Red Hat Bugzilla – Bug 1291269
Calamari API: User with read/write role is able to add/delete a user
Last modified: 2018-02-20 15:58:58 EST
Description of problem:
As per the doc at http://calamari.readthedocs.org/en/v1.3/operations/users.html, a user with the 'read/write' role cannot add/delete a user. Refer to "Read/write user role has the ability to see every resource and add or changes any resource that is not users and roles."
Version-Release number of selected component (if applicable): Ceph 1.3.1 on RHEL 7.2 with Django REST Framework version 2.3.12.
How reproducible: always
Steps to Reproduce:
1) Create a user using: "calamari-ctl add_user <new-user> --password <password> --email <email>"
2) Assign the role "read/write" to this newly added user: "calamari-ctl assign_role <new-user> --role read/write"
3) Log in to the Calamari UI as "new-user"
4) Open the Django REST framework page for this user in a new browser tab using the URL: <calamari-admin-ip>/api/v1/user
5) Make sure that the top right-hand corner of the Django REST framework window shows the "new-user" name
6) Select "Raw Data" tab
7) In the "Content" Text box add:
8) Click POST button
9) User creation is successful
Note: delete operation is also successful (using url: <calamari-admin-ip>/api/v1/user/<pk>)
Actual results:
User creation and deletion is successful
Expected results:
User creation and deletion should not be permitted for a read/write role
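The rule quoted from the documentation can be turned into a check over observed API requests that flags any successful write to users by a non-admin role. This is an added example, not Calamari's code and not part of the original report; the role names other than "read/write", the record layout, the status codes, the "example-resource" path and the sample records are all constructed assumptions.

```python
import re

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Resources the quoted documentation reserves: "users and roles".
PROTECTED = {"user", "role"}
# The report's URLs are /api/v1/user and /api/v1/user/<pk>.
API_PATH = re.compile(r"^/api/v1/(?P<resource>[^/?]+)(?:[/?].*)?$")


def is_allowed(role, method, path):
    """Apply the documented rule to a single request."""
    m = API_PATH.match(path)
    if m is None:
        return False  # unknown URL shape: fail closed
    if role == "superuser":  # assumed name for the admin role
        return True
    if method.upper() in SAFE_METHODS:
        # read/write "has the ability to see every resource"
        return role in ("read/write", "readonly")  # "readonly" is assumed
    if role != "read/write":
        return False
    # read/write may change anything "that is not users and roles"
    return m.group("resource") not in PROTECTED


def find_violations(records):
    """Return records where a request the rule denies still succeeded (2xx)."""
    return [r for r in records
            if 200 <= r["status"] < 300
            and not is_allowed(r["role"], r["method"], r["path"])]


# Constructed observations mirroring the reproduction steps in the report.
SAMPLE = [
    {"user": "new-user", "role": "read/write", "method": "GET",
     "path": "/api/v1/user", "status": 200},
    {"user": "new-user", "role": "read/write", "method": "POST",
     "path": "/api/v1/user", "status": 201},
    {"user": "new-user", "role": "read/write", "method": "DELETE",
     "path": "/api/v1/user/3", "status": 204},
    {"user": "new-user", "role": "read/write", "method": "POST",
     "path": "/api/v1/example-resource", "status": 201},
    {"user": "admin", "role": "superuser", "method": "POST",
     "path": "/api/v1/user", "status": 201},
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print("VIOLATION:", v["user"], v["role"], v["method"], v["path"], v["status"])
```

Once the bug is fixed, the POST and DELETE records for "new-user" would carry a 403 status and the check would return no violations.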