Bug 1525598 - Control->Explorer is visible for evmgroup-security role
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: GA
Target Release: 5.10.0
Assignee: Harpreet Kataria
QA Contact: Mike Shriver
URL:
Whiteboard: rbac:control
Depends On:
Blocks: 1533219 1568045
Reported: 2017-12-13 16:16 UTC by Mike Shriver
Modified: 2018-06-21 20:55 UTC (History)

Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1533219 1568045
Environment:
Last Closed: 2018-06-21 20:55:00 UTC
Category: ---
Cloudforms Team: CFME Core
mshriver: automate_bug+


Attachments
Screenshot of evmrole-security configuration (130.85 KB, image/jpeg), 2017-12-13 16:16 UTC, Mike Shriver
Screenshot of evmrole-security visibility (52.75 KB, image/jpeg), 2017-12-13 16:17 UTC, Mike Shriver


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1531499 None None None Never

Internal Links: 1531499

Description Mike Shriver 2017-12-13 16:16:24 UTC
Created attachment 1367488
Screenshot of evmrole-security configuration

Description of problem:
The Control->Explorer page is visible when authenticated as a user that has the EvmRole-Security role.

This role should only have access to Control->Simulation and Control->Log. Included screenshot shows evmrole-security default configuration, and default visibility.

Version-Release number of selected component (if applicable):
5.8.2.3

How reproducible:
100%

Steps to Reproduce:
1. Create user with evmgroup-security/evmrole-security
2. Login as user
3. Note visibility for Control->Explorer

Actual results:
Control->Explorer is visible

Expected results:
Only Log and Simulation are visible under Control

Additional info:
Tested with an aws_iam user, but AWS only provides auth, and doesn't impact RBAC.

Comment 2 Mike Shriver 2017-12-13 16:17:10 UTC
Created attachment 1367489
Screenshot of evmrole-security visibility

Comment 3 Dave Johnson 2017-12-13 16:46:01 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 4 Mike Shriver 2017-12-13 17:03:24 UTC
(In reply to Dave Johnson from comment #3)
> Please assess the impact of this issue and update the severity accordingly. 
> Please refer to
> https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a
> reminder on each severity's definition.
> 
> If it's something like a tracker bug where it doesn't matter, please set the
> severity to Low.

ack, set to medium

Comment 5 Mike Shriver 2017-12-13 19:44:46 UTC
This is also true in 5.9.0.12; Control->Explorer is not included in evmrole-security configuration, but is visible to a user with this role.

Comment 6 Mike Shriver 2017-12-15 22:33:56 UTC
This behavior is present for:

EvmRole-security
EvmRole-support
EvmRole-auditor
EvmRole-approver

Comment 7 Antonin Pagac 2018-01-04 14:24:38 UTC
Appliance version: 5.8.3.0

There's also a problem with Automation -> Ansible, it's visible when it should not be, for:

EvmRole-administrator
EvmRole-user_self_service
EvmRole-vm_user
EvmRole-desktop

Tested with ldap user.

Comment 8 Mike Shriver 2018-01-04 15:28:03 UTC
Antonin,

I've written separate bugs for each of the RBAC mismatches that I've found on the default roles.

Please record any issues with Automation->Ansible vertical nav/access control in a separate BZ so that we can accurately track RBAC changes.

Unless Harpreet would prefer these two separate vertical nav issues under one BZ, in which case ignore me.

Comment 9 Antonin Pagac 2018-01-05 10:43:21 UTC
bz 1531499 opened.

Comment 10 Mike Shriver 2018-01-05 13:24:19 UTC
(In reply to Antonin Pagac from comment #9)
> bz 1531499 opened.

Very much appreciated!

Comment 12 CFME Bot 2018-01-09 21:41:49 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/827e8a860363b78f342f111fb6c42764a6994c03

commit 827e8a860363b78f342f111fb6c42764a6994c03
Author:     Harpreet Kataria <hkataria@redhat.com>
AuthorDate: Tue Jan 9 12:18:33 2018 -0500
Commit:     Harpreet Kataria <hkataria@redhat.com>
CommitDate: Tue Jan 9 12:18:33 2018 -0500

    Fixed control explorer feature id
    
    Fixed control explorer feature id for EvmRole-security, EvmRole-support, EvmRole-auditor, EvmRole-approver roles. This was causing confusion by not showing them as selected in the Product features tree whereas these roles did have access to Control explorer in UI.
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1525598

 db/fixtures/miq_user_roles.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

