using token authentication
DEBUG: Created new httpclient
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG:    code 200   65 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG:    Using API version 1.7
DEBUG: Client API version 1.7 is not current. Refetching API
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG:    code 200   21 ms
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/domain/jjj
DEBUG:    code 200   31 ms
Adding 1 editor to domain ... DEBUG: Searching teams
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/teams?global=true search=team1
DEBUG:    code 403  162 ms
You are not permitted to perform this action (view_global_teams on cloud user)

When user add global team by name, REST api would search for the global team first, which is not allowed when the user don't have view_global_teams permission according to https://bugzilla.redhat.com/show_bug.cgi?id=1088941


Expected results:
User should have the ability to add a global team(the user is a member of) by name as a member under his domain, even the user don't have view_global_teams permission.


Additional info:
Comment 1 Jordan Liggitt 2014-05-30 20:26:17 UTC 
Fix available in https://github.com/openshift/origin-server/pull/5468
Comment 2 Brenton Leanhardt 2014-07-15 13:29:56 UTC 
Upstream commit:

commit 1e14237ddb04b758734955b170fb1f11d0470641
Author: Jordan Liggitt <jliggitt>
Date:   Fri May 30 10:54:52 2014 -0400

    Bug 1103131: Remove authorize! check and let Team.accessible() limit which global teams a user can see
Comment 5 Gaoyun Pei 2014-07-16 03:15:38 UTC 
Verify this bug on puddle 2.1.z/2014-07-15.1

User gpei have domain "00" and belongs to global team "team1". User gpei doesn't have view_global_teams permission

[root@broker ~]# oo-admin-ctl-user -l gpei


User gpei:
                            plan: 
                consumed domains: 1
                     max domains: 10
                  consumed gears: 0
                       max gears: 100
    max tracked storage per gear: 0
  max untracked storage per gear: 0
                       max teams: 0
viewing all global teams allowed: false
                      gear sizes: small, medium
            sub accounts allowed: false
private SSL certificates allowed: false
              inherit gear sizes: false
                      HA allowed: false


[root@dhcp-129-188 workspace]# rhc team list
Team team1
----------
  ID:      53c5e9f1db26c83b25000001
  Global:  true
  Members: gpei (view)

You are a member of 1 team.


[root@dhcp-129-188 workspace]# rhc member-add team1 -n 00 --type team --global
Adding 1 editor to domain ... DEBUG: Searching teams
done

[root@dhcp-129-188 workspace]# rhc member list -n 00
Name  Login Role          Type
----- ----- ------------- ----
gpei  gpei  admin (owner) user
team1       edit          team
Comment 7 errata-xmlrpc 2014-08-04 13:27:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0999.html