Bug 1464093 - Not able to retire VM/instance via API unless "Set Retirement Date" feature is checked for role
Status: ON_QA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assigned To: Jillian Tullo
QA Contact: Martin Kourim
Keywords: TestOnly, ZStream
Depends On:
Blocks: 1468614 1478508
Reported: 2017-06-22 08:16 EDT by Sachin
Modified: 2017-10-05 22:30 EDT
CC List: 7 users

See Also:
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1468614 1478508
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Sachin 2017-06-22 08:16:20 EDT
Description of problem:

I have a role, EvmGroup-super-admin-psachin (copied from EvmGroup-super-admin), where "Everything" -> "Access Rules for all Virtual Machines" -> "VM Access Rules/Instance Access Rules" -> "Operate" -> "Set Ownership" & "Set Retirement Date" are checked.

If I try to retire the VM via the API, it gets retired:

~~~
curl -k -l --user psachin:psachin \
     -H "Content-Type: application/json" \
     -i -X POST -H "Accept: application/json" \
     -d '{"action": "retire"}' \
     https://cfme.com/api/vms/21000000000145

HTTP/1.1 200 OK
Date: Thu, 22 Jun 2017 12:08:05 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
ETag: W/"76590b8bba8d9e8d4afaf2b054cebcd6"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 9b911396-c726-441c-b5ea-50c759628d8f
X-Runtime: 0.408045
Transfer-Encoding: chunked

{"success":true,"message":"VM id:21000000000145 name:'psachin-vm-with-2-nics-from-template' retiring","href":"https://10.74.130.155/api/vms/21000000000145"}
~~~


Whereas if "Set Retirement Date" is unchecked, the request is forbidden:

~~~
curl -k -l --user psachin:psachin \
     -H "Content-Type: application/json" \
     -i -X POST -H "Accept: application/json" \
     -d '{"action": "retire"}' \
     https://cfme.com/api/vms/21000000000145

HTTP/1.1 403 Forbidden
Date: Thu, 22 Jun 2017 11:59:10 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: 7e05393d-98bc-4fa3-b63b-ef0ed5b74d9a
X-Runtime: 0.123695
Transfer-Encoding: chunked

{"error":{"kind":"forbidden","message":"Use of Action retire is forbidden","klass":"Api::ForbiddenError"}}
~~~
Version-Release number of selected component (if applicable):
5.7.2.1

How reproducible:
Always

Steps to Reproduce:
1. Please see the description.

Actual results:

Expected results:

Additional info:

Comment 3 Jillian Tullo 2017-07-05 11:31:12 EDT
PR: https://github.com/ManageIQ/manageiq/pull/15509
