Bug 1305158 - Issues with RBAC filtering using the REST API
Status: CLOSED WORKSFORME
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.7.0
Assigned To: abellott
QA Contact: Taras Lehinevych
Whiteboard: api:rest:rbac
Keywords: ZStream
Depends On:
Blocks: 1306721 1346974

Reported: 2016-02-05 16:06 EST by Aparna Karve
Modified: 2016-08-02 21:33 EDT
CC: 8 users

Fixed In Version:
Doc Type: Bug Fix
Clones: 1306721 1346974
Last Closed: 2016-06-20 16:17:45 EDT
Type: Bug

Attachments: None
Description Aparna Karve 2016-02-05 16:06:57 EST
Description of problem: Issues with RBAC filtering using the REST API


Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
1. Output of this url - /api/services when logged-in as a user of group EvmGroup-user_self_service yields the following result -
{"name":"services","count":10,"subcount":0,"resources":[]}
which is correct since the OPS UI does not display Services for this group

2. However, output of the same url (/api/services) when logged-in as a user of group EvmGroup-desktop yields the following result -
{"name":"services","count":10,"subcount":10,"resources":[{"href":"http://localhost:3000/api/services/3"},{"href":"http://localhost:3000/api/services/1"},{"href":"http://localhost:3000/api/services/4"},{"href":"http://localhost:3000/api/services/7"},{"href":"http://localhost:3000/api/services/2"},{"href":"http://localhost:3000/api/services/6"},{"href":"http://localhost:3000/api/services/5"},{"href":"http://localhost:3000/api/services/8"},{"href":"http://localhost:3000/api/services/10"},{"href":"http://localhost:3000/api/services/9"}]}

This is incorrect since a user belonging to this group sees all the services that an Administrator would see. Note that the OPS UI does not display Services for this group.

Actual results: 


Expected results:
For a user belonging to the EvmGroup-desktop group, the output from the REST API should be -
{"name":"services","count":10,"subcount":0,"resources":[]}

Additional info:
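An offline consistency check for the two observations in the report, added here as an illustration and not part of the bug report or of the ManageIQ code base. It replays the report's JSON bodies against an assumed policy (neither group should see Services, as the report says of the OPS UI) and treats a 403 as correctly hidden, which is the outcome comment 2 describes; the live fetcher assumes the appliance accepts HTTP basic auth on the REST API.

```python
import base64
import json
import urllib.request
from urllib.error import HTTPError

# Constructed sample responses reproducing the two observations in the report.
_DESKTOP_HREFS = ",".join('{"href":"http://localhost:3000/api/services/%d"}' % i
                          for i in (3, 1, 4, 7, 2, 6, 5, 8, 10, 9))
SAMPLE_RESPONSES = {
    "EvmGroup-user_self_service":
        (200, '{"name":"services","count":10,"subcount":0,"resources":[]}'),
    "EvmGroup-desktop":
        (200, '{"name":"services","count":10,"subcount":10,"resources":[' + _DESKTOP_HREFS + ']}'),
}
# Assumed policy: the report says the OPS UI shows Services to neither group.
EXPECTED_VISIBLE = {"EvmGroup-user_self_service": False, "EvmGroup-desktop": False}

def fetch_collection(base_url, path, user, password):
    """Fetch a collection with HTTP basic auth and return (status, body).
    Assumes the appliance accepts basic auth on the REST API (an assumption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={
        "Authorization": "Basic " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # a 403 is a meaningful answer, not a failure
        return err.code, err.read().decode()

def check_response(status, body, expect_visible):
    """Return None when the response matches the policy, otherwise a reason.
    A 403 counts as correctly hidden (the outcome described in comment 2)."""
    if status == 403:
        return None if not expect_visible else "403 for a group that should see it"
    if status != 200:
        return f"unexpected HTTP status {status}"
    data = json.loads(body)
    visible = data.get("subcount", 0) > 0 or bool(data.get("resources"))
    if visible and not expect_visible:
        return f"leak: {data['subcount']} of {data['count']} resources returned"
    if expect_visible and not visible:
        return "empty result for a group that should see the collection"
    return None

def find_violations(responses, policy):
    """Map each offending group to the reason its response breaks the policy."""
    return {g: r for g, (status, body) in responses.items()
            if (r := check_response(status, body, policy[g])) is not None}
```

Run `find_violations(SAMPLE_RESPONSES, EXPECTED_VISIBLE)` to see only EvmGroup-desktop flagged; replace the sample dict with `fetch_collection` results per group to run the same check against a live appliance.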
Comment 2 abellott 2016-04-28 14:50:59 EDT
This may be resolved with Tim's PR https://github.com/ManageIQ/manageiq/pull/6651
on upstream where we added role identifiers to read actions (e.g. GET), so users of self service group/role would get the list of services and users of desktop groups/role will be getting a 403 (forbidden)

Aparna, can you confirm and let us know?
Comment 4 abellott 2016-06-20 16:17:45 EDT
RBAC for API Services in 5.6
