Bug 1291269 - Calamari API: User with read/write role is able to add/delete an user
Status: ASSIGNED
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Calamari
Version: 1.3.1
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 1.3.4
Assigned To: Gregory Meno
QA Contact: ceph-qe-bugs
Reported: 2015-12-14 08:25 EST by Harish NV Rao
Modified: 2016-08-03 15:27 EDT
Doc Type: Bug Fix
Type: Bug
Description Harish NV Rao 2015-12-14 08:25:02 EST
Description of problem:
As per the doc at http://calamari.readthedocs.org/en/v1.3/operations/users.html, a user with the 'read/write' role cannot add/delete a user. Refer to "Read/write user role has the ability to see every resource and add or changes any resource that is not users and roles."

Version-Release number of selected component (if applicable): Ceph 1.3.1 on RHEL 7.2 with Django REST Framework version 2.3.12.

How reproducible: always

Steps to Reproduce:
1) Create a user using: "calamari-ctl add_user <new-user> --password <password> --email <email>"
2) Assign the role "read/write" to this newly added user: "calamari-ctl assign_role <new-user> --role read/write"
3) Log in to the Calamari UI as "new-user"
4) Open the Django REST framework for this user in a new browser tab using the URL: <calamari-admin-ip>/api/v1/user
5) Make sure that the top right-hand corner of the Django REST framework window shows the "new-user" name
6) Select the "Raw Data" tab
7) In the "Content" text box add:
{
    "username": "OneMoreUser",
    "password": "test123",
    "email": "OneMoreUser@test.com"
}
8) Click POST button
9) User creation is successful

Note: The delete operation is also successful (using URL: <calamari-admin-ip>/api/v1/user/<pk>)

Actual results:
User creation and deletion are successful

Expected results:
User creation and deletion should not be permitted for a read/write role

Additional info:

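The role rule quoted from the Calamari documentation in the description, written as a permission check with the has_permission(request, view) shape that Django REST Framework permission classes use, and run against the requests from the reproduction steps. This is an added example, not Calamari's code and not the fix for this bug; the Request stand-in, the role names other than read/write, the "role" resource name and the sample paths are assumptions.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # read-only HTTP methods
# Resources the quoted documentation keeps away from read/write users.
PROTECTED = {"user", "role"}  # the "role" endpoint name is an assumption
# Role names other than "read/write" are assumptions for this example.
SUPERUSER, READ_WRITE, READ_ONLY = "superuser", "read/write", "read-only"


@dataclass
class Request:
    """Constructed stand-in for the request object a permission class sees."""
    method: str
    path: str
    role: str  # hypothetical attribute: role of the authenticated user


def resource_of(path):
    """Return the resource name in /api/v1/<resource>[/<pk>], else None."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 3 and parts[:2] == ["api", "v1"]:
        return parts[2].lower()
    return None


class RoleBasedAccess:
    """Permission check with the has_permission(request, view) shape."""

    def has_permission(self, request, view=None):
        resource = resource_of(request.path)
        if resource is None or request.role not in (SUPERUSER, READ_WRITE, READ_ONLY):
            return False  # fail closed on unknown paths and unknown roles
        if request.role == SUPERUSER or request.method in SAFE_METHODS:
            return True
        # Writes: read/write may change anything except users and roles.
        return request.role == READ_WRITE and resource not in PROTECTED


def denied(requests, policy=RoleBasedAccess()):
    """Return (method, path) for every request the policy rejects."""
    return [(r.method, r.path) for r in requests if not policy.has_permission(r)]


# Constructed requests mirroring the report: POST and DELETE as read/write.
SAMPLE = [
    Request("GET", "/api/v1/user", READ_WRITE),
    Request("POST", "/api/v1/user", READ_WRITE),
    Request("DELETE", "/api/v1/user/7", READ_WRITE),  # pk 7 is made up
    Request("POST", "/api/v1/cluster", READ_WRITE),   # non-user resource, made up
]
```

In a real Django REST Framework project the class would subclass rest_framework.permissions.BasePermission and read the role from the authenticated user rather than from a field on the request.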