Description of problem:
Use case - government customer runs a cyber security training lab and creates multiple VMs, some of which the students own and have direct console access to. The others they should not be aware of; the idea is that they will be discovering them and accessing them via SSH, RDP, etc. as part of the course. In the most recent release of CloudForms, I have created a mockup of this lab design using bundle catalog items: the first item creates the visible VMs, the second creates the hidden ones. They are all under the same service. In the ops UI, this works as intended: the student user with a restricted view only sees the items they should. In the self service UI, they still show up as visible, regardless of how I handle limiting their visibility, whether through ownership change or using tagging. Note that this only makes them visible; if the user clicks on the VMs they should not have access to, an error loading VM details pops up, and they can't interact with it. Ideally, however, the VMs should not be visible at all.

Version-Release number of selected component (if applicable):
5.9.2

How reproducible:
Always

Steps to Reproduce:
1. Provision a catalog item with multiple VMs as a user with access set to only user-owned, or with some sort of visibility restriction based on tagging
2. Either change the ownership of some of the created items, or apply a tag that would restrict the user's view
3. Log into the self service UI as the user and navigate the service

Actual results:
User can see a listing of the items they do not have access to

Expected results:
Student should not see the items they do not have access to, as in the ops UI.

Additional info:
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.
Reassigning to the API team to take a look at. The UI doesn't control what data comes back from the API in order to decide what to hide or show an individual user. Please let me know if you would like my help in the future to test or validate this after API changes have been made.
Chris, would you be able to provide us with the API call being made that is bringing back VMs that the user shouldn't see? This way we can verify that RBAC is properly being enforced.
Hi jritenou, Do you have an appliance setup that can reproduce this issue that we can look at? Thank you in advance, Chris H
https://github.com/ManageIQ/manageiq-api/pull/404
New commit detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/7566ed9c7c6bfb57305d9456c98285f040a3346a

commit 7566ed9c7c6bfb57305d9456c98285f040a3346a
Author:     Milan Zazrivec <mzazrivec>
AuthorDate: Wed Jun 20 12:08:16 2018 -0400
Commit:     Milan Zazrivec <mzazrivec>
CommitDate: Wed Jun 20 12:08:16 2018 -0400

    services?expand=vms: fetch RBAC-filtered list of vms

    https://bugzilla.redhat.com/show_bug.cgi?id=1589266

 app/controllers/api/subcollections/vms.rb | 1 +
 1 file changed, 1 insertion(+)
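The security point behind the one-line fix above is that an expanded subcollection (`services/:id?expand=vms`) must go through the same RBAC filter as a top-level collection request; otherwise a user who is allowed to see the service gets a listing of every VM under it, including ones that ownership or tag restrictions would otherwise hide. The following Ruby illustration is an added example and not ManageIQ's code: the `Vm`, `Service` and `User` structs, the `rbac_filtered` stand-in for the real RBAC engine, the two `vms_query_resource_*` variants and the constructed sample data are all hypothetical, chosen to mirror the lab scenario in the report (student-owned VMs beside hidden target VMs in one service).

```ruby
# Added illustration (not ManageIQ's code): why an "expand" subcollection must be
# RBAC-filtered with the same rules as the top-level collection.
# All names here (Vm, Service, User, rbac_filtered, vms_query_resource_*) are hypothetical.

Vm      = Struct.new(:id, :name, :owner, :tags)
Service = Struct.new(:id, :name, :vms)
User    = Struct.new(:name, :tag_filter, :owned_only)

# Hypothetical RBAC filter: a user with owned_only sees only VMs they own; a user
# with a tag_filter sees only VMs carrying that tag; both restrictions combine.
def rbac_filtered(vms, user)
  vms.select do |vm|
    visible = true
    visible &&= (vm.owner == user.name) if user.owned_only
    visible &&= vm.tags.include?(user.tag_filter) if user.tag_filter
    visible
  end
end

# Before the fix: the subcollection is returned straight from the parent object,
# so anyone who may read the service sees every VM in it.
def vms_query_resource_unfiltered(service, _user)
  service.vms
end

# After the fix: the subcollection passes through the same filter that top-level
# collections use (the real fix calls ManageIQ's RBAC; this is a stand-in).
def vms_query_resource_filtered(service, user)
  rbac_filtered(service.vms, user)
end

# Constructed sample data matching the report: one service containing VMs the
# student owns (visible) and VMs the student is supposed to discover (hidden).
def sample_service
  Service.new(1, 'cyber-lab', [
    Vm.new(10, 'student-kali',  'student',    ['student']),
    Vm.new(11, 'student-win10', 'student',    ['student']),
    Vm.new(20, 'target-dc01',   'instructor', ['hidden']),
    Vm.new(21, 'target-web01',  'instructor', ['hidden']),
  ])
end

# The restricted student: may only see VMs they own.
def student
  User.new('student', nil, true)
end

# Simulates GET /api/services/1?expand=vms under each behaviour and returns the
# hash the API would serialize.
def expand_vms(service, user, filtered:)
  vms = if filtered
          vms_query_resource_filtered(service, user)
        else
          vms_query_resource_unfiltered(service, user)
        end
  {
    'id'   => service.id,
    'name' => service.name,
    'vms'  => vms.map { |vm| { 'id' => vm.id, 'name' => vm.name } },
  }
end

if __FILE__ == $PROGRAM_NAME
  before = expand_vms(sample_service, student, filtered: false)
  after  = expand_vms(sample_service, student, filtered: true)
  puts "before fix: #{before['vms'].map { |v| v['name'] }.join(', ')}"
  puts "after fix:  #{after['vms'].map { |v| v['name'] }.join(', ')}"
end
```

The practical check this suggests for any similar report: compare the `vms` array returned by the expanded service request with the result of listing `/api/vms` directly as the same restricted user. If the expanded listing is a superset, the subcollection path is bypassing RBAC even though the per-VM detail request (as the reporter observed) still fails.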
VERIFIED in 5.10.0.8. I was able to create a user restricted to the engineering department that could only see services that were also tagged with Engineering. When completed services were created via a bundle, the user could only see services that were tagged with Engineering.