Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1458013

Summary: [downstream clone - 4.1.3] RHV-M portal shows incorrect inherited permission for users
Product: Red Hat Enterprise Virtualization Manager Reporter: rhev-integ
Component: ovirt-engineAssignee: Ondra Machacek <omachace>
Status: CLOSED ERRATA QA Contact: Lucie Leistnerova <lleistne>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.1.1CC: audgiri, lleistne, lsurette, mgoldboi, mperina, omachace, oourfali, pstehlik, rbalakri, Rhev-m-bugs, srevivo, ykaul
Target Milestone: ovirt-4.1.3Keywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1455011 Environment:
Last Closed: 2017-07-06 07:30:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1455011    
Bug Blocks:    

Description rhev-integ 2017-06-01 18:53:34 UTC 
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1455011 +++
======================================================================

Description of problem:

In some scenarios, RHV-M displays incorrect permission for the users. This only happens with normal user and not with admin@internal user.  Please see "Steps to Reproduce" for more info.


Version-Release number of selected component (if applicable):

rhevm-4.1.1.8-0.1.el7.noarch

How reproducible:

100%

Steps to Reproduce:

1. Create two groups group_a and group_b and add a user_a to group_a and user_b to group_b. 

ovirt-aaa-jdbc-tool group-manage show group_a
Group: group_a(f497038d-98a3-44c8-a9c3-88ecb3654d66) members:
  User: user_a

ovirt-aaa-jdbc-tool group-manage show group_b
Group: group_b(29ceab89-df25-47bc-a4aa-f44f5b6d9271) members:
  User: user_b

2. Assign group_a as superuser on system object.
  
3. Login to admin portal with user_a.

4. Check the permission of user_b . Admin portal will show user_b has superuser role which is inherited from group_a although user_b is not a member of group_a.

5. This is only a "display" issue and user_b don't really have this permission and login to admin portal will fail for this user.


Actual results:

Permission is not shown correctly

Expected results:

Permission should show correctly

Additional info:

Attaching screenshots from my test environment. The customer who reported this issue is using AD .

(Originally by Nijin Ashok)
Comment 1 rhev-integ 2017-06-01 18:53:42 UTC 
Created attachment 1281820 [details]
directory_group_user_a

(Originally by Nijin Ashok)
Comment 3 rhev-integ 2017-06-01 18:53:47 UTC 
Created attachment 1281821 [details]
directory_group_user_b

(Originally by Nijin Ashok)
Comment 4 rhev-integ 2017-06-01 18:53:53 UTC 
Created attachment 1281822 [details]
user_b incorrect permission

(Originally by Nijin Ashok)
Comment 5 rhev-integ 2017-06-01 18:53:58 UTC 
Ondro, could you please take a look?

(Originally by Martin Perina)
Comment 6 rhev-integ 2017-06-01 18:54:02 UTC 
It always shows the group, which is the current logged in user part of. This is UI issue.

(Originally by Ondra Machacek)
Comment 8 rhev-integ 2017-06-01 18:54:12 UTC 
WARN: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[Found clone flags: ['rhevm-4.1.z', 'rhevm-4.2-ga'], ]

For more info please contact: rhv-devops: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[Found clone flags: ['rhevm-4.1.z', 'rhevm-4.2-ga'], ]

For more info please contact: rhv-devops

(Originally by rhev-integ)
Comment 10 Lucie Leistnerova 2017-06-21 12:30:26 UTC 
User in group without superuser doesn't have superuser in Permissions.

verified in ovirt-engine-4.1.3.4-0.1.el7.noarch
Comment 13 errata-xmlrpc 2017-07-06 07:30:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1692