Bug 1225274 - 3.5.1 Upgrade adds "Everyone" group to disk profile
Summary: 3.5.1 Upgrade adds "Everyone" group to disk profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.5.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-3.6.0-rc3
: 3.6.0
Assignee: Roy Golan
QA Contact: Ondra Machacek
URL:
Whiteboard:
Depends On:
Blocks: 1284233
Reported: 2015-05-27 02:27 UTC by nijin ashok
Modified: 2019-09-12 08:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The "DiskProfileUser" role, which was an administrator role, was assigned to the "Everyone" group by default. As a result, when users logged into the User Portal, they saw the Extended tab by default and were exposed to options that they did not have permissions to operate. With this update, the "DiskProfileUser" role is changed to an end-user type role. Users with end-user type roles now see the Basic tab by default.
Clone Of:
: 1284233 (view as bug list)
Environment:
Last Closed: 2016-03-09 21:06:54 UTC
oVirt Team: SLA
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2016:0376 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Virtualization Manager 3.6.0 | 2016-03-10 01:20:52 UTC
oVirt gerrit | 41834 | 0 | master | MERGED | frontend: consider Everyone->diskProfileUser as basic user permission | 2020-10-07 13:41:05 UTC

Description nijin ashok 2015-05-27 02:27:08 UTC
Description of problem:

After upgrading to 3.5.1, "Everyone" is added by default in the permissions of disk profiles. So every user will have an extra default permission of "DiskProfileUser" inherited from "Everyone". This gives an "extended view" option in the user portal for all users, even users with basic "userrole" permissions. However, every operation in the extended view is denied. For basic VM users, this option is confusing and will expose unintended information, as every piece of information about the VM is visible with the option to edit/remove, although it is denied after the action.

Version-Release number of selected component (if applicable):

rhevm-3.5.1.1-0.1.el6ev.noarch

How reproducible:

100%

Steps to Reproduce:
1. Upgrade the RHEV-M from 3.5.0 to 3.5.1
2. "Everyone" will be added as a default permission for every disk profile, which gives DiskProfileUser permission to all users.


Actual results:

All users will get "DiskProfileUser" permissions, which gives them an "extended view" in the user portal that is confusing to basic users.

Expected results:

DiskProfileUser need not be added by default

Additional info:

Comment 3 Roy Golan 2015-06-01 14:14:17 UTC
Note: we must make sure that after the fix, any new profile is restrictive and not exposed to everyone.

The solution would then be to make the diskUserProfile a user and not admin.

Comment 5 Max Kovgan 2015-06-28 14:12:25 UTC
ovirt-3.6.0-3 release

Comment 6 Ondra Machacek 2015-06-29 13:57:25 UTC
A user with 'DiskProfileUser' inherited from the Everyone group now can't see the extended user portal. OK in 3.6.0-3.

Comment 7 Jiri Belka 2015-11-11 13:52:35 UTC
This is a clear regression, I see it on 3.5.5 and #2 has a report from a customer. Why hasn't this BZ been merged to 3.5.x?

Comment 13 errata-xmlrpc 2016-03-09 21:06:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0376.html
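
An added example (not code from ovirt-engine or from anyone commenting on this bug) that models the condition in the Doc Text: it flags non-end-user roles granted to the "Everyone" group and shows how changing the role type changes the default User Portal tab. The data model, field names, the user "alice" and the simplified tab rule are assumptions made for illustration.

```python
# Added illustration. The data model and field names are assumptions,
# not the ovirt-engine schema or API; sample data is constructed.
from dataclasses import dataclass

EVERYONE = "Everyone"


@dataclass(frozen=True)
class Grant:
    principal: str    # user or group name
    role: str
    object_type: str  # e.g. "DiskProfile", "VM"


def broad_admin_grants(grants, role_types):
    """Grants giving the Everyone group a role that is not end-user type.
    Roles with an unknown type are flagged too (conservative)."""
    return [g for g in grants
            if g.principal == EVERYONE and role_types.get(g.role) != "user"]


def effective_roles(user, groups, grants):
    """Roles held directly or through groups; Everyone applies to all users."""
    principals = {user, EVERYONE, *groups}
    return {g.role for g in grants if g.principal in principals}


def default_tab(user, groups, grants, role_types):
    """Simplified rule taken from the Doc Text: a user holding only
    end-user type roles gets the Basic tab, anyone else gets Extended."""
    roles = effective_roles(user, groups, grants)
    only_user = all(role_types.get(r) == "user" for r in roles)
    return "Basic" if only_user else "Extended"


# Constructed sample data: role types before and after the fix.
ROLE_TYPES_3_5_1 = {"UserRole": "user", "DiskProfileUser": "admin"}
ROLE_TYPES_FIXED = {"UserRole": "user", "DiskProfileUser": "user"}
GRANTS = [
    Grant(EVERYONE, "DiskProfileUser", "DiskProfile"),  # added by the upgrade
    Grant("alice", "UserRole", "VM"),                   # constructed basic user
]

if __name__ == "__main__":
    for label, types in (("3.5.1", ROLE_TYPES_3_5_1), ("fixed", ROLE_TYPES_FIXED)):
        flagged = broad_admin_grants(GRANTS, types)
        print(label, default_tab("alice", [], GRANTS, types), flagged)
```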

