Bug 1291269 - Calamari API: User with read/write role is able to add/delete an user
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Calamari
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 1.3.4
Assigned To: Gregory Meno
Depends On:
Reported: 2015-12-14 08:25 EST by Harish NV Rao
Modified: 2018-02-20 15:58 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2018-02-20 15:58:58 EST
Type: Bug

Description Harish NV Rao 2015-12-14 08:25:02 EST
Description of problem:
As per the doc at http://calamari.readthedocs.org/en/v1.3/operations/users.html, a user with the 'read/write' role cannot add/delete a user. Refer to "Read/write user role has the ability to see every resource and add or changes any resource that is not users and roles."

Version-Release number of selected component (if applicable): Ceph 1.3.1 on RHEL 7.2 with Django REST Framework version 2.3.12.

How reproducible: always

Steps to Reproduce:
1) Create a user using: "calamari-ctl add_user <new-user> --password <password> --email <email>"
2) Assign the role "read/write" to this newly added user: "calamari-ctl assign_role <new-user> --role read/write"
3) Log in to the Calamari UI as "new-user"
4) Open the Django REST framework page for this user in a new browser tab using the URL: <calamari-admin-ip>/api/v1/user
5) Make sure that the top right-hand corner of the Django REST framework window shows the "new-user" name
6) Select "Raw Data" tab
7) In the "Content" Text box add: 
    "username": "OneMoreUser", 
    "password": "test123",	
    "email": "OneMoreUser@test.com"
8) Click POST button
9) User creation is successful

Note: the delete operation is also successful (using the URL: <calamari-admin-ip>/api/v1/user/<pk>)

Actual results:
User creation and deletion are successful

Expected results:
User creation and deletion should not be permitted for a read/write role

Additional info:
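
The check the report expects, as an added example that is not part of the original report and not Calamari's code: a deny-by-default role check in the `has_permission(request, view)` shape used by Django REST Framework permission classes, written in plain Python so it runs without DRF. The `role` attribute on the user, the role names other than `read/write`, and `role` as the name of the roles endpoint are assumptions.

```python
from types import SimpleNamespace

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
# Resources the documentation reserves for administrators. "user" comes from the
# /api/v1/user URL in the report; "role" is an assumed name for the roles endpoint.
ADMIN_ONLY_RESOURCES = {"user", "role"}


def resource_of(path):
    """Return the resource segment of /api/v1/<resource>[/<pk>], or None."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 3 and parts[0] == "api" and parts[1] == "v1":
        return parts[2].lower()
    return None


class RolePermission:
    """Assumed role names: 'superuser', 'read/write', 'readonly'."""

    def has_permission(self, request, view=None):
        user = getattr(request, "user", None)
        role = getattr(user, "role", None)  # hypothetical attribute
        resource = resource_of(request.path)
        if role is None or resource is None:
            return False  # unauthenticated user or unknown URL: fail closed
        if role == "superuser":
            return True
        if request.method in SAFE_METHODS:
            return role in ("read/write", "readonly")
        # Unsafe method: only read/write, and never on users or roles.
        return role == "read/write" and resource not in ADMIN_ONLY_RESOURCES


def check(role, method, path):
    """Build a constructed request stub and evaluate the permission."""
    request = SimpleNamespace(method=method, path=path,
                              user=SimpleNamespace(role=role))
    return RolePermission().has_permission(request)
```

Steps 7 to 9 and the delete note correspond to `check("read/write", "POST", "/api/v1/user")` and `check("read/write", "DELETE", "/api/v1/user/<pk>")`, both of which this check denies.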
