Bug 1225274 - 3.5.1 Upgrade adds "Everyone" group to disk profile
Summary: 3.5.1 Upgrade adds "Everyone" group to disk profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-3.6.0-rc3
: 3.6.0
Assignee: Roy Golan
QA Contact: Ondra Machacek
URL:
Whiteboard:
Depends On:
Blocks: 1284233
TreeView+ depends on / blocked
 
Reported: 2015-05-27 02:27 UTC by nijin ashok
Modified: 2019-09-12 08:29 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The "DiskProfileUser" role, which was an administrator role, was assigned to the "Everyone" group by default. As a result, when users logged into the User Portal, they saw the Extended tab by default and were exposed to options that they did not have permissions to operate. With this update, the "DiskProfileUser" role is changed to an end-user type role. Users with end-user type roles now see the Basic tab by default.
Clone Of:
: 1284233 (view as bug list)
Environment:
Last Closed: 2016-03-09 21:06:54 UTC
oVirt Team: SLA


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:0376 normal SHIPPED_LIVE Red Hat Enterprise Virtualization Manager 3.6.0 2016-03-10 01:20:52 UTC
oVirt gerrit 41834 master MERGED frontend: consider Everyone->diskProfileUser as basic user permission Never

Description nijin ashok 2015-05-27 02:27:08 UTC
Description of problem:

After upgrading to 3.5.1 "Everyone" is added default in the permission of off disk profiles. So every user will be having an extra default permission of "DiskProfileUser" inherited from "Everyone". This gives an "extended view" option in user portal of all users even the users with basic "userrole" permissions. However every operation in the extended view is denied.  . For basic VM users, this option is confusing and will expose unintended information as every information about the VM is visible with option to edit/remove although it is denied after the action.

Version-Release number of selected component (if applicable):

rhevm-3.5.1.1-0.1.el6ev.noarch

How reproducible:

100%

Steps to Reproduce:
1. Upgrade the RHEV-M from 3.5.0 to 3.5.1
2. "Everyone" will be added as default permission for every disk profiles which gives DiskProfileUser permission to all users.


Actual results:

All users will get "DiskProfileUser" permissions which gives them a "extended view" in user portal which is confusing to basic users

Expected results:

DiskProfileUser need not be added by default

Additional info:

Comment 3 Roy Golan 2015-06-01 14:14:17 UTC
note: we must make sure after the fix, any new profile must be restrictive and  not expose to everyone. 

the solution would be then to make the diskUserProfile a user and not admin.

Comment 5 Max Kovgan 2015-06-28 14:12:25 UTC
ovirt-3.6.0-3 release

Comment 6 Ondra Machacek 2015-06-29 13:57:25 UTC
User with 'DiskProfileUser' inherited from everyone group can't now see extended user portal. OK in 3.6.0-3.

Comment 7 Jiri Belka 2015-11-11 13:52:35 UTC
This is clear regression, I see it on 3.5.5 and #2 has report from customer. Why hasn't been this BZ merged to 3.5.x?

Comment 13 errata-xmlrpc 2016-03-09 21:06:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html


Note You need to log in before you can comment on or make changes to this bug.