1451266 – Rbac | Tag: Inconsistency in group/tag restriction for 'group or user owned' roles

Bug 1451266 - Rbac | Tag: Inconsistency in group/tag restriction for 'group or user owned' roles

Summary: Rbac | Tag: Inconsistency in group/tag restriction for 'group or user owned' ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Appliance
Sub Component:
Version:	5.8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	GA
Target Release:	5.9.0
Assignee:	Gregg Tanzillo
QA Contact:	Ruslana Babyuk
Docs Contact:
URL:
Whiteboard:	rbac:tag
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-16 09:08 UTC by Ruslana Babyuk
Modified:	2018-04-20 16:27 UTC (History)
CC List:	7 users (show)
Fixed In Version:	5.9.0.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-03-01 13:12:35 UTC
Category:	---
Cloudforms Team:	CFME Core
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1570119	0	high	CLOSED	Inconsistency in group/tag restriction - users groups	2021-06-10 15:55:43 UTC
Red Hat Product Errata	RHSA-2018:0380	0	normal	SHIPPED_LIVE	Moderate: Red Hat CloudForms security, bug fix, and enhancement update	2018-03-01 18:37:12 UTC

Internal Links: 1570119

Description Ruslana Babyuk 2017-05-16 09:08:44 UTC

Description of problem:
There is a strange restriction for "Only User or Group Owned" and "Only User Owned" with tag combination. If the group tag is assigned for vm/instance but ownership is not set, user from this group can see this vm/instance, and vice versa.

Version-Release number of selected component (if applicable):
5.8.0, 5.7.2, 5.7.1.3

How reproducible:
100%

Steps to Reproduce:
1. Create role(role1) with "Only User or Group Owned" restriction
2. Create group(group1) with selected role1
3. Add tag(in my case:Service Level->Platinum) for this group
4. Create user(user1), assign it to group1
5. As admin add tag to vm/instance (group1 should not be an owner on this vm)
6. As user1 login and check vm

Actual results:
User have access to vm, though group is not the owner of this vm.

Expected results:
User should not see this vm as group or user doesn't own it

Additional info:
In case we set the group ownership to vm and remove tag from vm, user also will see this vm.

Comment 7 errata-xmlrpc 2018-03-01 13:12:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380

Note You need to log in before you can comment on or make changes to this bug.