Bug 1571224 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.10.0
Assignee: Harpreet Kataria
QA Contact: Omri Hochman
Depends On:
Blocks: 1572700 1625249 1625250
Reported: 2018-04-24 10:55 UTC by myoder
Modified: 2020-11-18 14:53 UTC

: 1625249 1625250 (view as bug list)
Last Closed: 2020-11-18 14:53:48 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:

Attachments
read action forbidden error (61.00 KB, image/png)
2018-04-24 10:55 UTC, myoder

Description myoder 2018-04-24 10:55:18 UTC
Created attachment 1425945
read action forbidden error

Description of problem:

When a user with limited role permissions tries to attach / detach a cloud volume, a red error message is displayed in the UI stating "Use of the read action is forbidden".

The only way I have found to address this is by enabling the following product features for the user's role:

  Compute => Infrastructure => Infrastructure Providers => View

However, the user should not need to enable Infrastructure role features to attach / detach a cloud volume for a cloud provider.

Please note, even though the red error message is being displayed, the user is still allowed to attach / detach the cloud instance.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:
Red error message is displayed when attempting to attach or detach a cloud instance

Expected results:
There should be no error message, as the user has the correct permissions.

Additional info:
This issue was originally for the whole attach / detach cloud image page not displaying and was supposed to be fixed in this bug:


However, that bug was opened for a slightly different issue, so I wanted to open a fresh bug for clarity.

Appliance with credentials admin:smartvm exhibits this behavior.

Comment 3 Scott Seago 2018-05-01 20:36:56 UTC
I'm copying over slucidi's comment from the related bug, since it explains the cause of the current behavior:

"It looks like the other half of this issue is related to the 'providers' api endpoint. The cloud volume form calls to it to request a list of providers/managers with storage capabilities, but fails if the user doesn't have ems_infra permissions. 

Looking at https://github.com/imtayadeway/manageiq-api/blob/cebbdc102cd87d0d5120ca35c8571132f7e530eb/config/api.yml#L1856 it appears that the providers endpoint uses all ems_infra related roles. I'm not sure if the issue is that the required permissions are incorrect, if it's the wrong endpoint to use to list storage managers on this form, or if it's just misaligned expectations."

The API call to the providers endpoint that requires these permissions is in the initialization of the angular cloudVolumeFormController. This is needed for the "new cloud volume" operation (to get the list of providers to choose from), but it's completely unnecessary for attach/detach volume.

The angular controller needs to be refactored so that this API call isn't made for forms that don't need it.
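
The refactoring described in comment 3, sketched as an added example; it is not ManageIQ code and not part of the original comment. The stub API client, the function names (`makeApi`, `initFormBefore`, `initFormAfter`) and the feature strings are hypothetical and constructed for illustration.

```javascript
// Added illustration, not ManageIQ code. makeApi, initFormBefore, initFormAfter
// and the feature strings are hypothetical names constructed for this example.
const REQUIRED_FEATURE = {
  providers: 'infra_providers_view', // stands in for Infrastructure Providers => View
};

// Stub API client: a read on a collection fails unless the role has its feature.
function makeApi(roleFeatures) {
  const calls = [];
  return {
    calls,
    get(collection) {
      calls.push(collection);
      if (!roleFeatures.includes(REQUIRED_FEATURE[collection])) {
        throw new Error('Use of the read action is forbidden');
      }
      return []; // constructed empty provider list
    },
  };
}

function loadProviders(api, state) {
  try {
    state.providers = api.get('providers');
  } catch (e) {
    state.errors.push(e.message); // surfaces as the red flash message
  }
}

// Before: one controller init serves every form and always lists providers.
function initFormBefore(api, operation) {
  const state = { operation, providers: [], errors: [] };
  loadProviders(api, state);
  return state;
}

// After: only the "new cloud volume" form needs the provider list.
function initFormAfter(api, operation) {
  const state = { operation, providers: [], errors: [] };
  if (operation === 'new') loadProviders(api, state);
  return state;
}

const limitedRole = ['cloud_volume_attach']; // constructed feature name
console.log(initFormBefore(makeApi(limitedRole), 'attach').errors);
console.log(initFormAfter(makeApi(limitedRole), 'attach').errors);
```

The gated version leaves the server-side check untouched: a role without the providers feature still gets the forbidden error on the "new" form, where the provider list is actually required.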
